Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 02:33
Behavioral task: behavioral1
Sample: b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Resource: win10v2004-20240426-en
General
Target: b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Size: 2.7MB
MD5: 9508912e063cac5e940efba1f85ce86f
SHA1: e6d15f29a811c4470f4b7a245207e9f2d1051e62
SHA256: b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf
SHA512: 2581361c9c99904ff11beb75208e3689ef310cdb98fd8a0d71a3f0a3d5480f696fc14a5b8e42075d3df79b89bb2623114763ff75820fa454e053f5f72b875f27
SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 14 IoCs
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Processes:
resource | yara_rule
behavioral1/memory/2180-1-0x0000000000C10000-0x0000000000ED0000-memory.dmp | dcrat
C:\Program Files\Microsoft Games\wininit.exe | dcrat
C:\MSOCache\All Users\csrss.exe | dcrat
C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe | dcrat
behavioral1/memory/2292-168-0x0000000001180000-0x0000000001440000-memory.dmp | dcrat
Detects executables packed with SmartAssembly 8 IoCs
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 1 IoCs
Processes:
pid | process
2292 | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Adds Run key to start application 2 TTPs 28 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Drops file in Program Files directory 32 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (42 instances)
pid process: 2544, 2532, 2528, 1096, 1712, 2128, 2320, 1684, 1820, 588, 1340, 1140, 972, 1992, 2824, 932, 1844, 320, 2420, 1216, 1596, 936, 1656, 1808, 2660, 2596, 2444, 1948, 1956, 1016, 2880, 2584, 2852, 1680, 1628, 1812, 1832, 2900, 2540, 2044, 2260, 2368 (all schtasks.exe)
-
Modifies system certificate store 2 IoCs
Processes:
b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
description ioc process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob value not reproduced on this page]  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe, powershell.exe, b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
pid process
2180  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe  (repeated; accounts for every entry except the three below)
2520  powershell.exe
2292  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
2292  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe, powershell.exe, b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
description pid process
Token: SeDebugPrivilege  2180  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Token: SeDebugPrivilege  2520  powershell.exe
Token: SeDebugPrivilege  2292  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe, cmd.exe
description  pid process  target process  (each pair is logged three times in the original listing)
PID 2180 wrote to memory of 2520  2180 b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe  powershell.exe  (3 entries)
PID 2180 wrote to memory of 3004  2180 b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe  cmd.exe  (3 entries)
PID 3004 wrote to memory of 2824  3004 cmd.exe  w32tm.exe  (3 entries)
PID 3004 wrote to memory of 2292  3004 cmd.exe  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe  (3 entries)
-
System policy modification 1 TTPs 6 IoCs
Processes:
b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe, b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe (two separate processes with the same image name)
description ioc process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
(the same three values are set a second time by the second b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe process, giving the 6 IoCs)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
"C:\Users\Admin\AppData\Local\Temp\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2180
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2180)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
  -
  C:\Windows\System32\cmd.exe (child of PID 2180)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqRQWcHBD3.bat"
  - Suspicious use of WriteProcessMemory
  PID:3004
    -
    C:\Windows\system32\w32tm.exe (child of PID 3004)
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:2824
    -
    C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe (child of PID 3004)
    "C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2292
-
The following 42 processes all ran from C:\Windows\system32\schtasks.exe at the top level of the tree (parent not tracked), and each was flagged "Process spawned unexpected child process" and "Creates scheduled task(s)":
PID:2824  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
PID:588  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
PID:2880  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
PID:2900  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f
PID:2544  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
PID:2660  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
PID:2540  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
PID:2420  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
PID:2532  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
PID:2596  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /f
PID:2584  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /rl HIGHEST /f
PID:2528  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /rl HIGHEST /f
PID:2444  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /f
PID:2852  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f
PID:2128  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f
PID:1948  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
PID:2044  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
PID:1956  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
PID:1216  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
PID:2260  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
PID:2320  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
PID:1684  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /f
PID:1596  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
PID:1680  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
PID:1340  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\taskhost.exe'" /f
PID:1656  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\taskhost.exe'" /rl HIGHEST /f
PID:1628  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\taskhost.exe'" /rl HIGHEST /f
PID:932  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
PID:1096  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
PID:2368  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
PID:1812  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /f
PID:1832  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /rl HIGHEST /f
PID:1712  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /rl HIGHEST /f
PID:1140  schtasks.exe /create /tn "b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cfb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe'" /f
PID:1844  schtasks.exe /create /tn "b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe'" /rl HIGHEST /f
PID:972  schtasks.exe /create /tn "b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cfb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe'" /rl HIGHEST /f
PID:1016  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /f
PID:1992  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
PID:1808  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
PID:1820  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /f
PID:320  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f
PID:936  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads
-
Filesize 2.7MB
MD5 b01f37b221c11bf17d0be1bef5b54d33
SHA1 dfd6fa201d1a0098dd1e90af5e022c756bbe3ea0
SHA256 5a6d8f3511d0c88b5b204f54947bef6d0eec7400736dd44f32721f2cf39ca4a3
SHA512 765556be3f0f4244d513ecbc51b0ac0cd5f755d90662892bbe3b847fabe1a637545e58dbc36bafd657996515868fbe368dac58b2ae4e8d7634f60503cd45159b
-
C:\Program Files (x86)\Windows Defender\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Filesize 2.7MB
MD5 1ce38ff49efb4696119cce588b715961
SHA1 cd2fca147874920af1843046feace4b6c860402e
SHA256 41ab8be52aa3c82d66069e6b15418e7600ee975c755f70a12576def5738899d4
SHA512 21ca4dd3ae0e1d2afec92528f670582b5528257b681b514b897db88390c9e86b4012d7c4d6b18287104762a0e3668bb8a02da56e52c263ca6eee84701f351efc
-
Filesize 2.7MB
MD5 9508912e063cac5e940efba1f85ce86f
SHA1 e6d15f29a811c4470f4b7a245207e9f2d1051e62
SHA256 b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf
SHA512 2581361c9c99904ff11beb75208e3689ef310cdb98fd8a0d71a3f0a3d5480f696fc14a5b8e42075d3df79b89bb2623114763ff75820fa454e053f5f72b875f27
-
Filesize 273B
MD5 80c8c5b8baa87e463738d4f0a692736c
SHA1 064f007b823e12cc6fdbf7fc56bb7f1a513f65e0
SHA256 ce21e6134e73f59e94372981aae55e3a2b7cbb7791a1e392d5e38fef612312fb
SHA512 38e6d2811ddb1f324c0fad835c5e22d1c1dc84d9ba062497a1f24f61beef0b76c51202114a3ae1c83151cf75c90b0c87182f87f5a8666fd34a2af2e1ac9b7240