Resubmissions
21-06-2024 16:00
Analysis 240621-tf2q9sxanf (score 10)
Max time kernel: 149s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-06-2024 16:00
Static task: static1
Behavioral task: behavioral1
Sample: NurikCrack.exe
Resource: win10v2004-20240611-en
General
Target: NurikCrack.exe
Size: 7.8MB
MD5: 73e949ebe4fbc53e2b84960dd1a82e95
SHA1: cdeefd980bd57aa57766e9e7957a75aa4a66aba1
SHA256: eade2a8e603e63e2f28ee68a5003116cbbcc6029e2b5becf1f881c3ea0d1b73e
SHA512: 02b98df55948358e3a3dbf2f1f32f0fd9cca10818b0e821d7b76ff097b62e3f1ba3129d6ccb9a9ac344558927f2c48095d7ee482ff648804a597af928c4108d5
SSDEEP: 196608:O+RErBl8UUCQU8uND/GwPgYDgMV2RGxb08:OFrBl8UUCQHq/GQgcqp8

Malware Config

Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (30 instances)
Columns: description / pid / pid_target / process
All 30 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 4452 and process schtasks.exe; the pid column per row is:
4984, 3340, 4080, 2196, 3816, 672, 4288, 1240, 3972, 1664, 424, 1976, 4288, 3972, 5020, 3340, 2552, 424, 748, 4792, 3972, 2708, 1144, 4548, 5160, 5176, 5196, 5220, 5256, 5276
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/4440-72-0x00000000010D0000-0x00000000010FE000-memory.dmp / family_redline

Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe / dcrat
- C:\blockBrowserPerf\hyperfont.exe / dcrat
- behavioral1/memory/2656-105-0x0000000000C90000-0x0000000000EB6000-memory.dmp / dcrat
XMRig Miner payload 9 IoCs
Processes (resource / yara_rule):
All 9 rows match rule xmrig on the region 0x0000000140000000-0x0000000140848000 of PID 4340; the dumps are behavioral1/memory/4340-N-0x0000000140000000-0x0000000140848000-memory.dmp for N = 350, 356, 357, 355, 354, 353, 351, 359, 360.
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes (pid / process):
- 5240 / powershell.exe
- 3124 / powershell.exe
Creates new service(s) 2 TTPs

Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation / update.exe
- Key value queried / \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation / WScript.exe
- Key value queried / \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation / hyperfont.exe
- Key value queried / \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation / NurikCrack.exe
Executes dropped EXE 6 IoCs
Processes (pid / process):
- 4440 / Minecraft.exe
- 4980 / Lib.exe
- 5044 / update.exe
- 2656 / hyperfont.exe
- 5968 / services.exe
- 1348 / gmstcccpdzbb.exe

Processes (resource / yara_rule):
All 14 rows match rule upx on the region 0x0000000140000000-0x0000000140848000 of PID 4340; the dumps are behavioral1/memory/4340-N-0x0000000140000000-0x0000000140848000-memory.dmp for N = 345, 350, 347, 356, 357, 355, 354, 353, 351, 346, 349, 348, 359, 360.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
Processes (flow / ioc):
- 82 / raw.githubusercontent.com
- 48 / discord.com
- 71 / raw.githubusercontent.com
- 76 / raw.githubusercontent.com
- 79 / raw.githubusercontent.com
- 67 / raw.githubusercontent.com
- 45 / discord.com
- 72 / raw.githubusercontent.com
- 81 / raw.githubusercontent.com
- 68 / raw.githubusercontent.com
- 70 / raw.githubusercontent.com
- 73 / raw.githubusercontent.com
- 78 / raw.githubusercontent.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes (pid / process):
- 5620 / powercfg.exe
- 5632 / powercfg.exe
- 5648 / powercfg.exe
- 4260 / powercfg.exe
- 4552 / powercfg.exe
- 2252 / powercfg.exe
- 4296 / powercfg.exe
- 5608 / powercfg.exe
Drops file in System32 directory 4 IoCs
Processes (description / ioc / process):
- File opened for modification / C:\Windows\system32\MRT.exe / Lib.exe
- File created / C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive / powershell.exe
- File created / C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log / powershell.exe
- File opened for modification / C:\Windows\system32\MRT.exe / gmstcccpdzbb.exe
Suspicious use of SetThreadContext 2 IoCs
Processes (description / pid / process / target process):
- PID 1348 set thread context of 452 / 1348 / gmstcccpdzbb.exe / conhost.exe
- PID 1348 set thread context of 4340 / 1348 / gmstcccpdzbb.exe / conhost.exe
Drops file in Program Files directory 5 IoCs
Processes (description / ioc / process):
- File created / C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe / hyperfont.exe
- File created / C:\Program Files\Windows Sidebar\Shared Gadgets\61a52ddc9dd915 / hyperfont.exe
- File created / C:\Program Files\Java\jre-1.8\bin\server\backgroundTaskHost.exe / hyperfont.exe
- File opened for modification / C:\Program Files\Java\jre-1.8\bin\server\backgroundTaskHost.exe / hyperfont.exe
- File created / C:\Program Files\Java\jre-1.8\bin\server\eddb19405b7ce1 / hyperfont.exe

