Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 21:07
Static task
static1
Behavioral task
behavioral1
Sample
270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe
Resource
win10v2004-20241007-en
General
-
Target
270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe
-
Size
113KB
-
MD5
7cf417d06a24c1ade73ec6d8ae589077
-
SHA1
128516790f9c6d8ac1d33a9f1f2b854162d94942
-
SHA256
270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8
-
SHA512
3f5615b04489cfc755e19efc30fe619026dfacd250bb1c1677e1c55ceb6f69a80d0f05760c157696985e1090c34e8e403b453e5680fb981f274bdd66e2fcb5bb
-
SSDEEP
3072:RSb0MKWY3tfR2y+/ESH7V3wy3OcpN4LBzl:44JWGJ+/ESx3wy+c34LBZ
Malware Config
Extracted
orcus
Roblox
89.23.100.155:1337
52641f3c61234743ba12f855fdae3135
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%AppData%\Windows\Helper\WinHelper32.exe
-
reconnect_delay
10000
-
registry_keyname
WinHelper32.exe
-
taskscheduler_taskname
WinHelper32
-
watchdog_path
AppData\WinHelperWatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/memory/3400-187-0x00000000055C0000-0x00000000055CA000-memory.dmp disable_win_def -
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\csrss.exe\", \"C:\\Windows\\InputMethod\\SHARED\\conhost.exe\", \"C:\\blockComAgentdll\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\csrss.exe\", \"C:\\Windows\\InputMethod\\SHARED\\conhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\csrss.exe\", \"C:\\Windows\\InputMethod\\SHARED\\conhost.exe\", \"C:\\blockComAgentdll\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\csrss.exe\", \"C:\\Windows\\InputMethod\\SHARED\\conhost.exe\", \"C:\\blockComAgentdll\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\csrss.exe\", \"C:\\Windows\\InputMethod\\SHARED\\conhost.exe\", \"C:\\blockComAgentdll\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" RunShell.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" WinHelper32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" WinHelper32.exe -
Orcus family
-
Orcus main payload 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023cba-139.dat family_orcus -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5016 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4808 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 544 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1836 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5068 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4220 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3180 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 752 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 776 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 448 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4304 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4944 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4956 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4928 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3288 4816 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3076 4816 schtasks.exe 95 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xdwd.exe -
DCRat payload 1 IoCs
resource yara_rule behavioral2/memory/1636-257-0x0000000001170000-0x0000000001242000-memory.dmp family_dcrat_v2 -
Orcurs Rat Executable 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023cba-139.dat orcus behavioral2/memory/3400-171-0x0000000000180000-0x0000000000482000-memory.dmp orcus -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1088 powershell.exe 728 powershell.exe 2896 powershell.exe 2640 powershell.exe 2688 powershell.exe 2940 powershell.exe 3588 powershell.exe 3308 powershell.exe -
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WinHelperWatchdog.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation xdwd.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation RunShell.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation hypercommonSvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WinHelper32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WinHelper32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Boostrapper.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinHelper32.exe javaw.exe -
