Resubmissions
27/10/2022, 21:11
221027-z1n9kaddh2 10
27/10/2022, 20:55
221027-zqrlyadfcq 10
27/10/2022, 20:47
221027-zkwnpsdfap 10
Analysis
-
max time kernel
436s -
max time network
440s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
27/10/2022, 20:55
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://gitlab.com/oxx980710
Resource
win10v2004-20220812-en
General
-
Target
http://gitlab.com/oxx980710
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\", \"C:\\Users\\Default User\\csrss.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, 
\"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\", \"C:\\Users\\Public\\services.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\chrome.exe\", \"C:\\Program 
Files\\7-Zip\\Lang\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\chrome.exe\", \"C:\\Program Files\\7-Zip\\Lang\\chrome.exe\", \"C:\\Program Files\\Windows Defender\\StartMenuExperienceHost.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\chrome.exe\", \"C:\\Program Files\\7-Zip\\Lang\\chrome.exe\", \"C:\\Program Files\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\wininit.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\", 
\"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\chrome.exe\", \"C:\\Program Files\\7-Zip\\Lang\\chrome.exe\", \"C:\\Program Files\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Snippets\\chrome.exe\"" INST.exe -
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this report the parent is wmiprvse.exe spawning schtasks.exe, which is also consistent with task creation being requested through WMI by the dropped payload rather than with exploitation of the WMI provider host itself; the schtasks.exe PIDs below match those listed under "Creates scheduled task(s)".
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3384 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5040 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4868 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4228 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4488 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4776 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3668 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4832 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3844 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3908 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4420 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2964 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4024 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3912 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3484 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1832 640 schtasks.exe 28 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4696 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3952 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1764 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4644 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 744 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3944 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 324 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4760 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1472 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1796 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3392 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to 
spawn this process 1696 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1896 640 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4016 640 schtasks.exe 28 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" INST.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" INST.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" INST.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe -
resource yara_rule
behavioral1/files/0x00080000000230a3-135.dat dcrat
behavioral1/files/0x00080000000230a3-136.dat dcrat
behavioral1/memory/1700-137-0x0000000000550000-0x000000000069A000-memory.dmp dcrat
behavioral1/files/0x000700000001d88b-153.dat dcrat
behavioral1/files/0x000700000001d88b-154.dat dcrat
behavioral1/memory/1184-155-0x0000000000290000-0x000000000044A000-memory.dmp dcrat
behavioral1/files/0x00070000000230c8-184.dat dcrat
behavioral1/files/0x00070000000230c8-183.dat dcrat
behavioral1/memory/532-186-0x00000000003C0000-0x000000000057A000-memory.dmp dcrat
