Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 00:17
Behavioral task: behavioral1
Sample: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Resource: win10v2004-20240426-en
General
Target: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Size: 2.7MB
MD5: 332af220a6f8c875312ab0d215ec5ace
SHA1: bccc9805ba77ad03e7bfa6da8166c3feac4839e7
SHA256: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928
SHA512: 964a09ff2bebb8e638d7b66f23cb2f62d833e2d097bf459fc22351bbcb25ecc138411cca552df616f93893f4c396ae918124c993bfe78041256e0476bea133e0
SSDEEP: 49152:qH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:qHfE5Ad8Xd295UmGc
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\dwm.exe\", \"C:\\Users\\Default User\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\winlogon.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\dwm.exe\", \"C:\\Users\\Default User\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\winlogon.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c6927e14e1fbf4feae9cd67df04eaabe\\spoolsv.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\dwm.exe\", \"C:\\Users\\Default User\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\winlogon.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c6927e14e1fbf4feae9cd67df04eaabe\\spoolsv.exe\", \"C:\\Users\\Public\\Pictures\\Registry.exe\", \"C:\\Users\\Admin\\SendTo\\backgroundTaskHost.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\dwm.exe\", \"C:\\Users\\Default User\\OfficeClickToRun.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\", \"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\dwm.exe\", \"C:\\Users\\Default User\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\winlogon.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c6927e14e1fbf4feae9cd67df04eaabe\\spoolsv.exe\", \"C:\\Users\\Public\\Pictures\\Registry.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Process spawned unexpected child process (36 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (36 instances)
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2556 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1360 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1224 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3144 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3240 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2320 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3284 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4600 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2224 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3384 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4208 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4712 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 556 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3768 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 436 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3372 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4592 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5032 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1328 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4792 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3844 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4916 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4252 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4332 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3260 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5112 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1100 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3740 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1576 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4316 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 644 | 5116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3480 | 5116 | schtasks.exe
Processes: spoolsv.exe, 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Processes:
resource | yara_rule
behavioral2/memory/2180-1-0x0000000000260000-0x0000000000520000-memory.dmp | dcrat
C:\Recovery\WindowsRE\lsass.exe | dcrat
C:\Program Files (x86)\Windows Mail\RCX4D0E.tmp | dcrat
Detects executables packed with SmartAssembly (8 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2180-7-0x000000001B060000-0x000000001B070000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2180-12-0x000000001B0C0000-0x000000001B0CA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2180-13-0x000000001B850000-0x000000001B8A6000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2180-16-0x000000001B8A0000-0x000000001B8AC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2180-19-0x000000001B8D0000-0x000000001B8DC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2180-23-0x000000001BB40000-0x000000001BB4C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2180-22-0x000000001BB30000-0x000000001BB3C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2180-25-0x000000001BC70000-0x000000001BC7A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Executes dropped EXE (1 IoCs)
Processes: spoolsv.exe
pid | process
2576 | spoolsv.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\Links\\upfc.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Mail\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Default User\\OfficeClickToRun.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Multimedia Platform\\winlogon.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\Pictures\\Registry.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\SendTo\\backgroundTaskHost.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default\\backgroundTaskHost.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default\\backgroundTaskHost.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Mail\\dwm.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Default User\\OfficeClickToRun.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Multimedia Platform\\winlogon.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c6927e14e1fbf4feae9cd67df04eaabe\\spoolsv.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c6927e14e1fbf4feae9cd67df04eaabe\\spoolsv.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\Pictures\\Registry.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\SendTo\\backgroundTaskHost.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\Links\\upfc.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Defender\\explorer.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\sppsvc.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\"" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe, spoolsv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Drops file in Program Files directory (20 IoCs)
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
File created | C:\Program Files\Windows Multimedia Platform\cc11b995f2a76d | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\RCX4D0E.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\dwm.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\winlogon.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files\Windows Multimedia Platform\winlogon.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files\Java\jre-1.8\bin\sppsvc.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files\Java\jre-1.8\bin\0a1fd5f707cd16 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX42A8.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Windows Defender\7a0fd90576e088 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\RCX44BD.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\sppsvc.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX4B09.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\RCX5194.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\explorer.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cc11b995f2a76d | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Windows Mail\dwm.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Windows Mail\6cb0b6c459d5d3 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Program Files (x86)\Windows Defender\explorer.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Drops file in Windows directory (4 IoCs)
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\spoolsv.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\f3b6ecef712a24 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\RCX5415.tmp | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\spoolsv.exe | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 36 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (36 instances)
pid | process
4252 | schtasks.exe
4332 | schtasks.exe
4208 | schtasks.exe
436 | schtasks.exe
2556 | schtasks.exe
3384 | schtasks.exe
3240 | schtasks.exe
2884 | schtasks.exe
556 | schtasks.exe
5032 | schtasks.exe
4916 | schtasks.exe
2404 | schtasks.exe
1360 | schtasks.exe
3144 | schtasks.exe
3260 | schtasks.exe
4316 | schtasks.exe
3480 | schtasks.exe
3768 | schtasks.exe
1328 | schtasks.exe
4592 | schtasks.exe
3844 | schtasks.exe
1224 | schtasks.exe
2320 | schtasks.exe
4792 | schtasks.exe
5112 | schtasks.exe
3740 | schtasks.exe
1576 | schtasks.exe
644 | schtasks.exe
2552 | schtasks.exe
3372 | schtasks.exe
4712 | schtasks.exe
1100 | schtasks.exe
2224 | schtasks.exe
2988 | schtasks.exe
3284 | schtasks.exe
4600 | schtasks.exe
Modifies registry class (1 IoCs)
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
pid | process
2180 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe (this identical row is recorded 64 times)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege | PID 2180 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
- Token: SeDebugPrivilege | PID 3384 | powershell.exe
- Token: SeDebugPrivilege | PID 2576 | spoolsv.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 2180 wrote to memory of 3384 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe -> powershell.exe
- PID 2180 wrote to memory of 3384 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe -> powershell.exe
- PID 2180 wrote to memory of 4716 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe -> cmd.exe
- PID 2180 wrote to memory of 4716 | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe -> cmd.exe
- PID 4716 wrote to memory of 3864 | cmd.exe -> w32tm.exe
- PID 4716 wrote to memory of 3864 | cmd.exe -> w32tm.exe
- PID 4716 wrote to memory of 2576 | cmd.exe -> spoolsv.exe
- PID 4716 wrote to memory of 2576 | cmd.exe -> spoolsv.exe
System policy modification 1 TTPs 6 IoCs
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | spoolsv.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | spoolsv.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe
  "C:\Users\Admin\AppData\Local\Temp\8d95b8e8049201f160a718bb56bcebeae3cf641dc56aac746ce3dec2cca35928.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2180
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 3384
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6m5Z0ujVQO.bat"
    - Suspicious use of WriteProcessMemory
    PID: 4716
    - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 3864
    - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\spoolsv.exe
      "C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\spoolsv.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
      PID: 2576
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\upfc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2556
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Links\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1360
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1224
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3144
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3240
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2320
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\bin\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2552
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3284
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\bin\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2884
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Default\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3384
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4600
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Default\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2224
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4208
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4712
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 556
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3768
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 436
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3372
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1328
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4592
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5032
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4916
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3844
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4792
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4332
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4252
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2988
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3260
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5112
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1100
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Registry.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3740
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2404
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1576
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4316
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 644
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3480
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads