Analysis Overview
SHA256
f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15
Threat Level: Likely malicious
The file f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15 was found to be: Likely malicious.
Malicious Activity Summary
Detects Windows executables referencing non-Windows User-Agents
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:26
Reported
2024-06-03 05:28
Platform
win7-20240508-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mqdbvnnwgmqj = "\"C:\\Users\\Admin\\AppData\\Roaming\\rdBN51n\\dccw.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\9430\WFS.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\9430\WFS.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\LPWr5o.cmd" | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1232 wrote to memory of 2540 | N/A | N/A | C:\Windows\system32\dccw.exe |
| PID 1232 wrote to memory of 1252 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1232 wrote to memory of 2552 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 2552 wrote to memory of 2676 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1232 wrote to memory of 3036 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 1232 wrote to memory of 2284 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1232 wrote to memory of 2596 | N/A | N/A | C:\Windows\System32\eventvwr.exe |
| PID 2596 wrote to memory of 2840 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe |
| PID 2840 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15.dll,#1
C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\KDvqv0.cmd
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{7b98aa95-b212-23e5-3cc8-426819761c96}"
C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{7b98aa95-b212-23e5-3cc8-426819761c96}"
C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1kxDDdc.cmd
C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\LPWr5o.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Rkbail" /SC minute /MO 60 /TR "C:\Windows\system32\9430\WFS.exe" /RL highest
Network
Files
C:\Users\Admin\AppData\Local\Temp\KDvqv0.cmd
| MD5 | 3b6071220812d30eaba369fcfd49a9b4 |
| SHA1 | b5953b8e3324ebcbe483315e639b5a9d02636484 |
| SHA256 | 38ac44b727095c75f4f1948721c911c4abe002270caaed8052bec3940f5ce888 |
| SHA512 | e5d0cbb5513cbdd1b14acdf54a2e6b46d19785ffdfff97bcf633f7912d43d2181f33141f34b2513f28b7258a8b78ce9dc62fff3fb83a2fd66743fd55a73253cc |
C:\Users\Admin\AppData\Local\Temp\Hz317C.tmp
| MD5 | 99073021600b9cf6ff57c76bd062ef7d |
| SHA1 | 3a33f8dcfeb656d6aa74dc99b7e0ebc171eae8ae |
| SHA256 | bd3e54dd54dcdd2e776fca2a87958208d19aa874641ecad3c9eb4cc9b6c028b9 |
| SHA512 | 8e2d4cded46384095f64827c33f22c38c0062d42273925f38411e16343535056452e541589100610c4830d747f72192b69179bd983e4a85d498b31247113db16 |
C:\Users\Admin\AppData\Roaming\rdBN51n\dccw.exe
| MD5 | a46cee731351eb4146db8e8a63a5c520 |
| SHA1 | 8ea441e4a77642e12987ac842b36034230edd731 |
| SHA256 | 283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5 |
| SHA512 | 3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc |
C:\Users\Admin\AppData\Local\Temp\1kxDDdc.cmd
| MD5 | 722de24f8d34fbe349a508c916ee76b9 |
| SHA1 | 302532fb1277a56081191082a3a0944c48762c9a |
| SHA256 | 3530c784d8eef7b6c83cbf6b3f873eedd3df8eaa3b825900a4f38537f38c7a36 |
