Analysis
- max time kernel: 938s
- max time network: 940s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 03:33
Behavioral task behavioral1
- Sample: NurikCrackNewVersion.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: NurikCrackNewVersion.exe
- Resource: win10v2004-20240508-en
General
- Target: NurikCrackNewVersion.exe
- Size: 1.1MB
- MD5: 4b39d2785f3041d673495ecc36a95074
- SHA1: 925f23e1e5b69b075728221874b54dc2ad2c7f65
- SHA256: 9fb4c2982f8b86bc0c969db4c2907b5e86596e73e556d68751f5d8077c807772
- SHA512: 44f75ea465ee52d9ead19330a9f4b82e7b2cc59d95e89547f85a5dc2af1139481fbeecb498edb7e68497820f1daf3c9f63d9a94fa536e91f63011603c9c31d4d
- SSDEEP: 24576:P2G/nvxW3Wayt05h/1NDQNxDL5rNx5bhpC6TZ:PbA37yC5GVz9
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  resource | yara_rule
  C:\netSvc\Msproviderserver.exe | dcrat
  behavioral2/memory/2928-17-0x0000000000E40000-0x0000000000F16000-memory.dmp | dcrat
- Process spawned unexpected child process (24 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe (24 instances)
  description | pid | pid_target | process | target process
  All 24 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 4204 and process schtasks.exe; the pid per row is: 2248, 4960, 4976, 3832, 1700, 1804, 3596, 1568, 4664, 4416, 4596, 4200, 2192, 3432, 772, 5056, 5080, 2132, 4828, 1640, 364, 2072, 2800, 1004
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: NurikCrackNewVersion.exe, WScript.exe, Msproviderserver.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | NurikCrackNewVersion.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Msproviderserver.exe
- Executes dropped EXE (14 IoCs)
  pid | process
  2928 | Msproviderserver.exe
  3388 | csrss.exe
  4156 | WmiPrvSE.exe
  4224 | conhost.exe
  2360 | upfc.exe
  1168 | wininit.exe
  3836 | TextInputHost.exe
  2240 | sysmon.exe
  3596 | WmiPrvSE.exe
  1572 | csrss.exe
  3380 | conhost.exe
  1644 | upfc.exe
  1820 | spoolsv.exe
  1212 | wininit.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
  flow | ioc
  80 | pastebin.com
  89 | pastebin.com
  104 | pastebin.com
  30 | pastebin.com
  81 | pastebin.com
  85 | pastebin.com
  92 | pastebin.com
  97 | pastebin.com
  98 | pastebin.com
  101 | pastebin.com
  107 | pastebin.com
  31 | pastebin.com
- Drops file in Program Files directory (5 IoCs)
  Processes: Msproviderserver.exe
  description | ioc | process
  File created | C:\Program Files\Windows Multimedia Platform\886983d96e3d3e | Msproviderserver.exe
  File created | C:\Program Files\ModifiableWindowsApps\dllhost.exe | Msproviderserver.exe
  File created | C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe | Msproviderserver.exe
  File created | C:\Program Files\Microsoft Office 15\ClientX64\24dbde2999530e | Msproviderserver.exe
  File created | C:\Program Files\Windows Multimedia Platform\csrss.exe | Msproviderserver.exe
- Drops file in Windows directory (3 IoCs)
  Processes: Msproviderserver.exe
  description | ioc | process
  File created | C:\Windows\DiagTrack\Scenarios\TextInputHost.exe | Msproviderserver.exe
  File opened for modification | C:\Windows\DiagTrack\Scenarios\TextInputHost.exe | Msproviderserver.exe
  File created | C:\Windows\DiagTrack\Scenarios\22eafd247d37c3 | Msproviderserver.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 24 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (24 instances)
  pid | process
  All 24 rows have process schtasks.exe; the pid per row is: 2800, 2248, 4960, 4976, 1700, 5056, 364, 3832, 1568, 4200, 1640, 1804, 2192, 5080, 1004, 2132, 4828, 3596, 4664, 4416, 4596, 3432, 772, 2072
- Modifies registry class (2 IoCs)
  Processes: NurikCrackNewVersion.exe, Msproviderserver.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | NurikCrackNewVersion.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | Msproviderserver.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid | process
  2928 | Msproviderserver.exe (7 entries)