Executes dropped EXE 13 IoCs
pid Process 4868 WinHelper32.exe 3400 xdwd.exe 3628 Boostrapper.exe 3144 WindowsInput.exe 1620 WindowsInput.exe 1636 RunShell.exe 4180 WinHelper32.exe 448 WinHelper32.exe 1060 hypercommonSvc.exe 4692 csrss.exe 4256 WinHelperWatchdog.exe 1344 WinHelperWatchdog.exe 3460 sihost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" WinHelper32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features xdwd.exe -
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\InputMethod\\SHARED\\conhost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockComAgentdll\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\InputMethod\\SHARED\\conhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockComAgentdll\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" RunShell.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" xdwd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" WinHelper32.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" WinHelper32.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 13 raw.githubusercontent.com 14 raw.githubusercontent.com -
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\WindowsInput.exe xdwd.exe File created C:\Windows\SysWOW64\WindowsInput.exe.config xdwd.exe File created C:\Windows\SysWOW64\WindowsInput.InstallState WindowsInput.exe File created \??\c:\Windows\System32\CSC65690CAE25442DCAE2A1BDACD90A6A2.TMP csc.exe File created \??\c:\Windows\System32\ewkptm.exe csc.exe -
Drops file in Program Files directory 8 IoCs
description ioc Process File created C:\Program Files\MSBuild\csrss.exe RunShell.exe File created C:\Program Files\MSBuild\886983d96e3d3e RunShell.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe hypercommonSvc.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\22eafd247d37c3 hypercommonSvc.exe File created C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe hypercommonSvc.exe File created C:\Program Files (x86)\Windows Portable Devices\38384e6a620884 hypercommonSvc.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe RunShell.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\5940a34987c991 RunShell.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\InputMethod\SHARED\conhost.exe RunShell.exe File created C:\Windows\InputMethod\SHARED\088424020bedd6 RunShell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinHelper32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xdwd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinHelperWatchdog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinHelper32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinHelper32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boostrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinHelperWatchdog.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Boostrapper.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings RunShell.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings hypercommonSvc.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings WinHelper32.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4808 schtasks.exe 1836 schtasks.exe 5068 schtasks.exe 3180 schtasks.exe 2904 schtasks.exe 4928 schtasks.exe 5016 schtasks.exe 3288 schtasks.exe 4220 schtasks.exe 752 schtasks.exe 776 schtasks.exe 4956 schtasks.exe 544 schtasks.exe 448 schtasks.exe 4304 schtasks.exe 4944 schtasks.exe 2004 schtasks.exe 3076 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2896 powershell.exe 2640 powershell.exe 2896 powershell.exe 2640 powershell.exe 3400 xdwd.exe 368 powershell.exe 368 powershell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 368 powershell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe 1636 RunShell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4692 csrss.