Analysis
max time kernel: 37s
max time network: 41s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-11-2024 13:35

Static task: static1
Behavioral task: behavioral1
Sample: Enzo project.exe
Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
Sample: Enzo project.exe
Resource: win11-20241007-en
General
Target: Enzo project.exe
Size: 2.2MB
MD5: 83539ba7c5103e90cf7230812873abb5
SHA1: aa84fc6f29b943e714f7be00e4cc7af957484381
SHA256: e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1
SHA512: e8183cbd06ae2f1930cf7a2d417562d1c90cc1e5bbe580f0049d2b303ab4699f59981d6ab6a3f774c01dc014e9f1c7cc1933e1e6aeaea62404f42e1e07d27487
SSDEEP: 24576:2TbBv5rUyXVijPqBdzumpuWIax7RAxXo6MA17qm8w4tBPP+3wVwLsvMlDF/3cWA3:IBJiSr41q9FtBPW3+elDNMWAgPrc7H
Malware Config
Signatures
- DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\spoolsv.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\Users\\Public\\Music\\Local Security Authority Process.exe\", \"C:\\Windows\\Panther\\actionqueue\\SearchHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\sysmon.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\spoolsv.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\spoolsv.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\spoolsv.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\Users\\Public\\Music\\Local Security Authority Process.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\spoolsv.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\Users\\Public\\Music\\Local Security Authority Process.exe\", \"C:\\Windows\\Panther\\actionqueue\\SearchHost.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\spoolsv.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\Users\\Public\\Music\\Local Security Authority Process.exe\", \"C:\\Windows\\Panther\\actionqueue\\SearchHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\sysmon.exe\"" | Local Security Authority Process.exe
- Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4864 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2540 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 128 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1512 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1596 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3760 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1624 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 428 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3372 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1408 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3536 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5116 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 232 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 260 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4620 | 260 | schtasks.exe | 84
- Command and Scripting Interpreter: PowerShell (1 TTPs, 17 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1940, 740, 4204, 4872, 848, 3416, 1724, 868, 4932, 432, 816, 3996, 4988, 3496, 4684, 736, 2808 | powershell.exe
- Executes dropped EXE (2 IoCs)
pid | Process
4108 | Local Security Authority Process.exe
5352 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Public\\Music\\Local Security Authority Process.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Public\\Music\\Local Security Authority Process.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Windows\\Panther\\actionqueue\\SearchHost.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\sysmon.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\sysmon.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Recent\\spoolsv.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Recent\\spoolsv.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Windows\\Panther\\actionqueue\\SearchHost.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\"" | Local Security Authority Process.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\"" | Local Security Authority Process.exe
- Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ipinfo.io
2 | ipinfo.io
- Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\tztv-f.exe | csc.exe
File created | \??\c:\Windows\System32\CSC3C9830F240514D029B99F451C10348F.TMP | csc.exe
- Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\c5b4cb5e9653cc | Local Security Authority Process.exe
File created | C:\Program Files (x86)\Microsoft\Edge\sysmon.exe | Local Security Authority Process.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\sysmon.exe | Local Security Authority Process.exe
File created | C:\Program Files (x86)\Microsoft\Edge\121e5b5079f7c0 | Local Security Authority Process.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe | Local Security Authority Process.exe
- Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Panther\actionqueue\cfa885d449487c | Local Security Authority Process.exe
File created | C:\Windows\Panther\actionqueue\SearchHost.exe | Local Security Authority Process.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enzo project.exe
- Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | Enzo project.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | Local Security Authority Process.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4864, 2932, 428, 2796, 1596, 1708, 1408, 232, 3372, 4620, 2540, 128, 1512, 2208, 3760, 1624, 3536, 5116 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events
4108 | Local Security Authority Process.exe | 64 events
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4108 | Local Security Authority Process.exe
Token: SeDebugPrivilege | 4872 | powershell.exe
Token: SeDebugPrivilege | 848 | powershell.exe
Token: SeDebugPrivilege | 816 | powershell.exe
Token: SeDebugPrivilege | 4204 | powershell.exe
Token: SeDebugPrivilege | 736 | powershell.exe
Token: SeDebugPrivilege | 1940 | powershell.exe
Token: SeDebugPrivilege | 2808 | powershell.exe
Token: SeDebugPrivilege | 4988 | powershell.exe
Token: SeDebugPrivilege | 4932 | powershell.exe
Token: SeDebugPrivilege | 868 | powershell.exe
Token: SeDebugPrivilege | 432 | powershell.exe
Token: SeDebugPrivilege | 4684 | powershell.exe
Token: SeDebugPrivilege | 3496 | powershell.exe
Token: SeDebugPrivilege | 3996 | powershell.exe
Token: SeDebugPrivilege | 740 | powershell.exe
Token: SeDebugPrivilege | 1724 | powershell.exe
Token: SeDebugPrivilege | 3416 | powershell.exe
Token: SeDebugPrivilege | 5352 | spoolsv.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
description | pid | Process | procid_target | events
PID 3540 wrote to memory of 4972 | 3540 | Enzo project.exe | 79 | 3 events
PID 4972 wrote to memory of 1456 | 4972 | WScript.exe | 81 | 3 events
PID 1456 wrote to memory of 4108 | 1456 | cmd.exe | 83 | 2 events
PID 4108 wrote to memory of 352 | 4108 | Local Security Authority Process.exe | 88 | 2 events
