Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 00:17
Behavioral task: behavioral1
Sample: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Resource: win10v2004-20240426-en
General
Target: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Size: 2.7MB
MD5: 332af220a6f8c875312ab0d215ec5ace
SHA1: bccc9805ba77ad03e7bfa6da8166c3feac4839e7
SHA256: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928
SHA512: 964a09ff2bebb8e638d7b66f23cb2f62d833e2d097bf459fc22351bbcb25ecc138411cca552df616f93893f4c396ae918124c993bfe78041256e0476bea133e0
SSDEEP: 49152:qH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:qHfE5Ad8Xd295UmGc
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence (2 TTPs, 19 IoCs)
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\", \"C:\\Users\\All Users\\Documents\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\Idle.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\", \"C:\\Users\\All Users\\Documents\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Windows\\LiveKernelReports\\services.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\", \"C:\\Users\\All Users\\Documents\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Windows\\LiveKernelReports\\services.exe\", \"C:\\Windows\\AppCompat\\Programs\\sppsvc.exe\", \"C:\\Windows\\tracing\\audiodg.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\", \"C:\\Users\\All Users\\Documents\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\", \"C:\\Users\\All Users\\Documents\\spoolsv.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\", \"C:\\Users\\All Users\\Documents\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Windows\\LiveKernelReports\\services.exe\", \"C:\\Windows\\AppCompat\\Programs\\sppsvc.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\", \"C:\\Users\\All Users\\Documents\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Windows\\LiveKernelReports\\services.exe\", \"C:\\Windows\\AppCompat\\Programs\\sppsvc.exe\", \"C:\\Windows\\tracing\\audiodg.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\wininit.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\", \"C:\\Users\\All Users\\Documents\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe, lsm.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsm.exe
Processes:
resource | yara_rule
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe | dcrat
behavioral1/memory/2420-1-0x0000000001120000-0x00000000013E0000-memory.dmp | dcrat
C:\Program Files (x86)\Reference Assemblies\lsm.exe | dcrat
C:\ProgramData\Microsoft\Windows\Templates\Idle.exe | dcrat
behavioral1/memory/3040-212-0x00000000009E0000-0x0000000000CA0000-memory.dmp | dcrat
Detects executables packed with SmartAssembly (8 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2420-24-0x0000000000FD0000-0x0000000000FDA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2420-22-0x0000000000FB0000-0x0000000000FBC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2420-21-0x0000000000FA0000-0x0000000000FAC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2420-18-0x0000000000DF0000-0x0000000000DFC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2420-15-0x0000000000CF0000-0x0000000000CFC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2420-12-0x0000000000C90000-0x0000000000CE6000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2420-11-0x0000000000C70000-0x0000000000C7A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2420-6-0x0000000000560000-0x0000000000570000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE (1 IoCs)
Processes: lsm.exe
pid | process
3040 | lsm.exe
Adds Run key to start application (2 TTPs, 38 IoCs)
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Portable Devices\\System.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\system\\wininit.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\system\\wininit.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\csrss.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\LiveKernelReports\\services.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Portable Devices\\System.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\Documents\\spoolsv.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\AppCompat\\Programs\\sppsvc.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\tracing\\audiodg.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\wininit.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\My Documents\\services.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\My Documents\\services.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\Documents\\spoolsv.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\LiveKernelReports\\services.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\dllhost.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Templates\\Idle.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\System.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Reference Assemblies\\lsm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Templates\\Idle.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\AppCompat\\Programs\\sppsvc.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\tracing\\audiodg.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\wininit.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe, lsm.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsm.exe
Drops file in Program Files directory (20 IoCs)
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\RCX3935.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dwm.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX41C1.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Uninstall Information\dwm.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCX2AAD.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\RCX32BC.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Uninstall Information\6cb0b6c459d5d3 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files\Windows Portable Devices\System.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dwm.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\6cb0b6c459d5d3 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\f3b6ecef712a24 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\dwm.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\lsm.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Reference Assemblies\lsm.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files\Windows Portable Devices\System.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCX3731.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Reference Assemblies\101b941d020240 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Drops file in Windows directory 16 IoCs
Processes:
8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe (description / ioc; every row below is attributed to this process)
- File created C:\Windows\system\56085415360792
- File created C:\Windows\LiveKernelReports\c5b4cb5e9653cc
- File opened for modification C:\Windows\AppCompat\Programs\RCX45F7.tmp
- File opened for modification C:\Windows\AppCompat\Programs\sppsvc.exe
- File created C:\Windows\system\wininit.exe
- File created C:\Windows\tracing\audiodg.exe
- File opened for modification C:\Windows\system\RCX3D3C.tmp
- File opened for modification C:\Windows\LiveKernelReports\RCX43F3.tmp
- File opened for modification C:\Windows\LiveKernelReports\services.exe
- File opened for modification C:\Windows\tracing\audiodg.exe
- File created C:\Windows\AppCompat\Programs\0a1fd5f707cd16