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeDebugPrivilege 2896 powershell.exe Token: SeDebugPrivilege 2640 powershell.exe Token: SeDebugPrivilege 3400 xdwd.exe Token: SeDebugPrivilege 1636 RunShell.exe Token: SeDebugPrivilege 368 powershell.exe Token: SeDebugPrivilege 2688 powershell.exe Token: SeDebugPrivilege 3308 powershell.exe Token: SeDebugPrivilege 2940 powershell.exe Token: SeDebugPrivilege 1088 powershell.exe Token: SeDebugPrivilege 3588 powershell.exe Token: SeDebugPrivilege 728 powershell.exe Token: SeDebugPrivilege 4180 WinHelper32.exe Token: SeDebugPrivilege 1060 hypercommonSvc.exe Token: SeDebugPrivilege 3620 powershell.exe Token: SeDebugPrivilege 4692 csrss.exe Token: SeDebugPrivilege 4256 WinHelperWatchdog.exe Token: SeDebugPrivilege 1344 WinHelperWatchdog.exe Token: SeDebugPrivilege 3460 sihost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4180 WinHelper32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1880 wrote to memory of 1184 1880 270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe 83 PID 1880 wrote to memory of 1184 1880 270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe 83 PID 1184 wrote to memory of 2640 1184 javaw.exe 87 PID 1184 wrote to memory of 2640 1184 javaw.exe 87 PID 1184 wrote to memory of 2896 1184 javaw.exe 88 PID 1184 wrote to memory of 2896 1184 javaw.exe 88 PID 1184 wrote to memory of 4868 1184 javaw.exe 99 PID 1184 wrote to memory of 4868 1184 javaw.exe 99 PID 1184 wrote to memory of 4868 1184 javaw.exe 99 PID 4868 wrote to memory of 4440 4868 WinHelper32.exe 103 PID 4868 wrote to memory of 4440 4868 WinHelper32.exe 103 PID 4868 wrote to memory of 4440 4868 WinHelper32.exe 103 PID 4868 wrote to memory of 3400 4868 WinHelper32.exe 104 PID 4868 wrote to memory of 3400 4868 WinHelper32.exe 104 PID 4868 wrote to memory of 3400 4868 WinHelper32.exe 104 PID 4868 wrote to memory of 3628 4868 WinHelper32.exe 106 PID 4868 wrote to memory of 3628 4868 WinHelper32.exe 106 PID 4868 wrote to memory of 3628 4868 WinHelper32.exe 106 PID 3628 wrote to memory of 4168 3628 Boostrapper.exe 108 PID 3628 wrote to memory of 4168 3628 Boostrapper.exe 108 PID 3628 wrote to memory of 4168 3628 Boostrapper.exe 108 PID 3400 wrote to memory of 3144 3400 xdwd.exe 109 PID 3400 wrote to memory of 3144 3400 xdwd.exe 109 PID 4440 wrote to memory of 4752 4440 WScript.exe 112 PID 4440 wrote to memory of 4752 4440 WScript.exe 112 PID 4440 wrote to memory of 4752 4440 WScript.exe 112 PID 4752 wrote to memory of 1636 4752 cmd.exe 114 PID 4752 wrote to memory of 1636 4752 cmd.exe 114 PID 3400 wrote to memory of 368 3400 xdwd.exe 115 PID 3400 wrote to memory of 368 3400 xdwd.exe 115 PID 3400 wrote to memory of 368 3400 xdwd.exe 115 PID 1636 wrote to memory of 1880 1636 RunShell.exe 120 PID 1636 wrote to memory of 1880 1636 RunShell.exe 120 PID 1880 wrote to memory of 3644 1880 csc.exe 122 PID 1880 wrote to memory of 3644 1880 csc.exe 122 PID 1636 wrote to memory of 2688 1636 RunShell.exe 138 PID 1636 wrote to memory of 2688 1636 RunShell.exe 138 PID 1636 wrote to memory of 728 1636 RunShell.exe 139 PID 1636 wrote to memory of 728 1636 RunShell.exe 139 PID 1636 wrote to memory of 1088 1636 RunShell.exe 140 PID 1636 wrote to memory of 1088 1636 RunShell.exe 140 PID 1636 wrote to memory of 3308 1636 RunShell.exe 141 PID 1636 wrote to memory of 3308 1636 RunShell.exe 141 PID 1636 wrote to memory of 3588 1636 RunShell.exe 142 PID 1636 wrote to memory of 3588 1636 RunShell.exe 142 PID 1636 wrote to memory of 2940 1636 RunShell.exe 143 PID 1636 wrote to memory of 2940 1636 RunShell.exe 143 PID 1636 wrote to memory of 2452 1636 RunShell.exe 150 PID 1636 wrote to memory of 2452 1636 RunShell.exe 150 PID 2452 wrote to memory of 4832 2452 cmd.exe 152 PID 2452 wrote to memory of 4832 2452 cmd.exe 152 PID 2452 wrote to memory of 4260 2452 cmd.exe 153 PID 2452 wrote to memory of 4260 2452 cmd.exe 153 PID 3400 wrote to memory of 4180 3400 xdwd.exe 155 PID 3400 wrote to memory of 4180 3400 xdwd.exe 155 PID 3400 wrote to memory of 4180 3400 xdwd.exe 155 PID 4168 wrote to memory of 3428 4168 WScript.exe 157 PID 4168 wrote to memory of 3428 4168 WScript.exe 157 PID 4168 wrote to memory of 3428 4168 WScript.exe 157 PID 3428 wrote to memory of 1060 3428 cmd.exe 159 PID 3428 wrote to memory of 1060 3428 cmd.exe 159 PID 4180 wrote to memory of 3620 4180 WinHelper32.exe 160 PID 4180 wrote to memory of 3620 4180 WinHelper32.exe 160 PID 4180 wrote to memory of 3620 4180 WinHelper32.exe 160 -