PID 352 wrote to memory of 1576 | 352 | csc.exe | 90 | 2 events
PID 4108 wrote to memory of 868 | 4108 | Local Security Authority Process.exe | 106 | 2 events
PID 4108 wrote to memory of 816 | 4108 | Local Security Authority Process.exe | 107 | 2 events
PID 4108 wrote to memory of 4872 | 4108 | Local Security Authority Process.exe | 108 | 2 events
PID 4108 wrote to memory of 3996 | 4108 | Local Security Authority Process.exe | 109 | 2 events
PID 4108 wrote to memory of 4932 | 4108 | Local Security Authority Process.exe | 110 | 2 events
PID 4108 wrote to memory of 4988 | 4108 | Local Security Authority Process.exe | 111 | 2 events
PID 4108 wrote to memory of 3496 | 4108 | Local Security Authority Process.exe | 112 | 2 events
PID 4108 wrote to memory of 2808 | 4108 | Local Security Authority Process.exe | 113 | 2 events
PID 4108 wrote to memory of 1724 | 4108 | Local Security Authority Process.exe | 116 | 2 events
PID 4108 wrote to memory of 4204 | 4108 | Local Security Authority Process.exe | 118 | 2 events
PID 4108 wrote to memory of 736 | 4108 | Local Security Authority Process.exe | 119 | 2 events
PID 4108 wrote to memory of 740 | 4108 | Local Security Authority Process.exe | 120 | 2 events
PID 4108 wrote to memory of 432 | 4108 | Local Security Authority Process.exe | 122 | 2 events
PID 4108 wrote to memory of 1940 | 4108 | Local Security Authority Process.exe | 123 | 2 events
PID 4108 wrote to memory of 3416 | 4108 | Local Security Authority Process.exe | 124 | 2 events
PID 4108 wrote to memory of 4684 | 4108 | Local Security Authority Process.exe | 125 | 2 events
PID 4108 wrote to memory of 848 | 4108 | Local Security Authority Process.exe | 126 | 2 events
PID 4108 wrote to memory of 4004 | 4108 | Local Security Authority Process.exe | 140 | 2 events
PID 4004 wrote to memory of 4040 | 4004 | cmd.exe | 142 | 2 events
PID 4004 wrote to memory of 5160 | 4004 | cmd.exe | 143 | 2 events
PID 4004 wrote to memory of 5352 | 4004 | cmd.exe | 144 | 2 events
- Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Enzo project.exe (depth 1, PID 3540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Enzo project.exe"
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (depth 2, PID 4972)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1456)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe (depth 4, PID 4108)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft/Local Security Authority Process.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 5, PID 352)
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wwji3ezw\wwji3ezw.cmdline"
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 6, PID 1576)
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE918.tmp" "c:\Windows\System32\CSC3C9830F240514D029B99F451C10348F.TMP"
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 868)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 816)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 4872)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 3996)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 4932)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 4988)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 3496)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 2808)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 1724)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 4204)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 736)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 740)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\spoolsv.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 432)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 1940)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Local Security Authority Process.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 3416)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\SearchHost.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 4684)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\sysmon.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 848)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe (depth 5, PID 4004)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WuJvDQTIso.bat"
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\chcp.com (depth 6, PID 4040)
            Command line: chcp 65001
          C:\Windows\system32\w32tm.exe (depth 6, PID 5160)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          C:\Users\Admin\Recent\spoolsv.exe (depth 6, PID 5352)
            Command line: "C:\Users\Admin\Recent\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exe (depth 1, PID 4864)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 2540)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Recent\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 128)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 1512)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 1596)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 2208)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 3760)
  Command line: schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Local Security Authority Process.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 1624)
  Command line: schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Users\Public\Music\Local Security Authority Process.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 1708)
  Command line: schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Local Security Authority Process.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 2932)
  Command line: schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\actionqueue\SearchHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 428)
  Command line: schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\SearchHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 3372)
  Command line: schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\SearchHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 1408)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 3536)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 5116)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 232)
  Command line: schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 2796)
  Command line: schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (depth 1, PID 4620)
  Command line: schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Filesize: 944B
MD5: 2e8eb51096d6f6781456fef7df731d97
SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Filesize: 944B
MD5: 45f53352160cf0903c729c35c8edfdce
SHA1: b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab
SHA256: 9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2
SHA512: e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