Drops file in Windows directory 2 IoCs
Processes (description / ioc / process):
- File created / C:\Windows\RemotePackages\msedge.exe / hyperfont.exe
- File created / C:\Windows\RemotePackages\61a52ddc9dd915 / hyperfont.exe
Launches sc.exe 14 IoCs
sc.exe is a Windows utility for controlling services on the system.
Processes (pid / process): sc.exe with PIDs 1820, 1900, 5588, 2120, 2212, 2616, 5760, 3008, 5484, 3424, 5564, 3600, 2324, 3076
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe 1 IoCs
Processes (pid / process):
- 5940 / timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer / msedge.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName / msedge.exe
- Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS / msedge.exe
Modifies data under HKEY_USERS 50 IoCs
Processes (description / ioc / process), grouped by process and operation:
- powershell.exe, Key created, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (24 keys): CA, CA\Certificates, CA\CRLs, CA\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, Root, Root\Certificates, Root\CRLs, Root\CTLs, SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
- powershell.exe, Key created, under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (16 keys): CA, CA\Certificates, CA\CRLs, CA\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
- powershell.exe, Key created (2 keys): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ and \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- powershell.exe, Set value (int), under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (4 values): AutoDetect = "0", IntranetName = "1", ProxyBypass = "1", UNCAsIntranet = "1"
- conhost.exe, Key created, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (4 keys): Root\Certificates, Root\CTLs, ROOT, Root\CRLs
Modifies registry class 3 IoCs
Processes (description / ioc / process):
- Key created / \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings / update.exe
- Key created / \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-200405930-3877336739-3533750831-1000\{82E9A447-2E8F-4D2D-BAD6-FC487735F43E} / msedge.exe
- Key created / \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings / hyperfont.exe

Modifies registry key 1 TTPs 1 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process): schtasks.exe with PIDs 4288, 3340, 5176, 5256, 1240, 2708, 5276, 748, 2552, 4080, 4288, 1976, 3972, 3816, 4548, 4984, 3972, 5196, 2196, 5020, 5220, 3972, 672, 1664, 424, 424, 4792, 1144, 5160, 3340
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process), consecutive identical rows collapsed with their count, in the order listed:
- 4340 / msedge.exe (x2)
- 4828 / msedge.exe (x2)
- 2656 / hyperfont.exe (x5)
- 1976 / msedge.exe (x2)
- 5968 / services.exe (x2)
- 4980 / Lib.exe (x1)
- 5240 / powershell.exe (x3)
- 4980 / Lib.exe (x14)
- 1348 / gmstcccpdzbb.exe (x1)
- 3124 / powershell.exe (x3)
- 1348 / gmstcccpdzbb.exe (x12)
- 4340 / conhost.exe (x17)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes (pid / process):
- 4828 / msedge.exe (x3)
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 2656 / hyperfont.exe
- Token: SeDebugPrivilege / 5968 / services.exe
- Token: SeDebugPrivilege / 5240 / powershell.exe
- Token: SeShutdownPrivilege / 5608 / powercfg.exe
- Token: SeCreatePagefilePrivilege / 5608 / powercfg.exe
- Token: SeShutdownPrivilege / 5648 / powercfg.exe
- Token: SeCreatePagefilePrivilege / 5648 / powercfg.exe
- Token: SeShutdownPrivilege / 5620 / powercfg.exe
- Token: SeCreatePagefilePrivilege / 5620 / powercfg.exe
- Token: SeShutdownPrivilege / 5632 / powercfg.exe
- Token: SeCreatePagefilePrivilege / 5632 / powercfg.exe
- Token: SeDebugPrivilege / 3124 / powershell.exe
- Token: SeShutdownPrivilege / 4260 / powercfg.exe
- Token: SeCreatePagefilePrivilege / 4260 / powercfg.exe
- Token: SeShutdownPrivilege / 4552 / powercfg.exe
- Token: SeCreatePagefilePrivilege / 4552 / powercfg.exe
- Token: SeShutdownPrivilege / 4296 / powercfg.exe
- Token: SeCreatePagefilePrivilege / 4296 / powercfg.exe
- Token: SeLockMemoryPrivilege / 4340 / conhost.exe
Suspicious use of FindShellTrayWindow 27 IoCs
Processes (pid / process):
- 1936 / NurikCrack.exe (x1)
- 4828 / msedge.exe (x26)