System policy modification 1 TTPs 14 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" WinHelper32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xdwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xdwd.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe"C:\Users\Admin\AppData\Local\Temp\270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8.exe"2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q42puxjw\q42puxjw.cmdline"7⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES913.tmp" "c:\Windows\System32\CSC65690CAE25442DCAE2A1BDACD90A6A2.TMP"8⤵PID:3644
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\SHARED\conhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockComAgentdll\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QEUkYeQnTA.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:4832
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:4260
-
-
C:\Program Files\MSBuild\csrss.exe"C:\Program Files\MSBuild\csrss.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4692
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3400 -
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3144
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:368
-
-
C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe"C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4180 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3620
-
-
C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe"C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 4180 /protectFile6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4256 -
C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe"C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 4180 "/protectFile"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1344
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat" "6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\blockComAgentdll\hypercommonSvc.exe"C:\blockComAgentdll/hypercommonSvc.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1060 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PmQZXrSoop.bat"8⤵PID:1252
-
C:\Windows\system32\chcp.comchcp 650019⤵PID:1400
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2444
-
-
C:\Users\Admin\Start Menu\sihost.exe"C:\Users\Admin\Start Menu\sihost.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3460
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\blockComAgentdll\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blockComAgentdll\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\blockComAgentdll\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076
-
C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exeC:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:448
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD58f5b63c1cb9e3df554a695199e7eda37
SHA17275432ca8b39040fa068de0f72a4cc8893bd658
SHA256b3400b1cb9b503998092d8b272a84e9df8e4262d40ecc99aaf2bb4ef47b1e822
SHA51251faa4a166fd2fbe4935fff0bc012873118be549f83debc6ddf9a6b87c6ade5f00dabf8243b58198cd05f44a0197717559003da6d5a2f68eb99341e744396069
-
Filesize
944B
MD5e2efbfd23e33d8d07d019bdd9ca20649
SHA168d3b285c423d311bdf8dc53354f5f4000caf386
SHA256f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828
SHA512b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443
-
Filesize
944B
MD52ea91e7d1b473f8290ae52d13e105194
SHA15e565d99a7733250427e70f5f6e1951a081deed6
SHA256712db2b991a3c11ccd71b36cfe99fad0b5b1eb1026b12d28c35a43334128671a
SHA5120d6e2f0f8963986cb27a5cb853c5a87af5d2b65142ff082b4a12681b467d4a72efbcaea71307513523915aa4f27e7b238c67f4ab563f69525938f38253599424
-
Filesize
944B
MD507ab6cc81c5230a598c0ad1711b6bd97
SHA1de7e270e12d447dfc5896b7c96777eb32725778a
SHA256900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3
SHA512ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
212B
MD5e38e9781a42f832c9afb98ad1295dd2d
SHA112281d188b601aef89fae851acb54327d967e8b2
SHA256ea60e25b750b69581e43dbae5effe01e600006bc06deda68e27040e034e3ee52
SHA512fd29e1d13b1f7b6202b04e0ad5ce92fe292a48ed6d4c697c63721b189b16a7228e353f6e5bab4e092f856c6c0f4358c1d3df7f3c2b7f8e6e7b4580d948804647
-
Filesize
210B
MD58b68b6398793abc3f6cd7e74bc410651
SHA1ee1742796d38890f36b77ee858f5886046e19adf
SHA256eccb4b7273ebe4cd9160a626496100605d9aeddae09b98b19f54cb7a20bcf367