| SHA512 | 0dbaa11597f6e426a0edce2d51eb2bcb6bde74561f13eaed7b4e242d7d426986bedd693424d36502e281ad13196f9738c4ad5e728ffc931b4092b647af3e7363 |
C:\Users\Admin\AppData\Local\Temp\XO3332.tmp
| MD5 | 39de3dbe50e56d5ca7bfa77a66d99a7f |
| SHA1 | f713473f0956904f9a12bcfb10be142c24531780 |
| SHA256 | 7fc308ae87c79d6c22732cb0a6602ae3ea450860d83c488db068733c0fc5a442 |
| SHA512 | bc8a786baed12c6b554c2f76fac138209839ef7a8167ef37b50a226c1c5f070347ff6320b6df4238f52391f6ac8f4b8bd45c368fc6d2d7341b00fea0bb96bc4d |
C:\Users\Admin\AppData\Local\Temp\LPWr5o.cmd
| MD5 | 927e4d338107109edbd97ecd590b0185 |
| SHA1 | 9cab29d7a3a63494897f8040d40cdcc167087fa1 |
| SHA256 | d05a756b06fa7ff8ce506e6624f6c0122e9d9fe6ee6c256276bf804111bd91aa |
| SHA512 | bbfac085c7af3947c75b714c18330be79ebff59b896e21d174eac7371bdb2a3a25f0f60a6b63461eb7ce5215accc3dceaffcda9b9ed82eb5c069ac010c4fb87a |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mqdbvnnwgmqj.lnk
| MD5 | 56f8cc06d7ee62c67a04020454dee30b |
| SHA1 | f8819e82a4ba547cd18b8958de50b894fae3b847 |
| SHA256 | a88fad3630b96cba48fbaca333c9d419a2495b1642bec042b7dd3c53220b7309 |
| SHA512 | c6136642168357efd823dc969160300dd04a4c221fdd6db897ce7de45be7c1ed16f4c79a16d296c32fa0078ac2eef438828e739744eb39dc9997fd8825d1f76f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:26
Reported
2024-06-03 05:29
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Pm7qq7J\\ie4uinit.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\6791\ie4ushowIE.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\6791\ie4ushowIE.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\HMho.cmd" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3164 wrote to memory of 760 | N/A | N/A | C:\Windows\system32\ctfmon.exe |
| PID 3164 wrote to memory of 912 | N/A | N/A | C:\Windows\system32\cleanmgr.exe |
| PID 3164 wrote to memory of 3660 | N/A | N/A | C:\Windows\system32\wsqmcons.exe |
| PID 3164 wrote to memory of 3652 | N/A | N/A | C:\Windows\system32\audiodg.exe |
| PID 3164 wrote to memory of 2800 | N/A | N/A | C:\Windows\system32\ie4uinit.exe |
| PID 3164 wrote to memory of 4928 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3164 wrote to memory of 4028 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 4028 wrote to memory of 2524 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 3164 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\ResetEngine.exe |
| PID 3164 wrote to memory of 2932 | N/A | N/A | C:\Windows\system32\DsmUserTask.exe |
| PID 3164 wrote to memory of 776 | N/A | N/A | C:\Windows\system32\iscsicpl.exe |
| PID 3164 wrote to memory of 2220 | N/A | N/A | C:\Windows\system32\RemotePosWorker.exe |
| PID 3164 wrote to memory of 3992 | N/A | N/A | C:\Windows\system32\MDMAgent.exe |
| PID 3164 wrote to memory of 3720 | N/A | N/A | C:\Windows\system32\ie4ushowIE.exe |
| PID 3164 wrote to memory of 684 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3164 wrote to memory of 4368 | N/A | N/A | C:\Windows\System32\fodhelper.exe |
| PID 4368 wrote to memory of 4668 | N/A | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe |
| PID 4668 wrote to memory of 1760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15.dll,#1
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\cleanmgr.exe
C:\Windows\system32\cleanmgr.exe
C:\Windows\system32\wsqmcons.exe
C:\Windows\system32\wsqmcons.exe
C:\Windows\system32\audiodg.exe