Suspicious use of SendNotifyMessage 24 IoCs
Processes (pid / process):
- 4828 / msedge.exe (x24)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process / target process), consecutive identical rows collapsed with their count, in the order listed:
- PID 1936 wrote to memory of 3880 / 1936 / NurikCrack.exe / cmd.exe (x3)
- PID 3880 wrote to memory of 4828 / 3880 / cmd.exe / msedge.exe (x2)
- PID 4828 wrote to memory of 3088 / 4828 / msedge.exe / msedge.exe (x2)
- PID 3880 wrote to memory of 4440 / 3880 / cmd.exe / Minecraft.exe (x3)
- PID 3880 wrote to memory of 4980 / 3880 / cmd.exe / Lib.exe (x2)
- PID 3880 wrote to memory of 5044 / 3880 / cmd.exe / update.exe (x3)
- PID 5044 wrote to memory of 4716 / 5044 / update.exe / WScript.exe (x3)
- PID 4828 wrote to memory of 660 / 4828 / msedge.exe / msedge.exe (x40)
- PID 4828 wrote to memory of 4340 / 4828 / msedge.exe / msedge.exe (x2)
- PID 4828 wrote to memory of 1940 / 4828 / msedge.exe / msedge.exe (x4)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
C:\Users\Admin\AppData\Local\Temp\NurikCrack.exe"C:\Users\Admin\AppData\Local\Temp\NurikCrack.exe"1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Expensive.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/fWqCvcakY73⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdf8546f8,0x7fffdf854708,0x7fffdf8547184⤵PID:3088
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,14607935967724134760,16339296770007003336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:24⤵PID:660
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,14607935967724134760,16339296770007003336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:4340 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,14607935967724134760,16339296770007003336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:84⤵PID:1940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,14607935967724134760,16339296770007003336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:14⤵PID:3444
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,14607935967724134760,16339296770007003336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:14⤵PID:4644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,14607935967724134760,16339296770007003336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:14⤵PID:4112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,14607935967724134760,16339296770007003336,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4056 /prefetch:84⤵PID:4332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,14607935967724134760,16339296770007003336,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3508 /prefetch:84⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1976 -
[depth 3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\Minecraft.exe (PID 4440)
    Minecraft.exe
    - Executes dropped EXE

[depth 3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib.exe (PID 4980)
    Lib.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[depth 4] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 5240)
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 4] C:\Windows\system32\cmd.exe (PID 5400)
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

[depth 5] C:\Windows\system32\wusa.exe (PID 5412)
    wusa /uninstall /kb:890830 /quiet /norestart

[depth 4] C:\Windows\system32\sc.exe (PID 3600)
    C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe

[depth 4] C:\Windows\system32\sc.exe (PID 3008)
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe

[depth 4] C:\Windows\system32\sc.exe (PID 5484)
    C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe

[depth 4] C:\Windows\system32\sc.exe (PID 3424)
    C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe

[depth 4] C:\Windows\system32\sc.exe (PID 5564)
    C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe

[depth 4] C:\Windows\system32\powercfg.exe (PID 5608)
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

[depth 4] C:\Windows\system32\powercfg.exe (PID 5620)
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

[depth 4] C:\Windows\system32\powercfg.exe (PID 5632)
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

[depth 4] C:\Windows\system32\powercfg.exe (PID 5648)
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

[depth 4] C:\Windows\system32\sc.exe (PID 5588)
    C:\Windows\system32\sc.exe delete "XLZQHCLS"
    - Launches sc.exe

[depth 4] C:\Windows\system32\sc.exe (PID 2324)
    C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
    - Launches sc.exe