behavioral1/memory/5240-256-0x0000000000060000-0x000000000021A000-memory.dmp dcrat
-
Downloads MZ/PE file
-
Executes dropped EXE 12 IoCs
pid Process
1700 brokercommon.exe
4428 fud_dc.exe
4424 fud_dc.exe
1184 INST.exe
532 StartMenuExperienceHost.exe
880 StartMenuExperienceHost.exe
2252 StartMenuExperienceHost.exe
2832 StartMenuExperienceHost.exe
8 StartMenuExperienceHost.exe
5884 StartMenuExperienceHost.exe
3496 StartMenuExperienceHost.exe
5240 services.exe
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation StartMenuExperienceHost.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation StartMenuExperienceHost.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation StartMenuExperienceHost.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation StartMenuExperienceHost.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation StartMenuExperienceHost.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation StartMenuExperienceHost.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation INST.exe -
Loads dropped DLL 2 IoCs
pid Process 4424 fud_dc.exe 4424 fud_dc.exe -
Adds Run key to start application 2 TTPs 26 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files\\7-Zip\\Lang\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\NetHood\\wininit.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files\\7-Zip\\Lang\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Defender\\StartMenuExperienceHost.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\odt\\conhost.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\odt\\conhost.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\"" INST.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Snippets\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\fontdrvhost.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Windows\\AppReadiness\\TrustedInstaller.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Defender\\StartMenuExperienceHost.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = 
"\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Snippets\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\NetHood\\wininit.exe\"" INST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files (x86)\\Reference Assemblies\\chrome.exe\"" INST.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\"" INST.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA INST.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" INST.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA StartMenuExperienceHost.exe -
Drops file in Program Files directory 28 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Reference Assemblies\RCXAECC.tmp INST.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\fontdrvhost.exe INST.exe File opened for modification C:\Program Files\7-Zip\Lang\RCXC0B5.tmp INST.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\7a73b78f679a6f INST.exe File created C:\Program Files\VideoLAN\VLC\plugins\fontdrvhost.exe INST.exe File created C:\Program Files\7-Zip\Lang\7a73b78f679a6f INST.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\chrome.exe INST.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\chrome.exe INST.exe File created C:\Program Files (x86)\Reference Assemblies\7a73b78f679a6f INST.exe File created C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe INST.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\chrome.exe INST.exe File created C:\Program Files (x86)\Reference Assemblies\chrome.exe INST.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\RCXC859.tmp INST.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\chrome.exe INST.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\chrome.exe INST.exe File created C:\Program Files\7-Zip\Lang\chrome.exe INST.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXBE24.tmp INST.exe File opened for modification C:\Program Files\Windows Defender\RCXC337.tmp INST.exe File opened for modification C:\Program Files\Windows Defender\StartMenuExperienceHost.exe INST.exe File created C:\Program Files (x86)\Windows Defender\es-ES\5940a34987c991 INST.exe File created C:\Program Files\Windows Defender\StartMenuExperienceHost.exe INST.exe File opened for modification C:\Program 