SHA5129deb192b2be6d7d6ac9c429f945ebfc2161a495bf46bdcc1e6b673a24f424a79f36c17a5e8ef359cdef6422e48f8d1c0a58a948b141372e8c183d42e897c82e2
-
Filesize
1KB
MD518ee312499b4893a6a2d4f92c8af5423
SHA1ec449c18380e97f519d91f1949db3ba1fba31f81
SHA256d1faadd5493412715612744bac71668cce939683992539d116ff2d0b6173d76c
SHA512410b3ec0833eedce25959e3cf29ca70fb8a9163e663fc8bd6c6f4ce3ddd7f8be24ad24aa81f3b18ab2597592b8dabeac690e8e91ade29d01bc15f01d9bacba93
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9KB
MD57a195b6c9de2d5cab015f649da6931a1
SHA189f7372dd92a90a8e13b74ee512b464412e4cf9b
SHA25630183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc
SHA5123c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7
-
Filesize
4.9MB
MD572982e4d77aaee2ef6d16876037b3dbe
SHA1bfffbe69bfc0cb1fb5e23199dba5ea69c4f3d9df
SHA256bbe1c2a2af47b4e32fa9b6e8a44da455473604bd1aae5481524403f878a86662
SHA512cb28f33f6c3acaa74ddb3e9f50922e764926fbf2b8a3d7317f13b57f6f30e259a5a8b0213c77dee27cf542ad860762909c1f46f695f2b2c45bb778de957f02db
-
Filesize
2.2MB
MD5f21f63c5ac1e7afc50125b10c75e30af
SHA109be95306a2e9f48934b6f3ec4e789eefaaefc94
SHA256a4bf1fbf3c41613a6ca44ec770bca60ed1a23206bd01a2296513c302ff63e046
SHA512681ba321321fe8c856a1d6d3de10f23e4f313d943e0e83abfa4ab575cc8932b8be28024eaec282f21dabafa4848b9305d4a15bbd3db7591bccf46d1ee369d58c
-
Filesize
427KB
MD58d860de39a47014bb85432844205defc
SHA116b6485662cc4b57af26f1ee2fe5e5595156264d
SHA2566f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb
SHA512c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539
-
Filesize
3.0MB
MD5c33b516c2f5105562cc621929d2f3a5a
SHA1ac89044573fc5b586b43c1bf784c3bcc50a46c1f
SHA25642fcea19c41fd2e09ce01b6f0f48027f7f58aac75f93b7aeae8d24af7eb23f3c
SHA512eace4742d8f75a2093cfeab3cd20f8ddb23514f6d5a598b16927621afc6e2bc4dff58d775e0c2c261f7c1ffc20a4b7d1004fe1ef8c7f904d8ef1cd94636caec6
-
Filesize
249B
MD55299f191d092a082374029620d0184cd
SHA1154c0f2d892c0dde9914e1d2e114995ab5f1a8cb
SHA2569c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9
SHA512670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
Filesize104B
MD5b33c8997ecd39b1b7e8af929abd526c7
SHA1e30e21ca9e74d508cfc35e9affd57a7fbc089a77
SHA25671340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c
SHA512394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc
-
Filesize
21KB
MD5f6285edd247fa58161be33f8cf662d31
SHA1e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470
SHA256bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec
SHA5126f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
98B
MD51316b7f40530ee0c903a091d248c63dd
SHA16e9322f825d3d18a712458d98430a54b17c9f904
SHA25643c1d785f81931b200e0be0a9fc40a736f26f397fda6571e26f52c21acf1065f
SHA5121c9a435ca6d25466b715d2d4505dc33d42ab33fe192e89820929ee01b1962a2128c0ce9281ae96d27a9c18a4d035e55d912f673e17c6e7936d96160fea253345
-
Filesize
1.9MB
MD5c9cda0ef2f246e5a640c25ff468a87a4
SHA144c7046f6251c49905cc569d1836361d0ae7856a
SHA256cc66b2f2a0bcd9104078ed351c6b313a488f6b895c5fef9743b227c0397c4d6f
SHA5122731df92281b29a4421b5071891676a4048bb39378956674c99dddea5b27f7684c71b7e3808942fd758c3c60e3eae93da535de95d702a3ae6f8829aae598ff21
-
Filesize
211B
MD5386552a2a95b01f9b62bbf076f55204a
SHA14b202d016dc86a72837fdcb080caea7b8761842c
SHA256be3ca473daa12562ac27843de069cca900d4413f08703b0cefee87303b8ec414
SHA512dbba55a57db75cb351606a7dbc89cd0cf37dd333fa7456f94c6c2f9fd0480af28a27c29ca411cc5745c9929a92222123f770a870b046a84b25b23f4417ec62c4
-
Filesize
366B
MD509e5e8935dfe60855d3e0baa454cf4ca
SHA1830fa6302244f5fd77dec60f3ab08f692b643845
SHA256936836042f363d3a5a58309d612a2e4712c3a250e10c3d48b2602fceabb7cc94
SHA512d97b00b5ef19048dd9d5a54d49a92c774dc90d6e8d15782a7a4548806502db28f58dafac7de92599bdcc9cc5181e2f29f95d5fa96b71eb1075ebaf10c6a4935d
-
Filesize
235B
MD5e56a983f213e0245d1e3fa2884433eb3
SHA17977d7217af5489bd5bbefea8e9ad9293af4f602
SHA25696064fbee3ab0f6dcc7f067815127ecd7a47fca0d12e69a08b4b3b01d2aa318c
SHA512a8b07ee4d2dc60dd6bb6ec917f69b290e8d85a2d04e77a405d87ab8b0db0ba580118fd1e77a3b297b4bcac62124d20663ac2de8b53d32c0f68865ca94a95e55b
-
Filesize
1KB
MD5be99f41194f5159cc131a1a4353a0e0a
SHA1f24e3bf06e777b4de8d072166cff693e43f2295c
SHA256564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf
SHA51251d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5