9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
Size

3.2MB
MD5

069d8565f208c71cb5496278392a3e8d
SHA1

2276be9129c6e50c4bb38ebe34e209ced3538492
SHA256

9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5
SHA512

b85064722385adcea34546f6729eacf99612807abf3603fd011bd464254d61c1748b76c93f6eff07fc0324cac941a57e3b2f024f5c0b15a089138b39c923f431
SSDEEP

49152:/QswzIgfd2FhMj0pPKEg5QlLCO0pMHBVlFP2R7Yt5ibo0/1lliJEq1pC1G:/9+kFOj+PKEaQlLNBDRtuo9Eq10

Score

10^/10

execution persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Java\\winlogon.exe\""	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Java\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe\""	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	1696	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1696	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1696	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1696	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1696	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1696	schtasks.exe	28

Detects executables packed with unregistered version of .NET Reactor 5 IoCs

resource	yara_rule
behavioral1/memory/1252-1-0x0000000000980000-0x0000000000CB2000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0030000000015d3b-86.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1260-88-0x00000000008A0000-0x0000000000BD2000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/604-116-0x00000000001D0000-0x0000000000502000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2972-144-0x0000000001290000-0x00000000015C2000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1964	powershell.exe
1940	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
1260	winlogon.exe
604	winlogon.exe
2972	winlogon.exe
1440	winlogon.exe
532	winlogon.exe
1316	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Java\\winlogon.exe\""	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Java\\winlogon.exe\""	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe\""	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe\""	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC30A80D55D99445EE8BB79617A73BD.TMP	csc.exe
File created	\??\c:\Windows\System32\bsgne1.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\winlogon.exe	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
File opened for modification	C:\Program Files (x86)\Java\winlogon.exe	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
File created	C:\Program Files (x86)\Java\cc11b995f2a76d	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2956	schtasks.exe
1668	schtasks.exe
2576	schtasks.exe
2444	schtasks.exe
2572	schtasks.exe
2532	schtasks.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1532	PING.EXE
1648	PING.EXE
1612	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1260	winlogon.exe
Token: SeDebugPrivilege	604	winlogon.exe
Token: SeDebugPrivilege	2972	winlogon.exe
Token: SeDebugPrivilege	1440	winlogon.exe
Token: SeDebugPrivilege	532	winlogon.exe
Token: SeDebugPrivilege	1316	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2008	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	32
PID 1252 wrote to memory of 2008	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	32
PID 1252 wrote to memory of 2008	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	32
PID 2008 wrote to memory of 316	2008	csc.exe	34
PID 2008 wrote to memory of 316	2008	csc.exe	34
PID 2008 wrote to memory of 316	2008	csc.exe	34
PID 1252 wrote to memory of 1964	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	38
PID 1252 wrote to memory of 1964	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	38
PID 1252 wrote to memory of 1964	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	38