Files\VideoLAN\VLC\plugins\RCXB16D.tmp INST.exe File opened for modification C:\Program Files\7-Zip\Lang\chrome.exe INST.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\7a73b78f679a6f INST.exe File created C:\Program Files\Windows Defender\55b276f4edf653 INST.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\RCXB911.tmp INST.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe INST.exe File created C:\Program Files\VideoLAN\VLC\plugins\5b884080fd4f94 INST.exe -
Drops file in Windows directory 5 IoCs
description ioc Process
File created C:\Windows\servicing\es-ES\RuntimeBroker.exe INST.exe
File created C:\Windows\AppReadiness\TrustedInstaller.exe INST.exe
File created C:\Windows\AppReadiness\04c1e7795967e4 INST.exe
File opened for modification C:\Windows\AppReadiness\RCXB3EF.tmp INST.exe
File opened for modification C:\Windows\AppReadiness\TrustedInstaller.exe INST.exe
-
Detects Pyinstaller 3 IoCs
resource yara_rule
behavioral1/files/0x000500000001d9f2-141.dat pyinstaller
behavioral1/files/0x000500000001d9f2-142.dat pyinstaller
behavioral1/files/0x000500000001d9f2-144.dat pyinstaller
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5040 schtasks.exe 4420 schtasks.exe 2976 schtasks.exe 1472 schtasks.exe 1696 schtasks.exe 1896 schtasks.exe 2964 schtasks.exe 1600 schtasks.exe 2920 schtasks.exe 4776 schtasks.exe 3912 schtasks.exe 2864 schtasks.exe 4016 schtasks.exe 3668 schtasks.exe 3844 schtasks.exe 4696 schtasks.exe 1764 schtasks.exe 3944 schtasks.exe 1796 schtasks.exe 2024 schtasks.exe 4868 schtasks.exe 3908 schtasks.exe 324 schtasks.exe 3392 schtasks.exe 4024 schtasks.exe 3484 schtasks.exe 4876 schtasks.exe 3952 schtasks.exe 3384 schtasks.exe 4228 schtasks.exe 4488 schtasks.exe 4508 schtasks.exe 1652 schtasks.exe 2012 schtasks.exe 4760 schtasks.exe 4832 schtasks.exe 1832 schtasks.exe 4644 schtasks.exe 744 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
-
Modifies registry class 7 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings StartMenuExperienceHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ INST.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings StartMenuExperienceHost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5080 chrome.exe 5080 chrome.exe 4984 chrome.exe 4984 chrome.exe 2964 chrome.exe 2964 chrome.exe 2032 chrome.exe 2032 chrome.exe 4728 chrome.exe 4728 chrome.exe 1780 chrome.exe 1780 chrome.exe 3452 chrome.exe 3452 chrome.exe 1332 chrome.exe 1332 chrome.exe 2916 chrome.exe 2916 chrome.exe 4280 chrome.exe 4280 chrome.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1184 INST.exe 1916 chrome.exe 1916 chrome.exe 1916 chrome.exe 1916 chrome.exe 2324 powershell.exe 2324 powershell.exe 2952 powershell.exe 2952 powershell.exe 4660 powershell.exe 4660 powershell.exe 5100 powershell.exe 5100 powershell.exe 4396 powershell.exe 4396 powershell.exe 1604 powershell.exe 1604 powershell.exe 2884 powershell.exe 2884 powershell.exe 2320 powershell.exe 2320 powershell.exe 3100 powershell.exe 3100 powershell.exe 2184 powershell.exe 2184 powershell.exe 4968 powershell.exe 4968 powershell.exe 3384 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process
Token: SeDebugPrivilege 1700 brokercommon.exe
Token: SeDebugPrivilege 1184 INST.exe
Token: SeDebugPrivilege 2324 powershell.exe
Token: SeDebugPrivilege 2952 powershell.exe
Token: SeDebugPrivilege 4660 powershell.exe
Token: SeDebugPrivilege 5100 powershell.exe
Token: SeDebugPrivilege 4396 powershell.exe
Token: SeDebugPrivilege 1604 powershell.exe
Token: SeDebugPrivilege 2884 powershell.exe
Token: SeDebugPrivilege 2320 powershell.exe
Token: SeDebugPrivilege 3100 powershell.exe
Token: SeDebugPrivilege 2184 powershell.exe
Token: SeDebugPrivilege 4968 powershell.exe
Token: SeDebugPrivilege 3384 powershell.exe
Token: SeDebugPrivilege 5116 powershell.exe
Token: SeDebugPrivilege 4488 powershell.exe
Token: SeDebugPrivilege 532 StartMenuExperienceHost.exe
Token: SeDebugPrivilege 880 StartMenuExperienceHost.exe
Token: SeDebugPrivilege 2252 StartMenuExperienceHost.exe
Token: SeDebugPrivilege 2832 StartMenuExperienceHost.exe
Token: SeDebugPrivilege 8 StartMenuExperienceHost.exe
Token: SeDebugPrivilege 5884 StartMenuExperienceHost.exe
Token: SeDebugPrivilege 3496 StartMenuExperienceHost.exe
Token: SeDebugPrivilege 5240 services.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe 4984 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4984 wrote to memory of 3480 4984 chrome.exe 81 PID 4984 wrote to memory of 3480 4984 chrome.exe 81 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to 
memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 376 4984 chrome.exe 84 PID 4984 wrote to memory of 5080 4984 chrome.exe 85 PID 4984 wrote to memory of 5080 4984 chrome.exe 85 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 PID 4984 wrote to memory of 4604 4984 chrome.exe 86 -
System policy modification 1 TTPs 21 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" INST.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" INST.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" INST.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" StartMenuExperienceHost.exe
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe  —  "C:\Program Files\Google\Chrome\Application\chrome.exe" http://gitlab.com/oxx980710  (tree depth 1) ⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff794a4f50,0x7fff794a4f60,0x7fff794a4f702⤵PID:3480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:22⤵PID:376
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:82⤵PID:4604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:12⤵PID:1184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:12⤵PID:4628
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4328 /prefetch:82⤵PID:4752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:12⤵PID:536
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4432 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2964
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5192 /prefetch:82⤵PID:1472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:82⤵PID:3500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:82⤵PID:728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:82⤵PID:220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:12⤵PID:256
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1780
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:82⤵PID:4752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:12⤵PID:3868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:82⤵PID:1476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:12⤵PID:5012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5728 /prefetch:82⤵PID:3704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 /prefetch:82⤵PID:4000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5832 /prefetch:82⤵PID:3548
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5868 /prefetch:82⤵PID:3948
-
-
C:\Users\Admin\Downloads\brokercommon.exe  —  "C:\Users\Admin\Downloads\brokercommon.exe"  (tree depth 2) ⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:82⤵PID:1644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:12⤵PID:4840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5960 /prefetch:82⤵PID:2404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5948 /prefetch:82⤵PID:2884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:82⤵PID:3628
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 /prefetch:82⤵PID:4400
-
-
C:\Users\Admin\Downloads\fud_dc.exe  —  "C:\Users\Admin\Downloads\fud_dc.exe"  (tree depth 2) ⤵
- Executes dropped EXE
PID:4428 -
C:\Users\Admin\Downloads\fud_dc.exe  —  "C:\Users\Admin\Downloads\fud_dc.exe"  (tree depth 3) ⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4424 -
C:\Windows\SYSTEM32\cmd.exe  —  cmd /c echo %temp%  (tree depth 4) ⤵  PID:4576
-
-
C:\Windows\system32\cmd.exe  —  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe  (tree depth 4) ⤵  PID:2516
-
C:\Users\Admin\AppData\Local\Temp\INST.exe  —  C:\Users\Admin\AppData\Local\Temp\INST.exe  (tree depth 5) ⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1184 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\INST.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\wininit.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\TrustedInstaller.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\chrome.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\StartMenuExperienceHost.exe'  (tree depth 6) ⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\chrome.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\fontdrvhost.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\chrome.exe'  (tree depth 6) ⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  —  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\chrome.exe'  (tree depth 6) ⤵
