Analysis Overview
SHA256
12137b32413d31781f51a13c09bd541efe0f27f270108d247099434df1d3b37f
Threat Level: Known bad
The file 93ADC545175ABEC10A0925CCE209DB34.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Modifies WinLogon for persistence
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Runs ping.exe
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:36
Reported
2024-10-27 21:38
Platform
win7-20240903-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\", \"C:\\Windows\\System32\\it\\csrss.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\", \"C:\\Windows\\System32\\it\\csrss.exe\", \"C:\\MsContainerwinHost\\lsass.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\it\\csrss.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\it\\csrss.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MsContainerwinHost\\lsass.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MsContainerwinHost\\lsass.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\System32\CSCE36A15B8482D4EC8BA86DD65FA3CAB32.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\byyuy-.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | C:\Windows\System32\it\csrss.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File created | C:\Windows\System32\it\886983d96e3d3e | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\0a1fd5f707cd16 | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\6cb0b6c459d5d3 | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe
"C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MsContainerwinHost\XbzxyZcOnpQflcdDpiS9CmpLat40p7m47ZcP1aBzUSB3men3gAnTOw07Azp.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\MsContainerwinHost\pHO8PqclKXULkE03ccrG.bat" "
C:\MsContainerwinHost\comagentFontsavescommon.exe
"C:\MsContainerwinHost/comagentFontsavescommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zjtl1l1g\zjtl1l1g.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F6.tmp" "c:\Windows\System32\CSCE36A15B8482D4EC8BA86DD65FA3CAB32.TMP"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\System32\it\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\it\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\it\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MsContainerwinHost\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MsContainerwinHost\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MsContainerwinHost\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\it\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainerwinHost\lsass.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e6uH18j37v.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe
"C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
Files
C:\MsContainerwinHost\XbzxyZcOnpQflcdDpiS9CmpLat40p7m47ZcP1aBzUSB3men3gAnTOw07Azp.vbe
| MD5 | 3c50898e9195eb3c1d7c8cea93468019 |
| SHA1 | 3b962be0c805f2f2a09c5c1794964c8159429bc4 |
| SHA256 | 10b09e9cc88f3bd4235046dbf39868d6f7a04fedd84da0d2fafea869dcbba32f |
| SHA512 | d6b15f2f9ba5bcdbefc9089eb3af061be7ccaaefd63ffc452aa394bafd9084d8bcef3c758284fbb4ca44d64a824ff35c74338e4aa366854b6f33e51055d27a1b |
C:\MsContainerwinHost\pHO8PqclKXULkE03ccrG.bat
| MD5 | 353975b28ea6dfcd7b3ee7c2222fc2bf |
| SHA1 | fb9cfcb87c2e971ff15ca8c84ad532fc01de3621 |
| SHA256 | f0afad62ce1c068549a41b3c6a227dc2f93150b12932fa3b4aad475e010455b0 |
| SHA512 | 6202b04157c2464b85dd07eb51fd96a80140c2d12d7715df74cb9a77140cfc63c7997d303b2607d7b92dd672cdadf1ba9c0dd0ec34e3ad8fc907f8b018fd09fa |
\MsContainerwinHost\comagentFontsavescommon.exe
| MD5 | c1be88dd3db1295cc201b02d8a17e77f |
| SHA1 | 45ae6da495be64a0d3d39cd39147a05711b228dc |
| SHA256 | f904ec745306831a78366b38809a00d5b90e9c950f035ee0a1d4154d34191405 |