PID 1252 wrote to memory of 1940	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	39
PID 1252 wrote to memory of 1940	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	39
PID 1252 wrote to memory of 1940	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	39
PID 1252 wrote to memory of 844	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	42
PID 1252 wrote to memory of 844	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	42
PID 1252 wrote to memory of 844	1252	9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe	42
PID 844 wrote to memory of 1532	844	cmd.exe	44
PID 844 wrote to memory of 1532	844	cmd.exe	44
PID 844 wrote to memory of 1532	844	cmd.exe	44
PID 844 wrote to memory of 1612	844	cmd.exe	45
PID 844 wrote to memory of 1612	844	cmd.exe	45
PID 844 wrote to memory of 1612	844	cmd.exe	45
PID 844 wrote to memory of 1260	844	cmd.exe	46
PID 844 wrote to memory of 1260	844	cmd.exe	46
PID 844 wrote to memory of 1260	844	cmd.exe	46
PID 1260 wrote to memory of 984	1260	winlogon.exe	47
PID 1260 wrote to memory of 984	1260	winlogon.exe	47
PID 1260 wrote to memory of 984	1260	winlogon.exe	47
PID 984 wrote to memory of 1368	984	cmd.exe	49
PID 984 wrote to memory of 1368	984	cmd.exe	49
PID 984 wrote to memory of 1368	984	cmd.exe	49
PID 984 wrote to memory of 2228	984	cmd.exe	50
PID 984 wrote to memory of 2228	984	cmd.exe	50
PID 984 wrote to memory of 2228	984	cmd.exe	50
PID 984 wrote to memory of 604	984	cmd.exe	51
PID 984 wrote to memory of 604	984	cmd.exe	51
PID 984 wrote to memory of 604	984	cmd.exe	51
PID 604 wrote to memory of 3020	604	winlogon.exe	54
PID 604 wrote to memory of 3020	604	winlogon.exe	54
PID 604 wrote to memory of 3020	604	winlogon.exe	54
PID 3020 wrote to memory of 2776	3020	cmd.exe	56
PID 3020 wrote to memory of 2776	3020	cmd.exe	56
PID 3020 wrote to memory of 2776	3020	cmd.exe	56
PID 3020 wrote to memory of 2780	3020	cmd.exe	57
PID 3020 wrote to memory of 2780	3020	cmd.exe	57
PID 3020 wrote to memory of 2780	3020	cmd.exe	57
PID 3020 wrote to memory of 2972	3020	cmd.exe	58
PID 3020 wrote to memory of 2972	3020	cmd.exe	58
PID 3020 wrote to memory of 2972	3020	cmd.exe	58
PID 2972 wrote to memory of 1956	2972	winlogon.exe	59
PID 2972 wrote to memory of 1956	2972	winlogon.exe	59
PID 2972 wrote to memory of 1956	2972	winlogon.exe	59
PID 1956 wrote to memory of 2732	1956	cmd.exe	61
PID 1956 wrote to memory of 2732	1956	cmd.exe	61
PID 1956 wrote to memory of 2732	1956	cmd.exe	61
PID 1956 wrote to memory of 1532	1956	cmd.exe	62
PID 1956 wrote to memory of 1532	1956	cmd.exe	62
PID 1956 wrote to memory of 1532	1956	cmd.exe	62
PID 1956 wrote to memory of 1440	1956	cmd.exe	63
PID 1956 wrote to memory of 1440	1956	cmd.exe	63
PID 1956 wrote to memory of 1440	1956	cmd.exe	63
PID 1440 wrote to memory of 2796	1440	winlogon.exe	64
PID 1440 wrote to memory of 2796	1440	winlogon.exe	64
PID 1440 wrote to memory of 2796	1440	winlogon.exe	64
PID 2796 wrote to memory of 2300	2796	cmd.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
"C:\Users\Admin\AppData\Local\Temp\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0pbzdhy\l0pbzdhy.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BB2.tmp" "c:\Windows\System32\CSC30A80D55D99445EE8BB79617A73BD.TMP"
    3⤵
    PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Java\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DlrfZSSjBm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1532
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1612
- - C:\Program Files (x86)\Java\winlogon.exe
    "C:\Program Files (x86)\Java\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fVfPD2qQtb.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1368
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2228
    - - C:\Program Files (x86)\Java\winlogon.exe
        