[depth 4] C:\Windows\system32\sc.exe (PID 2120)
    C:\Windows\system32\sc.exe stop eventlog
    - Launches sc.exe

[depth 4] C:\Windows\system32\sc.exe (PID 3076)
    C:\Windows\system32\sc.exe start "XLZQHCLS"
    - Launches sc.exe

[depth 3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe (PID 5044)
    update.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\WScript.exe (PID 4716)
    "C:\Windows\System32\WScript.exe" "C:\blockBrowserPerf\6DWknRX7zda6IaA3y.vbe"
    - Checks computer location settings

[depth 5] C:\Windows\SysWOW64\cmd.exe (PID 4056)
    C:\Windows\system32\cmd.exe /c ""C:\blockBrowserPerf\NoM3GP4vCmmtcbr8rD5Wo9I42Fr.bat" "

[depth 6] C:\blockBrowserPerf\hyperfont.exe (PID 2656)
    "C:\blockBrowserPerf\hyperfont.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Windows\System32\cmd.exe (PID 5340)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TNAYXJwdkj.bat"

[depth 8] C:\Windows\system32\w32tm.exe (PID 5684)
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 8] C:\blockBrowserPerf\services.exe (PID 5968)
    "C:\blockBrowserPerf\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 6] C:\Windows\SysWOW64\reg.exe (PID 5524)
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Modifies registry key

[depth 3] C:\Windows\SysWOW64\timeout.exe (PID 5940)
    timeout 5 /nobreak
    - Delays execution with timeout.exe
[depth 1] C:\Windows\System32\CompPkgSrv.exe (PID 2972)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[depth 1] C:\Windows\System32\CompPkgSrv.exe (PID 1016)
    C:\Windows\System32\CompPkgSrv.exe -Embedding
[depth 1] C:\Windows\system32\schtasks.exe (PID 4984)
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\bin\server\backgroundTaskHost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3340)
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\server\backgroundTaskHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 4080)
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\bin\server\backgroundTaskHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2196)
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\blockBrowserPerf\services.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3816)
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\blockBrowserPerf\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 672)
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\blockBrowserPerf\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 4288)
    schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1240)
    schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3972)
    schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1664)
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 424)
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1976)
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 4288)
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\blockBrowserPerf\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3972)
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blockBrowserPerf\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 5020)
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\blockBrowserPerf\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3340)
    schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Users\Default\TrustedInstaller.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2552)
    schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default\TrustedInstaller.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 424)
    schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\Default\TrustedInstaller.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 748)
    schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\msedge.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 4792)
    schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\RemotePackages\msedge.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3972)
    schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\msedge.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2708)
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\_71A7E9C2-5189-42F5-A478-BE0C8DD09DC3\wininit.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1144)
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Temp\_71A7E9C2-5189-42F5-A478-BE0C8DD09DC3\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 4548)
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\_71A7E9C2-5189-42F5-A478-BE0C8DD09DC3\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 5160)
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\blockBrowserPerf\smss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 5176)
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\blockBrowserPerf\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 5196)
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\blockBrowserPerf\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 5220)
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\lsass.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 5256)
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 5276)
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[depth 1] C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe (PID 1348)
    C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses

[depth 2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 3124)
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\system32\cmd.exe (PID 5780)
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

[depth 3] C:\Windows\system32\wusa.exe (PID 2424)
    wusa /uninstall /kb:890830 /quiet /norestart

[depth 2] C:\Windows\system32\sc.exe (PID 5760)
    C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe

[depth 2] C:\Windows\system32\sc.exe (PID 2212)
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe

[depth 2] C:\Windows\system32\sc.exe (PID 2616)
    C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe

[depth 2] C:\Windows\system32\sc.exe (PID 1900)
    C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe

[depth 2] C:\Windows\system32\sc.exe (PID 1820)
    C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe

[depth 2] C:\Windows\system32\powercfg.exe (PID 4260)
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\system32\powercfg.exe (PID 4552)
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\system32\powercfg.exe (PID 2252)
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    - Power Settings

[depth 2] C:\Windows\system32\powercfg.exe (PID 4296)
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\system32\conhost.exe (PID 452)
    C:\Windows\system32\conhost.exe

[depth 2] C:\Windows\system32\conhost.exe (PID 4340)
    conhost.exe
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (2): Service Execution (2)

Persistence
- Create or Modify System Process (2): Windows Service (2)
- Power Settings (1)
- Scheduled Task/Job (1): Scheduled Task (1)