| SHA512 | cd9a0ecefe5566f33656761d9c5d3e7b157f674f5638c0f2616941726580885f2566f93dcb80b4e266aaf9b3a068beb6acd6f32d960090a776065e30d59ae757 |
memory/2772-13-0x0000000000C50000-0x0000000000E9E000-memory.dmp
memory/2772-15-0x0000000000420000-0x000000000042E000-memory.dmp
memory/2772-17-0x0000000000A90000-0x0000000000AAC000-memory.dmp
memory/2772-19-0x0000000000430000-0x0000000000440000-memory.dmp
memory/2772-21-0x0000000000AB0000-0x0000000000AC8000-memory.dmp
memory/2772-23-0x00000000009E0000-0x00000000009EE000-memory.dmp
memory/2772-25-0x0000000000A70000-0x0000000000A7C000-memory.dmp
memory/2772-27-0x0000000000A80000-0x0000000000A90000-memory.dmp
memory/2772-29-0x0000000000AF0000-0x0000000000B06000-memory.dmp
memory/2772-31-0x0000000000B10000-0x0000000000B22000-memory.dmp
memory/2772-33-0x0000000000AD0000-0x0000000000ADE000-memory.dmp
memory/2772-35-0x0000000000BD0000-0x0000000000BE8000-memory.dmp
memory/2772-37-0x0000000000AE0000-0x0000000000AEC000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\zjtl1l1g\zjtl1l1g.cmdline
| MD5 | 2982a48d8cc00de54dab80852f18866c |
| SHA1 | 1a41b3869e3c93e7b767875ead3f48bf15a1fffa |
| SHA256 | fada2175f31c94fc0e0a4b87112236170448cdb9ac129b68cd88ea4a70edc029 |
| SHA512 | 0eb46cfe7b6847a99314da52c0b18283932d3dd5bd1d1d9079f318005b5ab7177907acaa302d053e7bb6fc9e386afd8097f8ab87baae5cbda1f8ccf3e1c91692 |
\??\c:\Users\Admin\AppData\Local\Temp\zjtl1l1g\zjtl1l1g.0.cs
| MD5 | 7fd347e1c7f3d1365fea314828d5beac |
| SHA1 | 666e046bfa9e53f299105a1d0d4facc1a334a62f |
| SHA256 | 95eaf06e3d592783dfa8b94c2eb63543b80dac5d17bce20ce13cc0402674c97d |
| SHA512 | b8cfc7005da264f648da3815e2843deaaa35ef21cfe7862225b9f43668f66d2c5bf457c9fb0387ef1f25ecbaf689f7e9873415f5aab61a2a6c3accc24e528b85 |
\??\c:\Windows\System32\CSCE36A15B8482D4EC8BA86DD65FA3CAB32.TMP
| MD5 | 078586b266e519b5c113064d7a0bf45c |
| SHA1 | a9395c0ef35add5c75591ebb94c85c1f33f408bf |
| SHA256 | ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e |
| SHA512 | 5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959 |
C:\Users\Admin\AppData\Local\Temp\RES8F6.tmp
| MD5 | b28b54de0b6298bb57209e81b21762dc |
| SHA1 | 9626b3357323e2df265e65ab1167e58fe2913295 |
| SHA256 | 0aa48b82bae55bc514381dd5975ce75a5888bac016ea23275581e18d46b7387c |
| SHA512 | ed8f6094fcbb91e7888e82c1697e0f029fe16c913982ad528d41afc25744882389e1e1e65288117dd9d0558c13a7a277b72b5744b05b92a0892495065605f577 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 703475b363326984b2083fe23a6b75b1 |
| SHA1 | 8f3ebb3ba3ad18120824f2d865524914f10130e0 |
| SHA256 | 5c83f399bbac0871d03a25bdde539182bf9c9ed67ad711501d667d5e899c534a |
| SHA512 | 4c4f0699f927b0798acd31efafb27d69beb0c8f6644435438f2cfad4e7c574b4890954d773e11638e27b187bf44f6fd4f1026c3ca474c3ac12bbac2b750bcf06 |
memory/3012-88-0x000000001B670000-0x000000001B952000-memory.dmp
memory/3008-89-0x0000000002720000-0x0000000002728000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e6uH18j37v.bat
| MD5 | e772bf2b98dccf9e6eeaf9ff6cd3c56e |
| SHA1 | 0bb2614e6dae74a7d65059fbe791dee77e59ed2c |
| SHA256 | 565d738a43cba674b50b2e2ecff9a6ed73a61d9436836576294f7661a0e4d3b7 |
| SHA512 | 173f11441c3040016f863d054b94660c1ab0ccdbafb0625e1d2daf9a6ed8155d56c955a6d6a4173c28368a667412c579eeca75d4580206d7f89ebaec264d5f1e |
memory/2344-93-0x00000000000A0000-0x00000000002EE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:36
Reported
2024-10-27 21:38