        "C:\Program Files (x86)\Java\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:604
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8EsK2bkKJG.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2780
        
        C:\Program Files (x86)\Java\winlogon.exe
        
        "C:\Program Files (x86)\Java\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AOAfIZos6.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1532
        
        C:\Program Files (x86)\Java\winlogon.exe
        
        "C:\Program Files (x86)\Java\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ZUpyl1cxR.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2896
        
        C:\Program Files (x86)\Java\winlogon.exe
        
        "C:\Program Files (x86)\Java\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EAk7xcglkE.bat"
        12⤵
        
        PID:1872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:1648
        
        C:\Program Files (x86)\Java\winlogon.exe
        
        "C:\Program Files (x86)\Java\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Java\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c59" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c59" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\winlogon.exe

Filesize
3.2MB

MD5
069d8565f208c71cb5496278392a3e8d

SHA1
2276be9129c6e50c4bb38ebe34e209ced3538492

SHA256
9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5

SHA512
b85064722385adcea34546f6729eacf99612807abf3603fd011bd464254d61c1748b76c93f6eff07fc0324cac941a57e3b2f024f5c0b15a089138b39c923f431

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AOAfIZos6.bat

Filesize
168B

MD5
15f6ac3c0ad937948c125743b46d7cdb

SHA1
ca9d402933a17013b0df7ed211c35c7047b54228

SHA256
e919796f922405baf4516ba3c8cac1a663d996b5ec1cffc1a2dbd3b4c6bb5830

SHA512
2ae9e861bcb9da43a2f64365b0941c6d5d51325027c382b6910ce4ea98f5b9568beb54119f1ebc8018f06c5efee9a9e991132223a5bdf77d30ddc97794ae03df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZUpyl1cxR.bat

Filesize
216B

MD5
99cd4e76d81322778d65d073f9ba10fd

SHA1
a35784a706df37f27730c7b17c8df811ec5ebe42

SHA256
3016fe00ec1c79a0d647806129b8bc1f45766a8a919206c861ce80b413089db2

SHA512
5fb6a3897847a0df4ae4dac468d43397e3664ed858094233f93e99296509bff9ccf18e62fb33b20801e68739c418fdcc14c132121f9b2d67b16e793d4c6f454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EsK2bkKJG.bat

Filesize
216B

MD5
d464516f7e412494fd78dad54b811650

SHA1
8b4578c5e2436acd9d2afdead5b8c23f08b4ce31

SHA256
a18bb0c0a785714d4621ab699cdb53aa2e3457206a243b8b3f1d2f3a8f92c6b0

SHA512
bb063fab2048403c3c4a7c94f30203515f17f7369a0bddb26bbef2c0b4ec6845c84f0e0dc4b3a2e818f304889e47f4957812bdb2da936c32c319344a28a10d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\DlrfZSSjBm.bat

Filesize
168B

MD5
8a4a2bb12a110b5ca0487e0431b2a2bb

SHA1
56054e66c0a510013234a56b9fb5d40ad938fb61

SHA256
bd53bf8ff3713a1248e100ea892addba215fe05f24a2493f52f9deef2755b009

SHA512
8e870563461458870fd93188065f7294a6b17e9205f1f324b62328e0d29ba83bea5bdc35a40d278967928b9f9bd32d8bc632e88c4dcca4ac07dca8ae45a0b4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAk7xcglkE.bat

Filesize
168B

MD5
01a7980eca99aa08876aecc31df93b0f

SHA1
c683da6c65facb36074a51805adac887c38df72b

SHA256
06fb28bdef297698e9177e51e8c9a48ce55a5c5414c7e01cf56f557e3879e0c9

SHA512
dea54728f96dc1f745f6151542cd84f1b1f7ee8b0595cacc49fd127dab4673c73e5bb5e4a63708a413b7d3a1e1a49ee2e45582077d0a81e96e3c8deffa2b0b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2BB2.tmp

Filesize
1KB

MD5
7db9bb9e91194e9ab8f663425f7fddb1

SHA1
56eeb78bab68e9aeba39c8c1b94a6835f78cdaec

SHA256
1538bc0875e79a7db3c15403858980cf695465f0b3b3e592019876fa70a5f6b0

SHA512
5689113866bd880329f74e4f74f6700168f5482bfbdfab0dc145c02c5156f7fafe70663b85e0a416adf69805d3d4f147e2ee8bdaf0631715369745777ea9a132

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVfPD2qQtb.bat

Filesize
216B

MD5
dc961d59737f3472c4b0574d71d5a334

SHA1
2096891008bee257c3586172e67d7866aa4158ed

SHA256
0cabc1bdd32762ac849e79e6b565976fb0e3d15aeeef7a3bdaa76dd389d225f8

SHA512
8cfd3e4a6c4de409337a887f5314b2a54d9ae0e11c85f8a63a75f421dbe542f0fa3b83de96a7a9d41bfe2158c74b4b79e08f525f2e62eb32b1946fe4e5926f8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
459efd83b0316365ba9b40706be783a3