  3388 | csrss.exe (2 entries)
  4156 | WmiPrvSE.exe
  4224 | conhost.exe
  1168 | wininit.exe
  3836 | TextInputHost.exe
  3596 | WmiPrvSE.exe
  1572 | csrss.exe
  3380 | conhost.exe
  1212 | wininit.exe
- Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2928 | Msproviderserver.exe
  Token: SeDebugPrivilege | 3388 | csrss.exe
  Token: SeDebugPrivilege | 4156 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 4224 | conhost.exe
  Token: SeDebugPrivilege | 2360 | upfc.exe
  Token: SeDebugPrivilege | 1168 | wininit.exe
  Token: SeDebugPrivilege | 3836 | TextInputHost.exe
  Token: SeDebugPrivilege | 2240 | sysmon.exe
  Token: SeDebugPrivilege | 3596 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 1572 | csrss.exe
  Token: SeDebugPrivilege | 3380 | conhost.exe
  Token: SeDebugPrivilege | 1644 | upfc.exe
  Token: SeDebugPrivilege | 1820 | spoolsv.exe
  Token: SeDebugPrivilege | 1212 | wininit.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: NurikCrackNewVersion.exe, cmd.exe, WScript.exe, cmd.exe, Msproviderserver.exe, cmd.exe
  description | pid | process | target process
  PID 872 wrote to memory of 4480 | 872 | NurikCrackNewVersion.exe | WScript.exe
  PID 872 wrote to memory of 4480 | 872 | NurikCrackNewVersion.exe | WScript.exe
  PID 872 wrote to memory of 4480 | 872 | NurikCrackNewVersion.exe | WScript.exe
  PID 872 wrote to memory of 4072 | 872 | NurikCrackNewVersion.exe | cmd.exe
  PID 872 wrote to memory of 4072 | 872 | NurikCrackNewVersion.exe | cmd.exe
  PID 872 wrote to memory of 4072 | 872 | NurikCrackNewVersion.exe | cmd.exe
  PID 4072 wrote to memory of 3520 | 4072 | cmd.exe | cmd.exe
  PID 4072 wrote to memory of 3520 | 4072 | cmd.exe | cmd.exe
  PID 4072 wrote to memory of 3520 | 4072 | cmd.exe | cmd.exe
  PID 4480 wrote to memory of 3048 | 4480 | WScript.exe | cmd.exe
  PID 4480 wrote to memory of 3048 | 4480 | WScript.exe | cmd.exe
  PID 4480 wrote to memory of 3048 | 4480 | WScript.exe | cmd.exe
  PID 3048 wrote to memory of 2928 | 3048 | cmd.exe | Msproviderserver.exe
  PID 3048 wrote to memory of 2928 | 3048 | cmd.exe | Msproviderserver.exe
  PID 2928 wrote to memory of 4180 | 2928 | Msproviderserver.exe | cmd.exe
  PID 2928 wrote to memory of 4180 | 2928 | Msproviderserver.exe | cmd.exe
  PID 4180 wrote to memory of 2672 | 4180 | cmd.exe | w32tm.exe
  PID 4180 wrote to memory of 2672 | 4180 | cmd.exe | w32tm.exe
  PID 4180 wrote to memory of 3388 | 4180 | cmd.exe | csrss.exe
  PID 4180 wrote to memory of 3388 | 4180 | cmd.exe | csrss.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; the number is the depth in the tree, children are indented under their parent)

- (depth 1) C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\netSvc\WsWYaVY80xOTEmwO5LX.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - (depth 4) C:\netSvc\Msproviderserver.exe
        Command line: "C:\netSvc\Msproviderserver.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dc1PqBqq9g.bat"
          Signatures: Suspicious use of WriteProcessMemory
          - (depth 6) C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          - (depth 6) C:\Program Files\Windows Multimedia Platform\csrss.exe
            Command line: "C:\Program Files\Windows Multimedia Platform\csrss.exe"
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\netSvc\1TCP8vvjtWtNky92sAt.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe

- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Scenarios\TextInputHost.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\TextInputHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Scenarios\TextInputHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\wininit.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\My Documents\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\netSvc\conhost.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\netSvc\conhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\netSvc\conhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\netSvc\sysmon.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\netSvc\sysmon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- (depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\netSvc\sysmon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)