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe  —  "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"  (tree depth 6) ⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:532 -
C:\Windows\System32\WScript.exe  —  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b74314ca-5289-49e5-863e-afddf0115a3b.vbs"  (tree depth 7) ⤵  PID:5952
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe  —  C:\Recovery\WindowsRE\StartMenuExperienceHost.exe  (tree depth 8) ⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:880 -
C:\Windows\System32\WScript.exe  —  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a28fbad-74b0-466a-a715-c6ab343d4577.vbs"  (tree depth 9) ⤵  PID:5612
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe  —  C:\Recovery\WindowsRE\StartMenuExperienceHost.exe  (tree depth 10) ⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2252 -
C:\Windows\System32\WScript.exe  —  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03106564-3f63-4edb-a2a9-96ddbafac4a7.vbs"  (tree depth 11) ⤵  PID:220
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe  —  C:\Recovery\WindowsRE\StartMenuExperienceHost.exe  (tree depth 12) ⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2832 -
C:\Windows\System32\WScript.exe  —  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0562cc07-8c1e-43c8-a99c-e8e8d12038f8.vbs"  (tree depth 13) ⤵  PID:3492
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe  —  C:\Recovery\WindowsRE\StartMenuExperienceHost.exe  (tree depth 14) ⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5884
-
-
-
C:\Windows\System32\WScript.exe  —  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\594c1d7f-47db-4a19-9f6b-d591c7b8ad8c.vbs"  (tree depth 13) ⤵  PID:5044
-
-
-
-
C:\Windows\System32\WScript.exe  —  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd27fcd1-2a7e-42a5-b3dd-9559d075ecc6.vbs"  (tree depth 11) ⤵  PID:5472
-
-
-
-
C:\Windows\System32\WScript.exe  —  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fbb1686-3cd8-4a12-9840-ece2abed9bba.vbs"  (tree depth 9) ⤵  PID:5568
-
-
-
-
C:\Windows\System32\WScript.exe  —  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79ecc6b2-60f8-4421-948d-3a4135e1cca5.vbs"  (tree depth 7) ⤵  PID:5980
-
-
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6036 /prefetch:82⤵PID:3128
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5368 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6088 /prefetch:82⤵PID:5216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=912 /prefetch:12⤵PID:2408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1108 /prefetch:82⤵PID:1488
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5500 /prefetch:82⤵PID:3544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1584 /prefetch:82⤵PID:5432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5896 /prefetch:82⤵PID:1180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4792 /prefetch:82⤵PID:4664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:82⤵PID:3536
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵PID:5620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3204 /prefetch:82⤵PID:2388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2712 /prefetch:82⤵PID:2264
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2704 /prefetch:82⤵PID:3684
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5756 /prefetch:82⤵PID:700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4428 /prefetch:82⤵PID:5060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,295692695891379081,11436050421282439797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 /prefetch:82⤵PID:180
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\NetHood\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\TrustedInstaller.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\AppReadiness\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe1⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:8 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de816cc7-bcc4-408b-a8bb-3bffe5cba8a4.vbs"2⤵PID:4084
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3496 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4037d8e9-8cbe-4414-a6b1-a9df246a0a7c.vbs"4⤵PID:4696
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ece48a1d-a03f-478a-930e-c838877b0066.vbs"4⤵PID:5912
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6a36ff7-0330-4a7b-a6ff-da0db9932858.vbs"2⤵PID:3744