- File created C:\Windows\AppCompat\Programs\sppsvc.exe
- File created C:\Windows\tracing\42af1c969fbb7b
- File opened for modification C:\Windows\system\wininit.exe
- File opened for modification C:\Windows\tracing\RCX47FB.tmp
- File created C:\Windows\LiveKernelReports\services.exe
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (pid / process; all 57 rows are schtasks.exe instances)
1984, 664, 2012, 3004, 2948, 2564, 2408, 2344, 2468, 1776, 2804, 1480, 2516, 1436, 2072, 1148, 1864, 1696, 1824, 300, 2356, 2524, 2764, 2616, 1568, 356, 688, 2396, 1120, 1192, 1852, 2520, 308, 296, 1548, 3000, 1344, 2024, 1980, 1664, 2844, 2164, 952, 1608, 1644, 448, 2252, 2692, 2696, 3036, 1764, 2712, 2876, 2456, 2960, 2388, 1492
Modifies system certificate store
Processes:
lsm.exe (description / ioc; both rows are attributed to this process)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [DER certificate blob omitted]
The thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 and the subject name carried in the blob ("ISRG Root X1", Internet Security Research Group) identify the written certificate as the ISRG Root X1 CA certificate.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe, powershell.exe (pid / process)
- 2420 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe (this row is repeated verbatim throughout the original listing; duplicates collapsed)
- 2816 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe, powershell.exe, lsm.exe (description / pid / process)
- Token: SeDebugPrivilege 2420 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
- Token: SeDebugPrivilege 2816 powershell.exe
- Token: SeDebugPrivilege 3040 lsm.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe, cmd.exe (description / pid / process / target process; each row appears three times in the original listing)
- PID 2420 wrote to memory of 2816: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe -> powershell.exe
- PID 2420 wrote to memory of 1800: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe -> cmd.exe
- PID 1800 wrote to memory of 2692: cmd.exe -> w32tm.exe
- PID 1800 wrote to memory of 3040: cmd.exe -> lsm.exe
System policy modification 1 TTPs 6 IoCs
Processes:
8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe, lsm.exe (description / ioc / process)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsm.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsm.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsm.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe (PID 2420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2816, child of 2420)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe (PID 1800, child of 2420)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cXKRfm9BNs.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\w32tm.exe (PID 2692, child of 1800)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

    C:\Program Files (x86)\Reference Assemblies\lsm.exe (PID 3040, child of 1800)
      Command line: "C:\Program Files (x86)\Reference Assemblies\lsm.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
C:\Windows\system32\schtasks.exe (PID 2696)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\services.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2616)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\services.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2468)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\services.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2712)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2764)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2564)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2516)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2456)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2524)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2948)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2344)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1824)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2520)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1852)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1120)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1696)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2356)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2012)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1644)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1192)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2024)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2692)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\lsm.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 300)
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2876)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2844)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2408)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2252)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1664)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3000)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 664)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 688)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dwm.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1492)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1480)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1864)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1548)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 448)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2804)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\system\wininit.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1764)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1148)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1776)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\Idle.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1980)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Templates\Idle.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1984)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\Idle.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1608)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3004)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 952)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1344)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\services.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 296)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\services.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3036)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\services.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2388)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\sppsvc.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 356)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\sppsvc.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2960)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\sppsvc.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 308)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\audiodg.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2396)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1568)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2164)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2072)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1436)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)