SHA1
dae3640956f88d5d6fa2c57305d726c07901bf84

SHA256
048a3947bfe848385a20199d66961c7c609b13b5f84e4b657f4599aeaea1e9d6

SHA512
10bae3446b1dfd3c7658ab6712a59259ab7c1a1a4ce9a4d8ec50a9c76391d0a5faf227321edd23c70c13df643c3f7c43621b1f65f60226621c9c444c0840cde3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0pbzdhy\l0pbzdhy.0.cs

Filesize
372B

MD5
9f945582f3f687a737c9623c2954b738

SHA1
3c9b61fa2419ffa55de5d629cb6ab79759bf60c0

SHA256
49970f5e67de4b3260a5d7d6b0bfbbf752e7c392bdbc9f2e9b8c08942ffb0efe

SHA512
cb66f194e499c2e1bea27c59197f81faba05bc8cb4066819fd802b4c0ab5b19bfa4fffcb173e032754f884d9798f9821b39de5c4501bc1ac63f1fd968f601594

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0pbzdhy\l0pbzdhy.cmdline

Filesize
235B

MD5
0f5baeae69c092d225e4562c708c83f6

SHA1
eb30202b4960376e02918193ed22f8611ab7bee1

SHA256
e5e96e26f0bfa042f48a374e4ed817015a2b4c62af5377075169938110b0c19c

SHA512
1f2b6393dc64871725610203257ea0d7e5d67d26aef988eeb6492d422da5ec0a05c40eca168888c299a7ad0ab47d0de627f0fc6b291925e85944c69f8042c243

Download Submit
\??\c:\Windows\System32\CSC30A80D55D99445EE8BB79617A73BD.TMP

Filesize
1KB

MD5
dc62d02b56d310e294d158c225b91f50

SHA1
844e69b5ff0328e80441c54dbdff39d82c3263ba

SHA256
be8b5c97dc2eb2b7a62245da79d879ac20bb8e123c06b565f27e330bfe4fa0f8

SHA512
23e9004baf3f7dc17611fa3fa65e5c8dbd0c49cb43b831688eec9b938c28a3ca6029d737de77810271ac9f0779c27f62db123d2831aee13527d0a3088c39c209

Download Submit
memory/604-116-0x00000000001D0000-0x0000000000502000-memory.dmp

Filesize
3.2MB

Download
memory/1252-18-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/1252-53-0x000000001AA00000-0x000000001AA0C000-memory.dmp

Filesize
48KB

Download
memory/1252-23-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/1252-25-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/1252-26-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-28-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/1252-30-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/1252-32-0x000000001A9C0000-0x000000001A9D2000-memory.dmp

Filesize
72KB

Download
memory/1252-33-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-35-0x0000000000760000-0x000000000076E000-memory.dmp

Filesize
56KB

Download
memory/1252-37-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/1252-39-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/1252-40-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-42-0x000000001AE50000-0x000000001AEAA000-memory.dmp

Filesize
360KB

Download
memory/1252-44-0x0000000000970000-0x000000000097E000-memory.dmp

Filesize
56KB

Download
memory/1252-47-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-49-0x000000001A9F0000-0x000000001A9FE000-memory.dmp

Filesize
56KB

Download
memory/1252-46-0x000000001A9E0000-0x000000001A9F0000-memory.dmp

Filesize
64KB

Download
memory/1252-51-0x000000001AA20000-0x000000001AA38000-memory.dmp

Filesize
96KB

Download
memory/1252-21-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/1252-19-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

Filesize
4KB

Download
memory/1252-16-0x0000000000620000-0x0000000000638000-memory.dmp

Filesize
96KB

Download
memory/1252-14-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/1252-83-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-1-0x0000000000980000-0x0000000000CB2000-memory.dmp

Filesize
3.2MB

Download
memory/1252-12-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/1252-2-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-10-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/1252-8-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-3-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-7-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-6-0x00000000005F0000-0x0000000000616000-memory.dmp

Filesize
152KB

Download
memory/1252-4-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1260-88-0x00000000008A0000-0x0000000000BD2000-memory.dmp

Filesize
3.2MB

Download
memory/1940-82-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1964-84-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2972-144-0x0000000001290000-0x00000000015C2000-memory.dmp

Filesize
3.2MB

Download