Analysis Overview
SHA256
5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5
Threat Level: Shows suspicious behavior
The file 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5 was classified as "Shows suspicious behavior".
Malicious Activity Summary
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Creates scheduled task(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 22:30
Reported
2024-06-02 22:33
Platform
win7-20240419-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "\"C:\\Users\\Admin\\AppData\\Roaming\\5jl0\\BitLockerWizard.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\3087\wbengine.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\3087\wbengine.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\IKOyebX.cmd" | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1208 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe |
| PID 1208 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe |
| PID 1208 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe |
| PID 1208 wrote to memory of 2560 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2560 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2560 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2608 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2608 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2608 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 2608 wrote to memory of 3012 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2608 wrote to memory of 3012 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2608 wrote to memory of 3012 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1208 wrote to memory of 2580 | N/A | N/A | C:\Windows\system32\logagent.exe |
| PID 1208 wrote to memory of 2580 | N/A | N/A | C:\Windows\system32\logagent.exe |
| PID 1208 wrote to memory of 2580 | N/A | N/A | C:\Windows\system32\logagent.exe |
| PID 1208 wrote to memory of 3008 | N/A | N/A | C:\Windows\system32\wbengine.exe |
| PID 1208 wrote to memory of 3008 | N/A | N/A | C:\Windows\system32\wbengine.exe |
| PID 1208 wrote to memory of 3008 | N/A | N/A | C:\Windows\system32\wbengine.exe |
| PID 1208 wrote to memory of 2304 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2304 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2304 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2808 | N/A | N/A | C:\Windows\System32\eventvwr.exe |
| PID 1208 wrote to memory of 2808 | N/A | N/A | C:\Windows\System32\eventvwr.exe |
| PID 1208 wrote to memory of 2808 | N/A | N/A | C:\Windows\System32\eventvwr.exe |
| PID 2808 wrote to memory of 2868 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe |
| PID 2808 wrote to memory of 2868 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe |
| PID 2808 wrote to memory of 2868 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe |
| PID 2868 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2868 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2868 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1
C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\7yXTr.cmd
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
C:\Windows\system32\logagent.exe
C:\Windows\system32\logagent.exe
C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ZG2R.cmd
C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\IKOyebX.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Bygyxkyzdvxj" /SC minute /MO 60 /TR "C:\Windows\system32\3087\wbengine.exe" /RL highest
Network
Files
memory/1340-0-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1340-2-0x0000000000170000-0x0000000000177000-memory.dmp
memory/1208-3-0x0000000077A86000-0x0000000077A87000-memory.dmp
memory/1208-4-0x0000000002550000-0x0000000002551000-memory.dmp
memory/1340-6-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-7-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-8-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-18-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-9-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-10-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-11-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-12-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-13-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-32-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-31-0x0000000002530000-0x0000000002537000-memory.dmp
memory/1208-24-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-23-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-22-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-21-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-20-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-19-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-17-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-16-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-15-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-14-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-33-0x0000000077B91000-0x0000000077B92000-memory.dmp
memory/1208-42-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-48-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-47-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/1208-46-0x0000000077CF0000-0x0000000077CF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7yXTr.cmd