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\", \"C:\\MsContainerwinHost\\unsecapp.exe\", \"C:\\Windows\\PolicyDefinitions\\conhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\", \"C:\\MsContainerwinHost\\unsecapp.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\", \"C:\\MsContainerwinHost\\unsecapp.exe\", \"C:\\Windows\\PolicyDefinitions\\conhost.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\", \"C:\\MsContainerwinHost\\unsecapp.exe\", \"C:\\Windows\\PolicyDefinitions\\conhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\RuntimeBroker.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| N/A | N/A | C:\Windows\PolicyDefinitions\conhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\RuntimeBroker.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\MsContainerwinHost\\unsecapp.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\PolicyDefinitions\\conhost.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\MsContainerwinHost\\unsecapp.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\PolicyDefinitions\\conhost.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\RuntimeBroker.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\System32\CSC254CE15FA28448E792A23A14DFFD392D.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\-63gkj.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\VideoLAN\VLC\SearchApp.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\SearchApp.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\38384e6a620884 | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Configuration\Schema\9e8d7a4ca61bd9 | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\PolicyDefinitions\conhost.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\088424020bedd6 | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\PolicyDefinitions\conhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\PolicyDefinitions\conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe
"C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MsContainerwinHost\XbzxyZcOnpQflcdDpiS9CmpLat40p7m47ZcP1aBzUSB3men3gAnTOw07Azp.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\MsContainerwinHost\pHO8PqclKXULkE03ccrG.bat" "
C:\MsContainerwinHost\comagentFontsavescommon.exe
"C:\MsContainerwinHost/comagentFontsavescommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vfsew3fg\vfsew3fg.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7C9.tmp" "c:\Windows\System32\CSC254CE15FA28448E792A23A14DFFD392D.TMP"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\MsContainerwinHost\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\MsContainerwinHost\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\MsContainerwinHost\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainerwinHost\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JXdCwbXGR5.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\PolicyDefinitions\conhost.exe
"C:\Windows\PolicyDefinitions\conhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
| US | 8.8.8.8:53 | 37.89.66.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
| RU | 80.66.89.37:80 | 80.66.89.37 | tcp |
Files
C:\MsContainerwinHost\XbzxyZcOnpQflcdDpiS9CmpLat40p7m47ZcP1aBzUSB3men3gAnTOw07Azp.vbe
| MD5 | 3c50898e9195eb3c1d7c8cea93468019 |
| SHA1 | 3b962be0c805f2f2a09c5c1794964c8159429bc4 |
| SHA256 | 10b09e9cc88f3bd4235046dbf39868d6f7a04fedd84da0d2fafea869dcbba32f |
| SHA512 | d6b15f2f9ba5bcdbefc9089eb3af061be7ccaaefd63ffc452aa394bafd9084d8bcef3c758284fbb4ca44d64a824ff35c74338e4aa366854b6f33e51055d27a1b |
C:\MsContainerwinHost\pHO8PqclKXULkE03ccrG.bat
| MD5 | 353975b28ea6dfcd7b3ee7c2222fc2bf |
| SHA1 | fb9cfcb87c2e971ff15ca8c84ad532fc01de3621 |
| SHA256 | f0afad62ce1c068549a41b3c6a227dc2f93150b12932fa3b4aad475e010455b0 |
| SHA512 | 6202b04157c2464b85dd07eb51fd96a80140c2d12d7715df74cb9a77140cfc63c7997d303b2607d7b92dd672cdadf1ba9c0dd0ec34e3ad8fc907f8b018fd09fa |
C:\MsContainerwinHost\comagentFontsavescommon.exe
| MD5 | c1be88dd3db1295cc201b02d8a17e77f |
| SHA1 | 45ae6da495be64a0d3d39cd39147a05711b228dc |
