Analysis

max time kernel: 1050s
max time network: 725s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 19:12

Static task: static1
Behavioral task: behavioral1
  Sample: FunCheker.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: FunCheker.exe
  Resource: win10v2004-20240709-en

The signatures and process tree on this page come from behavioral1 (the Windows 7 x64 run); the memory-dump references below name that task explicitly.

General

Target: FunCheker.exe
Size: 1.9MB
MD5: a69f81ab8922f56e786c95000e4ea238
SHA1: eec04e5776a155f4445260b46f8fa3b139ccedef
SHA256: c36b87352873121329f10440ce883510be4c7d829d6afe7ee28664b79cddfd8d
SHA512: de9a791be937925f0ab9d665e6282237f78b4b14f11e539bbcb9dd1ee95b0421a00ab841adb97ed3f41d3d92d94a569728edb486940afb690114bf825a42aeab
SSDEEP: 49152:mIduhWrW/Si9FPOcS/up3M4vsEVXxQ4mxS5WDK:BuMr6zxSmp8Bi6I
Malware Config
Signatures

DcRat (28 IoCs)
DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
Processes:
  schtasks.exe, 27 instances, PIDs: 1380, 1544, 1660, 924, 1832, 1552, 236, 2044, 2132, 2188, 1328, 1200, 1032, 320, 2940, 904, 632, 3024, 1508, 2060, 1676, 1332, 2420, 1804, 2384, 2012, 2956
  reg.exe: Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
Modifies Windows Defender Real-time Protection settings (10 IoCs)
Processes: reg.exe (5 instances)
  Key created: \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (5 times, once per reg.exe instance)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
These are written under the Policies hive, not under Defender's own settings key, so Defender treats them as administrator policy: the corresponding toggles are greyed out in the UI and a user cannot simply switch real-time protection back on. Remediation means deleting the policy values, not flipping the switch.
Modifies security service (2 TTPs, 1 IoC)
Processes: reg.exe
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
Start type 4 is SERVICE_DISABLED: the running Defender service is not stopped by this write, but it will not start again after the next reboot.
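The registry writes above (five Real-Time Protection policy values set to 1 and the WinDefend start type set to 4) are the tamper pattern a detection rule should key on. The following is an added example, not part of the sandbox report and not DcRat code: it classifies registry value-set events whose field names (ProcessId, Image, TargetObject, Details) are assumed to follow Sysmon Event ID 13, accepts both the report's \REGISTRY\MACHINE spelling and Sysmon's HKLM spelling, and maps hits to ATT&CK T1562.001. The sample events are constructed to mirror the IoCs on this page; the PIDs are illustrative.

```python
"""Classify registry value-set events for the Defender tamper pattern in this report.

Added example: not part of the sandbox report and not DcRat code. Field names
(ProcessId, Image, TargetObject, Details) are assumed to follow Sysmon Event ID 13.
"""
import re
from typing import Optional, Tuple

# Real-Time Protection policy values that switch a protection off when set to 1.
# All five are set to 1 by reg.exe in this report.
RTP_KILL_SWITCHES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
# Matches the tail of the path, so "\REGISTRY\MACHINE\..." and "HKLM\..." both work.
RTP_VALUE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\([^\\]+)$", re.IGNORECASE
)
# Service start type 4 is SERVICE_DISABLED; the report sets it on WinDefend.
WINDEFEND_START = re.compile(
    r"\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\services\\WinDefend\\Start$", re.IGNORECASE
)


def parse_dword(details: str) -> Optional[int]:
    """Accept Sysmon's 'DWORD (0x00000001)' as well as the report's bare '"1"'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    digits = details.strip().strip('"')
    return int(digits) if digits.isdigit() else None


def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (finding, ATT&CK technique) for one value-set event, or None."""
    target, value = event["TargetObject"], parse_dword(event["Details"])
    m = RTP_VALUE.search(target)
    if m and m.group(1) in RTP_KILL_SWITCHES and value == 1:
        return (f"defender_rtp_off:{m.group(1)}", "T1562.001")
    if WINDEFEND_START.search(target) and value == 4:
        return ("windefend_service_disabled", "T1562.001")
    return None


def scan(events):
    """(pid, image, finding, technique) for every event that matches a rule."""
    hits = []
    for e in events:
        hit = classify(e)
        if hit:
            hits.append((e["ProcessId"], e["Image"], hit[0], hit[1]))
    return hits


# Constructed sample telemetry modelled on the report's IoCs; PIDs are illustrative.
RTP_PATH = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"


def _set(pid, target, details):
    return {"ProcessId": pid, "Image": r"C:\Windows\SysWOW64\reg.exe",
            "TargetObject": target, "Details": details}


SAMPLE_EVENTS = [
    _set(1036, RTP_PATH + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    _set(2908, RTP_PATH + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _set(2688, RTP_PATH + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    _set(2312, RTP_PATH + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    _set(2984, RTP_PATH + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    # Spelled the way the report prints it, with the bare value the report shows.
    _set(2552, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start", '"4"'),
    # Look-alikes that must not fire: an admin turning real-time protection back on,
    # WinDefend set back to automatic start, and a value name outside this rule.
    _set(3300, RTP_PATH + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    _set(3301, r"HKLM\SYSTEM\CurrentControlSet\services\WinDefend\Start", "DWORD (0x00000002)"),
    _set(3302, RTP_PATH + r"\LocalSettingOverrideDisableRealtimeMonitoring", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The rule deliberately requires the value to be 1 (or 4 for the service), so an administrator re-enabling protection does not trip it; if you feed it Sysmon directly, forward Event ID 13 for the two key prefixes above rather than the whole hive.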
Process spawned unexpected child process (27 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, the WMI provider host; a process created through WMI (Win32_Process.Create) gets WmiPrvSE.exe as its parent, so the 27 schtasks.exe children are consistent with the RAT creating processes over WMI rather than with an exploited wmiprvse.exe.
Processes:
  Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2032) is not expected to spawn schtasks.exe; child PIDs: 1508, 2060, 1676, 1328, 1832, 320, 2940, 904, 1332, 632, 1380, 2420, 1804, 1552, 1200, 236, 1544, 2012, 1660, 1032, 924, 2188, 2044, 2384, 2132, 3024, 2956
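Two of the lineage facts on this page are detectable on their own: WmiPrvSE.exe as the parent of schtasks.exe, and the repeating cmd.exe /C random.bat, then w32tm /stripchart, then System.exe cycle in the process tree further down, where w32tm against localhost serves as a few-second timer before each relaunch. The following is an added example, not the sandbox's own detection logic and not DcRat code, that runs three rules over constructed process-creation records. The field names (ProcessGuid, ParentProcessGuid, ProcessId, Image, ParentImage, CommandLine) are an assumption modelled on Sysmon Event ID 1; the schtasks command lines are not shown in the report and are left bare; the tree is abbreviated to three relaunch cycles. Because the report reuses PIDs, ancestry is walked by GUID.

```python
"""Lineage rules for the process tree in this report, over constructed events.

Added example: not the sandbox's own logic and not DcRat code. Field names
(ProcessGuid, ParentProcessGuid, ProcessId, Image, ParentImage, CommandLine) are
assumed to follow Sysmon Event ID 1. PIDs are reused within the report, so
ancestry is walked by GUID, never by PID.
"""
import ntpath

WMI_HOST = "wmiprvse.exe"
# Children WmiPrvSE.exe only has when someone called Win32_Process.Create:
# always worth a look, and in this report every one of them is schtasks.exe.
WMI_UNEXPECTED_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "reg.exe"}


def base(path):
    return ntpath.basename(path.strip('"')).lower()


def rule_wmi_spawned_child(ev):
    return base(ev["ParentImage"]) == WMI_HOST and base(ev["Image"]) in WMI_UNEXPECTED_CHILDREN


def rule_w32tm_timer(ev):
    # w32tm /stripchart against localhost performs no time sync; with a short
    # period and sample count it is just a sleep that does not look like Sleep().
    cl = ev["CommandLine"].lower()
    return base(ev["Image"]) == "w32tm.exe" and "/stripchart" in cl and "/computer:localhost" in cl


def lineage(ev, by_guid):
    """Image basenames from this process back to the root (child first)."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        chain.append(base(cur["Image"]))
        cur = by_guid.get(cur["ParentProcessGuid"])
    return chain


def rule_self_relaunch_loop(ev, by_guid, threshold=3):
    """The process's own image already appears `threshold` times in its ancestry
    (System.exe -> cmd.exe -> System.exe -> ... in this report)."""
    chain = lineage(ev, by_guid)
    return chain.count(chain[0]) >= threshold


def evaluate(events):
    """List of (pid, rule_name) over all events."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if rule_wmi_spawned_child(e):
            findings.append((e["ProcessId"], "wmi_spawned_child"))
        if rule_w32tm_timer(e):
            findings.append((e["ProcessId"], "w32tm_stripchart_timer"))
        if rule_self_relaunch_loop(e, by_guid):
            findings.append((e["ProcessId"], "self_relaunch_loop"))
    return findings


# Constructed telemetry, abbreviated: Micrasoft.exe, WScript and the first cmd.exe
# are omitted and only three relaunch cycles are modelled.
EVENTS = []
_n = iter(range(1, 10000))


def _ev(parent, pid, image, cmdline=None):
    ev = {
        "ProcessGuid": f"{{G-{next(_n):04d}}}",  # stand-in for Sysmon's GUID
        "ParentProcessGuid": parent["ProcessGuid"] if parent else None,
        "ProcessId": pid,
        "ParentProcessId": parent["ProcessId"] if parent else 0,
        "Image": image,
        "ParentImage": parent["Image"] if parent else "",
        "CommandLine": cmdline if cmdline else f'"{image}"',
    }
    EVENTS.append(ev)
    return ev


funcheker = _ev(None, 2444, r"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe")
launcher = _ev(funcheker, 1808, r"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe")
wmi = _ev(None, 2032, r"C:\Windows\system32\wbem\wmiprvse.exe")
for pid in (1508, 2060, 1676):  # the report shows no schtasks arguments
    _ev(wmi, pid, r"C:\Windows\system32\schtasks.exe", "schtasks.exe")
for bat, cmd_pid, w32_pid, sys_pid in (("CbarT2SBYT.bat", 2472, 2116, 2448),
                                       ("syYKg8QxNI.bat", 2784, 1956, 2444),
                                       ("SaOkt9ru2m.bat", 2700, 2744, 2580)):
    cmd = _ev(launcher, cmd_pid, r"C:\Windows\System32\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C "C:\\Users\\Admin\\AppData\\Local\\Temp\\{bat}"')
    _ev(cmd, w32_pid, r"C:\Windows\system32\w32tm.exe",
        "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2")
    launcher = _ev(cmd, sys_pid, r"C:\Users\Default User\System.exe")

if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

The loop rule fires on the third System.exe and on the cmd.exe that launched it, which is the point at which the pattern is unambiguous; on the full tree from this report it would keep firing at every level down to depth 47.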
DcRat payload detected by yara rule "dcrat" (64 IoCs)
Files matching:
  C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
  \Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
behavioral1 memory regions matching (pid-sequence-base-end); every region is 0x224000 bytes, i.e. the same mapped image in each of the relaunched System.exe processes:
  1808-49-0x0000000000A40000-0x0000000000C64000, 2448-78-0x0000000000F70000-0x0000000001194000, 2580-92-0x00000000011E0000-0x0000000001404000, 1716-117-0x00000000012B0000-0x00000000014D4000,
  1608-125-0x0000000000370000-0x0000000000594000, 2232-133-0x0000000000950000-0x0000000000B74000, 2008-140-0x0000000000EB0000-0x00000000010D4000, 2552-153-0x00000000011C0000-0x00000000013E4000,
  2180-179-0x0000000000360000-0x0000000000584000, 3052-186-0x0000000000160000-0x0000000000384000, 880-193-0x0000000000AF0000-0x0000000000D14000, 852-200-0x0000000000200000-0x0000000000424000,
  2140-207-0x0000000000220000-0x0000000000444000, 2376-214-0x0000000000C20000-0x0000000000E44000, 2396-227-0x0000000001130000-0x0000000001354000, 964-255-0x00000000002F0000-0x0000000000514000,
  1040-260-0x00000000001E0000-0x0000000000404000, 1584-265-0x0000000000E50000-0x0000000001074000, 1792-270-0x0000000000390000-0x00000000005B4000, 2332-275-0x0000000000130000-0x0000000000354000,
  592-281-0x00000000000C0000-0x00000000002E4000, 1536-287-0x0000000000860000-0x0000000000A84000, 2688-293-0x0000000001210000-0x0000000001434000, 1584-323-0x00000000012A0000-0x00000000014C4000,
  3056-328-0x0000000000210000-0x0000000000434000, 2352-333-0x0000000000840000-0x0000000000A64000, 592-338-0x00000000013A0000-0x00000000015C4000, 2776-343-0x00000000003B0000-0x00000000005D4000,
  2984-349-0x00000000003F0000-0x0000000000614000, 2300-354-0x0000000000ED0000-0x00000000010F4000, 1176-363-0x00000000003C0000-0x00000000005E4000, 2308-368-0x0000000000FA0000-0x00000000011C4000,
  1160-373-0x00000000002E0000-0x0000000000504000, 1780-378-0x0000000000330000-0x0000000000554000, 3032-387-0x0000000000240000-0x0000000000464000, 888-393-0x00000000012D0000-0x00000000014F4000,
  560-421-0x0000000000270000-0x0000000000494000, 3060-430-0x0000000000D90000-0x0000000000FB4000, 852-435-0x00000000011D0000-0x00000000013F4000, 1824-444-0x0000000000F00000-0x0000000001124000,
  2376-449-0x00000000012F0000-0x0000000001514000, 2636-455-0x0000000001220000-0x0000000001444000, 2628-465-0x0000000000120000-0x0000000000344000, 2112-483-0x00000000001C0000-0x00000000003E4000,
  1156-496-0x00000000000D0000-0x00000000002F4000, 2948-505-0x0000000000080000-0x00000000002A4000, 2780-514-0x0000000000D50000-0x0000000000F74000, 1688-528-0x00000000013D0000-0x00000000015F4000,
  2424-533-0x0000000000DA0000-0x0000000000FC4000, 1820-546-0x0000000001080000-0x00000000012A4000, 1372-551-0x00000000002B0000-0x00000000004D4000, 472-556-0x00000000010E0000-0x0000000001304000,
  3064-557-0x0000000000CF0000-0x0000000000F14000, 2460-562-0x0000000000FB0000-0x00000000011D4000, 2624-572-0x0000000000180000-0x00000000003A4000, 2816-578-0x0000000000970000-0x0000000000B94000,
  1676-587-0x00000000001D0000-0x00000000003F4000, 2100-601-0x0000000000300000-0x0000000000524000, 2144-606-0x0000000000A00000-0x0000000000C24000, 2080-607-0x00000000010F0000-0x0000000001314000,
  2396-621-0x0000000000020000-0x0000000000244000, 1572-630-0x00000000011A0000-0x00000000013C4000
Executes dropped EXE (64 IoCs)
Processes:
  Micrasoft.exe PID 2300
  comcommon.exe PID 1808
  System.exe, 62 instances in launch order, PIDs: 2448, 2444, 2580, 2716, 1884, 2320, 1716, 1608, 2232, 2008, 2656, 2552, 2284, 2724, 560, 2180, 3052, 880, 852, 2140, 2376, 816, 2396, 612, 2840, 2852, 2108, 964, 1040, 1584, 1792, 2332, 592, 1536, 2688, 1668, 2824, 1784, 2928, 2260, 2088, 1584, 3056, 2352, 592, 2776, 2984, 2300, 2032, 1176, 2308, 1160, 1780, 276, 3032, 888, 2364, 2704, 2768, 2816, 2504, 560
Note the PID reuse: 1584, 592 and 560 each appear twice as System.exe, 2444 is both the original FunCheker.exe and a later System.exe, 2300 is both Micrasoft.exe and a System.exe, and 2032 is both wmiprvse.exe and a System.exe. Over a 1050 s run Windows recycles PIDs freely, so correlate these events on process start time or a process GUID, not on PID alone. Several signatures on this page report exactly 64 IoCs, which reads as a display cap rather than a true count.
Loads dropped DLL (2 IoCs)
Processes: cmd.exe PID 3016 (2 loads)
Drops file in Program Files directory (2 IoCs)
Processes: comcommon.exe
  File created: C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
  File created: C:\Program Files (x86)\Windows Defender\es-ES\ebf1f9fa8afd6d
Drops file in Windows directory (4 IoCs)
Processes: comcommon.exe
  File created: C:\Windows\Help\csrss.exe
  File created: C:\Windows\Help\886983d96e3d3e
  File created: C:\Windows\L2Schemas\csrss.exe
  File created: C:\Windows\L2Schemas\886983d96e3d3e
The real csrss.exe lives only in C:\Windows\System32; copies under C:\Windows\Help and C:\Windows\L2Schemas, like the cmd.exe dropped into the Windows Defender es-ES folder above, are masquerading by file name. Each dropped executable is accompanied by an extension-less file with a 14-hex-character name, which is a usable hunting pairing for this sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 27 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, 27 instances, PIDs: 320, 632, 2420, 1544, 236, 1676, 1832, 1804, 1660, 2044, 904, 2012, 2188, 3024, 1508, 2940, 2060, 1380, 1552, 1328, 1332, 924, 1200, 1032, 2384, 2132, 2956
The report does not show the schtasks command lines or the resulting task names; the dropped-file paths above (C:\Users\Default User\System.exe, the two csrss.exe copies and the Windows Defender\es-ES\cmd.exe) are the targets to look for in the task actions.
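The dropped files above (csrss.exe in C:\Windows\Help and C:\Windows\L2Schemas, cmd.exe under the Windows Defender es-ES folder, System.exe under C:\Users\Default User, each paired with an extension-less hex-named file) and the 27 schtasks invocations, whose task names the report does not show, come down to one hunt: executables that sit where no Windows binary of that name belongs. This added example, not from the report and not DcRat code, applies that check to constructed file-create records modelled on the IoCs above and to a constructed fragment in the layout of `schtasks /query /fo CSV /v`. The column names TaskName and Task To Run are real schtasks output headers; the task names \csrss, \System and \comcommon are invented for the illustration, and the field names of the file records follow Sysmon Event ID 11 as an assumption.

```python
r"""Path checks for the drops and the scheduled-task persistence in this report.

Added example: not from the report and not DcRat code. The file-create records are
constructed to mirror the IoCs above (field names follow Sysmon Event ID 11); the
CSV is a constructed fragment in the layout of `schtasks /query /fo CSV /v`, and the
task names \csrss, \System and \comcommon are invented for the illustration.
"""
import csv
import io
import ntpath
import re

# Directories where a Windows binary of this name legitimately lives. Anything
# else is masquerading (ATT&CK T1036.005). System.exe is not a Windows binary
# at all, so no location is acceptable for it.
EXPECTED_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "system.exe": set(),
}
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.IGNORECASE)
# The report pairs every dropped executable with an extension-less 14-hex-char file.
MARKER_NAME = re.compile(r"^[0-9a-f]{12,16}$")


def norm(path):
    return path.strip().strip('"').lower()


def masquerade(path):
    directory, name = ntpath.split(norm(path))
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]


def flag_drops(file_events):
    """Original paths of dropped files that imitate a Windows binary in the wrong place."""
    return [e["TargetFilename"] for e in file_events if masquerade(e["TargetFilename"])]


def marker_pairs(file_events):
    """(pid, directory, exe, marker): one process dropped an .exe and a hex-named
    companion file into the same directory."""
    by_dir = {}
    for e in file_events:
        directory, name = ntpath.split(norm(e["TargetFilename"]))
        by_dir.setdefault((e["ProcessId"], directory), []).append(name)
    pairs = []
    for (pid, directory), names in by_dir.items():
        exes = [n for n in names if n.endswith(".exe")]
        markers = [n for n in names if MARKER_NAME.match(n)]
        if exes and markers:
            pairs.append((pid, directory, exes[0], markers[0]))
    return pairs


def suspicious_task_targets(csv_text):
    """(TaskName, executable) for tasks whose action runs from a user-writable
    location or from a masquerading path."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["Task To Run"].strip()
        m = re.match(r'"?([^"]*?\.exe)', action, re.IGNORECASE)  # drop the arguments
        target = m.group(1) if m else action
        if masquerade(target) or USER_WRITABLE.match(norm(target)):
            out.append((row["TaskName"], target))
    return out


# Constructed records modelled on the "File created" IoCs above, plus one benign write.
def _fc(pid, image, path):
    return {"ProcessId": pid, "Image": image, "TargetFilename": path}


_CC = r"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"
FILE_EVENTS = [
    _fc(1808, _CC, r"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"),
    _fc(1808, _CC, r"C:\Program Files (x86)\Windows Defender\es-ES\ebf1f9fa8afd6d"),
    _fc(1808, _CC, r"C:\Windows\Help\csrss.exe"),
    _fc(1808, _CC, r"C:\Windows\Help\886983d96e3d3e"),
    _fc(1808, _CC, r"C:\Windows\L2Schemas\csrss.exe"),
    _fc(1808, _CC, r"C:\Windows\L2Schemas\886983d96e3d3e"),
    _fc(1400, r"C:\Windows\System32\notepad.exe", r"C:\Users\Admin\Documents\notes.txt"),
]

# Constructed; only four of the many columns schtasks emits, first row is a stock task.
TASK_CSV = r'''"HostName","TaskName","Task To Run","Start In"
"WIN7-PC","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","N/A"
"WIN7-PC","\csrss","C:\Windows\Help\csrss.exe","N/A"
"WIN7-PC","\System","""C:\Users\Default User\System.exe""","N/A"
"WIN7-PC","\comcommon","C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe","N/A"
'''

if __name__ == "__main__":
    print(flag_drops(FILE_EVENTS))
    print(marker_pairs(FILE_EVENTS))
    print(suspicious_task_targets(TASK_CSV))
```

On a live host, feed `suspicious_task_targets` the output of `schtasks /query /fo CSV /v`; the stock Defrag task shows why the check is on directory rather than on name alone, since a legitimate action path with arguments must pass.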
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  comcommon.exe PID 1808
  System.exe, 63 instances, PIDs: 2448, 2444, 2580, 2716, 1884, 2320, 1716, 1608, 2232, 2008, 2656, 2552, 2284, 2724, 560, 2180, 3052, 880, 852, 2140, 2376, 816, 2396, 612, 2840, 2852, 2108, 964, 1040, 1584, 1792, 2332, 592, 1536, 2688, 1668, 2824, 1784, 2928, 2260, 2088, 1584, 3056, 2352, 592, 2776, 2984, 2300, 2032, 1176, 2308, 1160, 1780, 276, 3032, 888, 2364, 2704, 2768, 2816, 2504, 560, 340
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (each enabled SeDebugPrivilege on its own token):
  comcommon.exe PID 1808
  System.exe, 63 instances, PIDs: 2448, 2444, 2580, 2716, 1884, 2320, 1716, 1608, 2232, 2008, 2656, 2552, 2284, 2724, 560, 2180, 3052, 880, 852, 2140, 2376, 816, 2396, 612, 2840, 2852, 2108, 964, 1040, 1584, 1792, 2332, 592, 1536, 2688, 1668, 2824, 1784, 2928, 2260, 2088, 1584, 3056, 2352, 592, 2776, 2984, 2300, 2032, 1176, 2308, 1160, 1780, 276, 3032, 888, 2364, 2704, 2768, 2816, 2504, 560, 340
SeDebugPrivilege is only present on an elevated token (the sandbox runs the sample as Admin). Enabling it is the usual prerequisite for opening other processes with full access, which lines up with the EnumeratesProcesses signature on the same PIDs.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: FunCheker.exe (PID 2444), cmd.exe (PID 1256), cmd.exe (PID 2736)
  PID 2444 FunCheker.exe wrote to memory of: 2300 Micrasoft.exe (4 writes), 2604 cmd.exe (3), 1256 cmd.exe (3), 2736 cmd.exe (3)
  PID 1256 cmd.exe wrote to memory of: 2776 chcp.com (3)
  PID 2736 cmd.exe wrote to memory of reg.exe PIDs 1036, 2908, 2688, 2312, 2984, 2552, 2692, 2460, 2640, 2580, 2528, 2568, 2596, 2648, 2988 (3 writes each) and of 2576 schtasks.exe (3)
A parent writing into a child it has just created is what CreateProcess does, so the writes themselves are not the signal; the signal is the fan-out: one cmd.exe launching fifteen reg.exe instances followed by a schtasks.exe, which is consistent with a batch file running a series of reg add commands (the Defender policy values above) and then registering a task.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree from behavioral1. Depth is the nesting level; each entry gives the image path, the command line as recorded, and the signatures that fired for that process. The script host at depth 3 and the cmd.exe at depth 4 run from C:\Windows\SysWOW64 although their command lines name C:\Windows\System32: their 32-bit parent is subject to WOW64 file-system redirection.

depth 1: C:\Users\Admin\AppData\Local\Temp\FunCheker.exe (PID 2444)
  command line: "C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"
  - Suspicious use of WriteProcessMemory
depth 2: C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe (PID 2300)
  command line: "C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"
  - Executes dropped EXE
depth 3: C:\Windows\SysWOW64\WScript.exe (PID 1892)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"
depth 4: C:\Windows\SysWOW64\cmd.exe (PID 3016)
  command line: cmd /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "
  - Loads dropped DLL
depth 5: C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe (PID 1808)
  command line: "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 6: C:\Windows\System32\cmd.exe (PID 2472)
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CbarT2SBYT.bat"
depth 7: C:\Windows\system32\w32tm.exe (PID 2116)
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
depth 7: C:\Users\Default User\System.exe (PID 2448)
  command line: "C:\Users\Default User\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

From here the tree repeats one cycle: each System.exe runs cmd.exe /C on a freshly written random-named .bat in %TEMP%, the batch runs w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (a living-off-the-land delay of a few seconds; /stripchart only displays the offset and sets nothing) and then starts C:\Users\Default User\System.exe again. Every cmd.exe below is C:\Windows\System32\cmd.exe with the command line "C:\Windows\System32\cmd.exe" /C "<batch>", every w32tm.exe below is C:\Windows\system32\w32tm.exe with exactly the command line shown at depth 7, and every System.exe below has the command line "C:\Users\Default User\System.exe" and the same three signatures as the one at depth 7 (Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken).

depth 8: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat" (PID 2784)
depth 9: w32tm.exe (PID 1956); System.exe (PID 2444)
depth 10: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat" (PID 2700)
depth 11: w32tm.exe (PID 2744); System.exe (PID 2580)
depth 12: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat" (PID 3020)
depth 13: w32tm.exe (PID 2844); System.exe (PID 2716)
depth 14: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat" (PID 1652)
depth 15: w32tm.exe (PID 2160); System.exe (PID 1884)
depth 16: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat" (PID 1684)
depth 17: w32tm.exe (PID 2492); System.exe (PID 2320)
depth 18: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat" (PID 340)
depth 19: w32tm.exe (PID 1176); System.exe (PID 1716)
depth 20: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat" (PID 632)
depth 21: w32tm.exe (PID 2316); System.exe (PID 1608)
depth 22: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat" (PID 1792)
depth 23: w32tm.exe (PID 1992); System.exe (PID 2232)
depth 24: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat" (PID 2956)
depth 25: w32tm.exe (PID 2384); System.exe (PID 2008)
depth 26: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat" (PID 2144)
depth 27: w32tm.exe (PID 2720); System.exe (PID 2656)
depth 28: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat" (PID 1088)
depth 29: w32tm.exe (PID 1396); System.exe (PID 2552)
depth 30: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat" (PID 2052)
depth 31: w32tm.exe (PID 2600); System.exe (PID 2284)
depth 32: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat" (PID 1976)
depth 33: w32tm.exe (PID 2812); System.exe (PID 2724)
depth 34: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat" (PID 1096)
depth 35: w32tm.exe (PID 984); System.exe (PID 560)
depth 36: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat" (PID 1632)
depth 37: w32tm.exe (PID 1116); System.exe (PID 2180)
depth 38: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat" (PID 2424)
depth 39: w32tm.exe (PID 572); System.exe (PID 3052)
depth 40: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat" (PID 2148)
depth 41: w32tm.exe (PID 632); System.exe (PID 880)
depth 42: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat" (PID 2940)
depth 43: w32tm.exe (PID 2972); System.exe (PID 852)
depth 44: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat" (PID 2012)
depth 45: w32tm.exe (PID 1828); System.exe (PID 2140)
depth 46: cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat" (PID 2800)
depth 47: w32tm.exe (PID 3032); System.exe (entry cut off here; the page ends before its PID)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"48⤵PID:1220
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:249⤵PID:2304
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"50⤵PID:2792
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:251⤵PID:2168
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"52⤵PID:2552
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:253⤵PID:2524
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"54⤵PID:2284
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:255⤵PID:1976
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"56⤵PID:2884
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:257⤵PID:2512
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"58⤵PID:780
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:259⤵PID:2340
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"60⤵PID:1508
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:261⤵PID:1812
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"62⤵PID:272
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:263⤵PID:1380
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"64⤵PID:2960
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:265⤵PID:1780
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"65⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"66⤵PID:3016
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:267⤵PID:2436
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"67⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"68⤵PID:2384
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:269⤵PID:3056
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"69⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"70⤵PID:1544
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:271⤵PID:1788
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"71⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"72⤵PID:2360
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:273⤵PID:2676
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"73⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"74⤵PID:2560
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:275⤵PID:2664
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"75⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"76⤵PID:2552
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:277⤵PID:988
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"77⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"78⤵PID:3004
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:279⤵PID:2816
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"79⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"80⤵PID:2228
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:281⤵PID:2504
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"81⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"82⤵PID:1152
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:283⤵PID:1852
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"83⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"84⤵PID:1320
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:285⤵PID:3048
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"85⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"86⤵PID:1596
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:287⤵PID:3068
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"87⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"88⤵PID:1868
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:289⤵PID:2536
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"89⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"90⤵PID:2068
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:291⤵PID:2072
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"91⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"92⤵PID:2956
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:293⤵PID:472
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"93⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"94⤵PID:1100
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:295⤵PID:1220
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"95⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"96⤵PID:2912
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:297⤵PID:2784
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"97⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"98⤵PID:2600
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:299⤵PID:2756
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"99⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"100⤵PID:2156
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2101⤵PID:2596
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"101⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"102⤵PID:2584
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2103⤵PID:2716
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"103⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat"104⤵PID:1164
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2105⤵PID:1620
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"105⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"106⤵PID:2192
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2107⤵PID:1324
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"107⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"108⤵PID:964
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2109⤵PID:3052
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"109⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"110⤵PID:2428
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2111⤵PID:1328
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"111⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"112⤵PID:1808
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2113⤵PID:1972
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"113⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"114⤵PID:3024
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2115⤵PID:2384
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"115⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"116⤵PID:2392
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2117⤵PID:2008
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"117⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"118⤵PID:2896
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2119⤵PID:2288
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"119⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"120⤵PID:2788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2121⤵PID:2744
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"121⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"122⤵PID:2632