| MD5 | 6269cf9d55c096e2e43dd2737f00c11a |
| SHA1 | 468f035509796131bbd85dbc1e9ad77cdf40fbdd |
| SHA256 | 6c5069f8adb1b32eb63f9dedfd7a897fb366cf77cf0aa2b1c2cf78187e5179d9 |
| SHA512 | 9ab4bcb40e4f86e83fdc3c0ea72df92357186c178fed204249810538e255cdf0c85405e53e5393696e806db14ea80e5c8b64255e8fd70787834e8a68c4d841e9 |
C:\Users\Admin\AppData\Local\Temp\V5u251D.tmp
| MD5 | e1fc2dda8901105681d7986f89043ecb |
| SHA1 | 0cfbf4dfea70189f1615eea1731dbfd094a37a7c |
| SHA256 | f8b9b1060d0828e3f7fcec7db02beb0914f4004d4774e02bcc43c095b33f0276 |
| SHA512 | bf3eafabe67f1dc49fbbb9279752003711d2cff7c553dd123fcf53d3836781c8c8e31ee4a0db411cc8a1dffb4cbb12851f8733901aa76f354b35e1b1b24fa52b |
C:\Users\Admin\AppData\Roaming\5jl0\BitLockerWizard.exe
| MD5 | 08a761595ad21d152db2417d6fdb239a |
| SHA1 | d84c1bc2e8c9afce9fb79916df9bca169f93a936 |
| SHA256 | ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620 |
| SHA512 | 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9 |
C:\Users\Admin\AppData\Local\Temp\ZG2R.cmd
| MD5 | 981f04ddae8a5ef54ef6f2d95cc27ed7 |
| SHA1 | b467e660582a5d2721318cfd10bc7d52c1ceced6 |
| SHA256 | 8251ef9c6caea24388dcab8f32a418321fe262de2b93bce1dcafe872f8f7612c |
| SHA512 | 0494e7beeb34a5954fcbb41d0b91d291625ac612b06b17075959caa7590d455ca14e81c3ca70085ca878dcfd1d22716af0dfc4b8b7489c083b951e83d386fd36 |
C:\Users\Admin\AppData\Local\Temp\S2685.tmp
| MD5 | ef0bc0ee7e0b1759979add3129d2d453 |
| SHA1 | 663a116b3c7f37ebddd63027dfe2ba10b22d213d |
| SHA256 | f826fb05e0bcbaf1a1ca81f510ec885273f22ab1277350c5219f403aa8d0c68a |
| SHA512 | 79447400d9815b3b011af0af960c511eb8374336f6b339e3f0654b433ed04cdae5fa7b06220037c097a9f89a5ed782ebe79c98a9ca49878dc2fd35d651522d5a |
C:\Users\Admin\AppData\Local\Temp\IKOyebX.cmd
| MD5 | 4c7dcc4d5577f3701b50121677bf01e2 |
| SHA1 | 47793f51cba26400b2be7c07a64d35ab9815b39a |
| SHA256 | e8d319414dd9222e093a2c9dd74041e2a532a00f35dca609023a40916116f4b3 |
| SHA512 | f3ac672d475e5dba3c3441428a465aee7f2fc31616e6015cfd78f35a4f02b1c3a15cad0f266d24a03105f0e5acfad2b1bc2abd2459f1b17fe963eeaed5901ca0 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mwyjnbrrs.lnk
| MD5 | ddaeb0c2277f6ec03db48d039e77f75a |
| SHA1 | d65fa0fa748cccd5ee5d4af9666446864980a5c3 |
| SHA256 | 4772c4f086da5c54b07bf01746504bf2686accec479391b91c048dce09551093 |
| SHA512 | 8a7be64080ad8051195a4df9b145cfa74ebd25762ba88943da71f71bffed53947c2a339e19e47b7490991f75230e3062165860b9001ab9d36506acc1c86102ca |
memory/1208-96-0x0000000077A86000-0x0000000077A87000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 22:30
Reported
2024-06-02 22:33
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "\"C:\\Users\\Admin\\AppData\\Roaming\\OBVb3\\dpapimig.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\6000\cmstp.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\6000\cmstp.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\59KmpNH.cmd" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command\DelegateExecute | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3388 wrote to memory of 4832 | N/A | N/A | C:\Windows\system32\provtool.exe |
| PID 3388 wrote to memory of 4832 | N/A | N/A | C:\Windows\system32\provtool.exe |
| PID 3388 wrote to memory of 5064 | N/A | N/A | C:\Windows\system32\notepad.exe |
| PID 3388 wrote to memory of 5064 | N/A | N/A | C:\Windows\system32\notepad.exe |
| PID 3388 wrote to memory of 5056 | N/A | N/A | C:\Windows\system32\svchost.exe |
| PID 3388 wrote to memory of 5056 | N/A | N/A | C:\Windows\system32\svchost.exe |
| PID 3388 wrote to memory of 876 | N/A | N/A | C:\Windows\system32\wsmprovhost.exe |
| PID 3388 wrote to memory of 876 | N/A | N/A | C:\Windows\system32\wsmprovhost.exe |
| PID 3388 wrote to memory of 3004 | N/A | N/A | C:\Windows\system32\LanguageComponentsInstallerComHandler.exe |
| PID 3388 wrote to memory of 3004 | N/A | N/A | C:\Windows\system32\LanguageComponentsInstallerComHandler.exe |
| PID 3388 wrote to memory of 2640 | N/A | N/A | C:\Windows\system32\dllhost.exe |
| PID 3388 wrote to memory of 2640 | N/A | N/A | C:\Windows\system32\dllhost.exe |
| PID 3388 wrote to memory of 4608 | N/A | N/A | C:\Windows\system32\dpapimig.exe |
| PID 3388 wrote to memory of 4608 | N/A | N/A | C:\Windows\system32\dpapimig.exe |
| PID 3388 wrote to memory of 4084 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3388 wrote to memory of 4084 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3388 wrote to memory of 4684 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3388 wrote to memory of 4684 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 4684 wrote to memory of 2840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 4684 wrote to memory of 2840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 3388 wrote to memory of 2892 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 3388 wrote to memory of 2892 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 3388 wrote to memory of 3844 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3388 wrote to memory of 3844 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3388 wrote to memory of 4164 | N/A | N/A | C:\Windows\System32\fodhelper.exe |
| PID 3388 wrote to memory of 4164 | N/A | N/A | C:\Windows\System32\fodhelper.exe |