- (depth 1) C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe
  Command line: "C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\netSvc\conhost.exe
  Command line: C:\netSvc\conhost.exe
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\Users\Public\AccountPictures\upfc.exe
  Command line: C:\Users\Public\AccountPictures\upfc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\Users\Default\My Documents\wininit.exe
  Command line: "C:\Users\Default\My Documents\wininit.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\Windows\DiagTrack\Scenarios\TextInputHost.exe
  Command line: C:\Windows\DiagTrack\Scenarios\TextInputHost.exe
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\netSvc\sysmon.exe
  Command line: C:\netSvc\sysmon.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe
  Command line: "C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\Program Files\Windows Multimedia Platform\csrss.exe
  Command line: "C:\Program Files\Windows Multimedia Platform\csrss.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\netSvc\conhost.exe
  Command line: C:\netSvc\conhost.exe
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\Users\Public\AccountPictures\upfc.exe
  Command line: C:\Users\Public\AccountPictures\upfc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\Recovery\WindowsRE\spoolsv.exe
  Command line: C:\Recovery\WindowsRE\spoolsv.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- (depth 1) C:\Users\Default\My Documents\wininit.exe
  Command line: "C:\Users\Default\My Documents\wininit.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
  Filesize: 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
- C:\Users\Admin\AppData\Local\Temp\Dc1PqBqq9g.bat
  Filesize: 219B
  MD5: 42976956ade5cc566251e39d5d8d7412
  SHA1: 926bb66255fa2c51e1eadff6f2bf89cb96b74944
  SHA256: 2f229175ea6341e99220d6a0f50b47ac01a64f04a05f29ffa59a1836d69261f5
  SHA512: f47a572964e17a6c33f0e1628ee6cf21a7e21e441bcc9223f42970cb406024f5cc2c46fc99876f38dddf8be0f679b778b88094c2a4ec3c0cae1467cb2d5275a2
- C:\netSvc\1TCP8vvjtWtNky92sAt.bat
  Filesize: 13B
  MD5: 9e97eb7b4fe7e7b2978f9ebdf6896f2d
  SHA1: cdccef4e71f279347ff25fea52f53d5b640b0aea
  SHA256: 9d89a31f0e7b7d9fe52bf475b00ffb9fe24ea28d0905229467ee072246bb413b
  SHA512: 8a50d83ac64ed0c96a1a4db4e18a909e93d108b0d35481340e6a829d914fad604b9a0ef860d902b978a475fd15e4dca304db6952aa51fe8cf2010c2319887c91
- C:\netSvc\Msproviderserver.exe
  Filesize: 827KB
  MD5: 4e4088d5176e77688154f64545051d8b
  SHA1: 3020231a4134839b3970c3cb10ed5d87ea174459
  SHA256: 046956b1eb9b2fc738698aa8222744b07c11e104e20a94d764ed7b1ac133fac0
  SHA512: 49599228d257f18aa2c0931569ea4eb917d0e793e30906940e521be6a5280580aee57bc96c62645a61241fb2843103da26fa3f443d7a724ceaaa4486c401d2a5
- C:\netSvc\WsWYaVY80xOTEmwO5LX.bat
  Filesize: 32B
  MD5: e897bc8313657095107640d60d42da83
  SHA1: 803d583c033182a69af393bd1f239a2c23b76fb0
  SHA256: 5acdb6f1284aaa5e072c09bd68de498d21c344910ab2c2ccf83257305997c05f
  SHA512: 44d1d8ed11d4158cde19e7501fb2467e2c274f1a16f7e220d0ca163d8af8167582084954d5238b8c3485ebde903a24658dd608c9da1469a1864537f1cec26e1d
- C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe
  Filesize: 202B
  MD5: d443149e014f135240a9aeca27fbfe1e
  SHA1: 3f541782e2333dc7aced3e77732f198ea37113cc
  SHA256: bf426dcc90e02082ddaeee361aaa3deadd6249eed5156be07bd763086887793b
  SHA512: 8d3a16b1b608928f31ab6f0db12449dbb07b449e8a25647ebfb2671d9f12eb661b33a11b03f0c4771615f1afde3c70bde350df06d17a3273b4f1f5c064d5d381
- memory/2928-17-0x0000000000E40000-0x0000000000F16000-memory.dmp
  Filesize: 856KB