| SHA256 | f904ec745306831a78366b38809a00d5b90e9c950f035ee0a1d4154d34191405 |
| SHA512 | cd9a0ecefe5566f33656761d9c5d3e7b157f674f5638c0f2616941726580885f2566f93dcb80b4e266aaf9b3a068beb6acd6f32d960090a776065e30d59ae757 |
memory/4920-12-0x00007FFE56CF3000-0x00007FFE56CF5000-memory.dmp
memory/4920-13-0x0000000000030000-0x000000000027E000-memory.dmp
memory/4920-15-0x0000000000E40000-0x0000000000E4E000-memory.dmp
memory/4920-17-0x0000000000EB0000-0x0000000000ECC000-memory.dmp
memory/4920-18-0x000000001AF50000-0x000000001AFA0000-memory.dmp
memory/4920-20-0x0000000000E90000-0x0000000000EA0000-memory.dmp
memory/4920-22-0x0000000000EF0000-0x0000000000F08000-memory.dmp
memory/4920-24-0x0000000000EA0000-0x0000000000EAE000-memory.dmp
memory/4920-26-0x0000000000ED0000-0x0000000000EDC000-memory.dmp
memory/4920-28-0x0000000000EE0000-0x0000000000EF0000-memory.dmp
memory/4920-30-0x00000000014D0000-0x00000000014E6000-memory.dmp
memory/4920-32-0x000000001AFA0000-0x000000001AFB2000-memory.dmp
memory/4920-33-0x000000001C7E0000-0x000000001CD08000-memory.dmp
memory/4920-35-0x00000000014B0000-0x00000000014BE000-memory.dmp
memory/4920-37-0x000000001C2B0000-0x000000001C2C8000-memory.dmp
memory/4920-39-0x00000000014C0000-0x00000000014CC000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\vfsew3fg\vfsew3fg.cmdline
| MD5 | 473d383eab773382fdc36f3dc3e21a66 |
| SHA1 | b0f4c5f7a4e9fa023372083d6503203f23fb1023 |
| SHA256 | da2ed2cc7db5dbbecbe2288ee11c0e089e29c0264efdd378fc9cf6f227b686ea |
| SHA512 | be12a1e971d06324472eb822c4e90151b24f902173c0cb53c969f75b0c940b7fda6bca32406fe67dc8e96e0a375e3c2bc6bab3436bf93ba50935e0ec9d215ca3 |
\??\c:\Users\Admin\AppData\Local\Temp\vfsew3fg\vfsew3fg.0.cs
| MD5 | c50ce1596750a294c1eb612e42d16e60 |
| SHA1 | 92d7f48133d3a6491adfd59ff16177ff136a2ad0 |
| SHA256 | 2cf5a7e1510e8e012bd29fc5ae50a5e6061e3013e7858bcc4b88aa6406964c4f |
| SHA512 | 2672b1528ade372b538a8a36e656a6edd856ab544b2d6203892f32c70c2e361614dbce5eee6b6a7d9cbe8a4728d6f6f30e15482872f53cb4a6f17917a2c7325b |
\??\c:\Windows\System32\CSC254CE15FA28448E792A23A14DFFD392D.TMP
| MD5 | 82a7b8ef3bc275711e3b27c6df93c7ff |
| SHA1 | bdac909f26475c94c74145576bcf22adb0f8203c |
| SHA256 | 582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124 |
| SHA512 | f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248 |
C:\Users\Admin\AppData\Local\Temp\RESA7C9.tmp
| MD5 | 6ab8454b524a53c061105ff324580b07 |
| SHA1 | eb986e755575a2b7055d2cd9a369d7905e5c5e5c |
| SHA256 | 76fe48ded928d9ea95e089db37e9491d12ef2337b669c9b3f16ce7a6e3114935 |
| SHA512 | 5970f06b9836bad027957eb675aea0899e80d5c779ed52a38aba426ee42ae29ac8cbecfc6db24af987bf43d8cf9029ca19c3b31ffe942b3a9c1737cfcb51b136 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epajmdvr.gtl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4068-73-0x0000021679620000-0x0000021679642000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JXdCwbXGR5.bat
| MD5 | a69d3dc7c1acfa7d32dce6f0397a2fb3 |
| SHA1 | 1fd81c4c271a25f4bd931e3faafd8d5b1788a5b8 |
| SHA256 | 0c5b90db8513aa96e8bc6492cb5c2d431c6e12e408f382346f3eaece29abe7c0 |
| SHA512 | 8709d4389eb02efa531f0346af6c6aec2bd56038bbba24b321c1f48201026bb7c0a1de8004cfcb43279b5218afbcd763cf2eae9152df58d325002fb50a88e846 |
memory/1128-116-0x000002623EFB0000-0x000002623F11A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4068-120-0x0000021679930000-0x0000021679A9A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
memory/3000-126-0x0000019AF4470000-0x0000019AF45DA000-memory.dmp
memory/3204-125-0x000001DC54BD0000-0x000001DC54D3A000-memory.dmp
memory/3468-129-0x000001447AE60000-0x000001447AFCA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/3084-145-0x000000001C0B0000-0x000000001C0B8000-memory.dmp