| PID 4164 wrote to memory of 2868 | N/A | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe |
| PID 4164 wrote to memory of 2868 | N/A | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe |
| PID 2868 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2868 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1
C:\Windows\system32\provtool.exe
C:\Windows\system32\provtool.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wsmprovhost.exe
C:\Windows\system32\wsmprovhost.exe
C:\Windows\system32\LanguageComponentsInstallerComHandler.exe
C:\Windows\system32\LanguageComponentsInstallerComHandler.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\UXihNCQ.cmd
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"
C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"
C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Nj38.cmd
C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\59KmpNH.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Fzlrtmppumx" /SC minute /MO 60 /TR "C:\Windows\system32\6000\cmstp.exe" /RL highest
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/4688-0-0x000001CE11660000-0x000001CE11667000-memory.dmp
memory/4688-1-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-3-0x00000000023D0000-0x00000000023D1000-memory.dmp
memory/4688-5-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-6-0x00007FFA14D2A000-0x00007FFA14D2B000-memory.dmp
memory/3388-18-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-19-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-43-0x00007FFA16BC0000-0x00007FFA16BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1q26EF7.tmp
| MD5 | 17f26fe1d14c890a18ca6733264de27a |
| SHA1 | b5e193999c6592b043e203cb65934ac8844edc1b |
| SHA256 | f9688590bdab82d6cd36a3150b63ef267687291392e3a38c666334d2635c64d9 |
| SHA512 | 353d2530e5ba49a64877c99d925adadab8327f1d6d6310d910fb8f36e793d2d2899dd037e8affdccc0c7dff6628138e1d40ca12034eac40958d520a96622fb42 |
C:\Users\Admin\AppData\Local\Temp\Nj38.cmd
| MD5 | cbf5f3d4e9db331746bc15643b92d8b3 |
| SHA1 | 700670893ae5f5f4a8158576d0e74a52d2da52de |
| SHA256 | 133953265f7c12fdc9c3ab8b02505134e261de7f4add647afe3b59dc87473b34 |
| SHA512 | 2539fe8d44d19002223619e6531170647534ce4d03f96562352d3f24cc79062a351a6847c8c7589efbc16d2c938ca7395937b3db71f2a5566b931eba55adc919 |
C:\Users\Admin\AppData\Local\Temp\59KmpNH.cmd
| MD5 | 09ef23093bfde9c4626cdeb218aad241 |
| SHA1 | 4fab0a228fa314a21df3891d22d7ba7d3556e71b |
| SHA256 | cbd8d9b64f2ea208570b6405e5a24bf5bd28d5bb5ce5c92e9da559b39fcaac3f |
| SHA512 | 179a61c8a691ad4d05b2b50151b6dfe7b95e7f0f00dfe77af4f32bf71b91ed2b356f215bae2b57835fd2dd1cbd40726d3978ca59207e95b8833bfb0f0cb2bb8b |
memory/3388-52-0x0000000140000000-0x00000001400BE000-memory.dmp
C:\Users\Admin\AppData\Roaming\OBVb3\dpapimig.exe
| MD5 | b6d6477a0c90a81624c6a8548026b4d0 |
| SHA1 | e6eac6941d27f76bbd306c2938c0a962dbf1ced1 |
| SHA256 | a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb |
| SHA512 | 72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe |
C:\Users\Admin\AppData\Local\Temp\Unv6E3B.tmp
| MD5 | 897bf351a9881769449c28173edbae04 |
| SHA1 | 3a37f016cd9be27ebc234654fcdbf49eb1785fb1 |
| SHA256 | 5a14233ba3900089e955fb61989ce6fca75e1403f85b19ae6f746d762196c303 |
| SHA512 | 0d04809c07bb575994b133aec9731a1508f45e622169a832c73ea7b537c75bb0e912a3054582a53bd68500137d5cd742a4423a6de3b1ffa35ff38c45e1d2aff9 |
C:\Users\Admin\AppData\Local\Temp\UXihNCQ.cmd
| MD5 | 5b262cd5693605c516f2ed6dfc40876e |
| SHA1 | 1caf283be70ab1956cc218a1880442962f07bb7e |
| SHA256 | 89fb6e49e57e6d44e56ca84ca2059059a995a1d36ffb3fa7f6ba6173cbfa9c4b |
| SHA512 | 2e898d1c856f737acaf4bb04ff3d7799cf748860780b15c63d36014314682a6f43dbab442bec24774c10df00fb7a5b1a3742c12f2c8393b86adc49b34035a39b |
memory/3388-42-0x0000000000550000-0x0000000000557000-memory.dmp
memory/3388-40-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-31-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-24-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-23-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-22-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-21-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-20-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-17-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-16-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-15-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-14-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-13-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-12-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-11-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-10-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-9-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-8-0x0000000140000000-0x00000001400BE000-memory.dmp
memory/3388-7-0x0000000140000000-0x00000001400BE000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hkwligutpbxhkv.lnk
| MD5 | 2ed8ba3b5e467ae8c479af62137a4555 |
| SHA1 | 3c3ea8e2e1adde1e004e48294464304f62457edd |
| SHA256 | 5871a8c74805f005d66990075362e08bcaf2ec4a5b7c38106e898634df74074a |
| SHA512 | 257ae6ae0b722c88cfde4da001840c7e1c5e4561ad6852440bb0c23a9d057ada70ff43fd8a2ef41bb2c08ad8615fbe2929aa1b4f2f75f93ec262c65badaee4fd |