-
-
C:\Users\Public\services.exeC:\Users\Public\services.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5240
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1.7MB
MD5 486e29f773ccc428f44b52f50b37c1ff
SHA1 42e596c9a6e841faabe1300c44ecbdcbbc6a4da8
SHA256 0837db8d5ca5e0bbd3b494a37f65cf0e5aea8466eb5329bc17236da1d20b62c4
SHA512 7145e04c16affe3442affc875f0b1e0e25e0eabdf2ad20351419960d92055ae05d2d0393a1405efcdb8a26af0aed5ea30f53b662a30e651ea0e092228c082cc2
-
Filesize
1.7MB
MD5 486e29f773ccc428f44b52f50b37c1ff
SHA1 42e596c9a6e841faabe1300c44ecbdcbbc6a4da8
SHA256 0837db8d5ca5e0bbd3b494a37f65cf0e5aea8466eb5329bc17236da1d20b62c4
SHA512 7145e04c16affe3442affc875f0b1e0e25e0eabdf2ad20351419960d92055ae05d2d0393a1405efcdb8a26af0aed5ea30f53b662a30e651ea0e092228c082cc2
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 e8ce785f8ccc6d202d56fefc59764945
SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f
-
Filesize
944B
MD5 e8ce785f8ccc6d202d56fefc59764945
SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f
-
Filesize
944B
MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
944B
MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
944B
MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
944B
MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
944B
MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 e8ce785f8ccc6d202d56fefc59764945
SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f
-
Filesize
1.7MB
MD5 226328c111a2cccf9a4a2d576ab9a5e9
SHA1 7fd7b703a12b44932872d7f5bc420b3cfa0c8b1d
SHA256 bad9b63870daa9d4976129b7ac5fabc721d7950017e2151035b4c7747a6ed09a
SHA512 39a03007b7f06f74ad1b00626028acaa53aa2740f2a20b87ef37aaff5e95588a2bb26762756747a83a628b6790ff1ff155bfb53b32e802e90bfcf404c4766155
-
Filesize
1.7MB
MD5 226328c111a2cccf9a4a2d576ab9a5e9
SHA1 7fd7b703a12b44932872d7f5bc420b3cfa0c8b1d
SHA256 bad9b63870daa9d4976129b7ac5fabc721d7950017e2151035b4c7747a6ed09a
SHA512 39a03007b7f06f74ad1b00626028acaa53aa2740f2a20b87ef37aaff5e95588a2bb26762756747a83a628b6790ff1ff155bfb53b32e802e90bfcf404c4766155
-
Filesize
96KB
MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
96KB
MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
1.0MB
MD5 fe8cdf31376555c17995503161be963d
SHA1 5cf403915a49fbf19a76af894be4aa24f6e0bcd0
SHA256 517efabd9a372ef0a6b986a0979f62105138dd2cc1a3ed12022b693444f2a912
SHA512 56ecb8689eae7864e2285665fb16856c2e52f443939a82eba6471776f271ffd150caa9e52d2c0e74a456c6666908a02d886c930ccdb7a42f4a92e0eabc97c04c
-
Filesize
4.3MB
MD5 c80b5cb43e5fe7948c3562c1fff1254e
SHA1 f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512 faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81
-
Filesize
4.3MB
MD5 c80b5cb43e5fe7948c3562c1fff1254e
SHA1 f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512 faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81
-
Filesize
1.3MB
MD5 1e9b89c54c99e9b9ac684bfe2523d316
SHA1 8d20dd3e61a2eadae5511ec5a4c720610a2112bb
SHA256 1b0a49b3703c3a18af26245ab66bd07f7699f237223cfc18e6f7ead9923e6a18
SHA512 ad98d9b86a64fd82991e8bd2c72b53068f61a3602249927100b32fedfc5b348d2bbd6a07fdaf950b0a322c2580395589c8081cfe81c3c3db7526b1878646dcda
-
Filesize
1.3MB
MD5 1e9b89c54c99e9b9ac684bfe2523d316
SHA1 8d20dd3e61a2eadae5511ec5a4c720610a2112bb
SHA256 1b0a49b3703c3a18af26245ab66bd07f7699f237223cfc18e6f7ead9923e6a18
SHA512 ad98d9b86a64fd82991e8bd2c72b53068f61a3602249927100b32fedfc5b348d2bbd6a07fdaf950b0a322c2580395589c8081cfe81c3c3db7526b1878646dcda
-
Filesize
7.1MB
MD5 526ea3e97e4a0d09407a93eaeec74270
SHA1 94fc622236678bbd6fd57a5d6acc470e8d829a2b
SHA256 f4f815795f4944efd72c16608ffad64171ba5bbee057bcde2918b524927c75ba
SHA512 d3d0cdb362a80037ad743df0f1ce5574a0b87aabac504ac438553a10cb97f13ffce0015c7981ade9cf31d7b867a8d2d99c62a0c74e5ae9ccfda96539ae64c466
-
Filesize
7.1MB
MD5 526ea3e97e4a0d09407a93eaeec74270
SHA1 94fc622236678bbd6fd57a5d6acc470e8d829a2b
SHA256 f4f815795f4944efd72c16608ffad64171ba5bbee057bcde2918b524927c75ba
SHA512 d3d0cdb362a80037ad743df0f1ce5574a0b87aabac504ac438553a10cb97f13ffce0015c7981ade9cf31d7b867a8d2d99c62a0c74e5ae9ccfda96539ae64c466
-
Filesize
7.1MB
MD5 526ea3e97e4a0d09407a93eaeec74270
SHA1 94fc622236678bbd6fd57a5d6acc470e8d829a2b
SHA256 f4f815795f4944efd72c16608ffad64171ba5bbee057bcde2918b524927c75ba
SHA512 d3d0cdb362a80037ad743df0f1ce5574a0b87aabac504ac438553a10cb97f13ffce0015c7981ade9cf31d7b867a8d2d99c62a0c74e5ae9ccfda96539ae64c466