C:\Windows\system32\audiodg.exe
C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\HLc.cmd
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"
C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"
C:\Windows\system32\ResetEngine.exe
C:\Windows\system32\ResetEngine.exe
C:\Windows\system32\DsmUserTask.exe
C:\Windows\system32\DsmUserTask.exe
C:\Windows\system32\iscsicpl.exe
C:\Windows\system32\iscsicpl.exe
C:\Windows\system32\RemotePosWorker.exe
C:\Windows\system32\RemotePosWorker.exe
C:\Windows\system32\MDMAgent.exe
C:\Windows\system32\MDMAgent.exe
C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\atUBD.cmd
C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\HMho.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Eofvjgiti" /SC minute /MO 60 /TR "C:\Windows\system32\6791\ie4ushowIE.exe" /RL highest
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\HLc.cmd
| MD5 | adf18cdccd22c551815e21062c8e0534 |
| SHA1 | 5152f9663b0b156d2644cf4ee61f9d8e7230b902 |
| SHA256 | c90cc099d8efbee8ac25fc67e8dc90137cc76f9ba82197d168bc418bbde6d1fd |
| SHA512 | 61036bb240ddada5aeb6972a5124ba418d18364a243f14cc460339de554050b98324aa0b0c2f3ff0dbc597e02f7bb848d75da8c972a6fb6de9279c8654e48c22 |
C:\Users\Admin\AppData\Local\Temp\hsR1D09.tmp
| MD5 | 7eb5790fa20c1ae222adf004c2f9cdf4 |
| SHA1 | 78c80e1b4d349eb17a14cf3e20744714f7906f4d |
| SHA256 | 2a811f25128f8445e34c569f4549989d4858d00389502f0aa7c744bae634c28a |
| SHA512 | 22f8c84630af7bf0ba66122304e130d8e3f3f6d726acd6a57776db479d5293738d98e2f505626eaa3c356537c01b96adb81155a62a12fc59859abf3438ce21f4 |
C:\Users\Admin\AppData\Roaming\Pm7qq7J\ie4uinit.exe
| MD5 | a2f0104edd80ca2c24c24356d5eacc4f |
| SHA1 | 8269b9fd9231f04ed47419bd565c69dc677fab56 |
| SHA256 | 5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c |
| SHA512 | e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390 |
C:\Users\Admin\AppData\Local\Temp\atUBD.cmd
| MD5 | bed18e2a9e7d56b8022e3dbb3aab2417 |
| SHA1 | 76bdeebd59059723663181fe0831c60b77d6012d |
| SHA256 | 36842ea7effd6722f01380fd530d274bc21f28c9a9d1bafab0194e6bdc3f834f |
| SHA512 | 3c3e113e5cd1308b4d0d96984e7db9dedc491ced822f67ec31f490b0b564d0c6e1daf842c65275df88eaeaf3f8e26985da1fd1ef7b4b4d20691a3f74500488ca |
C:\Users\Admin\AppData\Local\Temp\02314.tmp
| MD5 | 82638df3bd62eb59e65beddc9f8ddf04 |
| SHA1 | 800fb063547fa893c49fa0b7261ac1c4c8ec1954 |
| SHA256 | dafb94daee7119edf294f500a93884f85f8132dc1d32dd36ffa07d46e1af9da0 |
| SHA512 | c788e366e67278c65f53e5c27a1745b4fffc51e596e91558c1fbf3a524f4407a7445f8fec933eddff82bc1dcc16c2acdc4069c9e20a1aef2a9dcb185a9a7e172 |
C:\Users\Admin\AppData\Local\Temp\HMho.cmd
| MD5 | 9a3f36f4c543ab4f9b35bbadacfb6781 |
| SHA1 | b49cfd67b4c67c29c7955829d14be151ea40dcb1 |
| SHA256 | be04b5931b73c2194c189a93418938981ce79b9d0c00d97a12b55debeeba35b5 |
| SHA512 | 5c8acc9c38c97e5b5d68813178b43b5b2302aa70fdab087dcf69ce7f69fdc1880fb90da99989d964e13abd257b98982e20b571acca660fd307f64a82bbc3b06f |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xcdbzlxvqxxhz.lnk
| MD5 | 4696b0f11644a0364e387276f552c6ff |
| SHA1 | 9dd1462319c8926d49b919c9651a59cfec41fe40 |
| SHA256 | 39e1a68ea4d929f3e64de9a305115f8eabfed51710f34c7bc08fdee5381577e2 |
| SHA512 | 4673d5f0af5a03fcde841fa9fa25e4fe05392b32e258a87422c9ed1fb5d7f8cbb24c9f8c83c925a6c96aed1e7f5e651fea23371be052595777f2eba8b998e312 |