Filesize: 944B
MD5: dc4dd6766dd68388d8733f1b729f87e9
SHA1: 7b883d87afec5be3eff2088409cd1f57f877c756
SHA256: 3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826
SHA512: 3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

Filesize: 944B
MD5: 2ab9885ed803576dfcb4df976a3e7ca0
SHA1: 49a54d1bb797dca76c41f6af288f9df6c705cf56
SHA256: 9a7f8ca5a6bfcd5839a1cd029a116378bec3be1baec9db19bbe4f127199fb322
SHA512: b1f90e17c21425cd94a7f00438386ae40c7414784a96694432e340e35ba6a60e1176a2871a732474db4bd7080ebdbf4c476b61efa49fedf8208b382252ae25ba

Filesize: 1KB
MD5: 5230ec071aac6e5ed8c0120ace0e78ed
SHA1: 18b91791163bbf5051db1ee215141c4e61524150
SHA256: 036398275a586dc2e7741c95e9e53a066b217aaa93a699e1c10ca70577f6936f
SHA512: 2fef45f865835cb41ee25636c7c36720145d8af68af519e935e902422c8def6a37e516cb91e5366e27ba3f244e7e8b1dabfa6b0d56cd0785c1f5b6df6cab185d

Filesize: 209B
MD5: 42a5e9a735b973505dc297ca767a309b
SHA1: edfade69edf57b706802bb501ac038480687ce02
SHA256: c1c2025a41e2584dece6997badbc958c437828b623886829ad46ea27e273e10f
SHA512: bd6e6bdce8ec6fe8791279e1ac6e06bba6e852a27db52288ec0f2e2878e5ba5e0d60cf533f6a2165ceef7af733f25d99c3ef288f91e1c324054402c28e8402a1

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1.9MB
MD5: 4ba31fe7c90af2148e83fe198cf99d7b
SHA1: bd86eece0e892752950a13282cb323e0775ecae4
SHA256: 196706cf85ccf38343444deecaeaced58faf7c22963fe45aaa8ea9938fe19a0e
SHA512: 79991360ad8d5c8968f2aa4836b3b7b39074c99ad28aa25cc69931c4bdf2115921042d818d4cc319984cfa0ed8a9ee015506f3b4b8c026aeda82c5b03a5328f7

Filesize: 93B
MD5: fb55729d3f331e20fb5c1e5377634743
SHA1: ad5d1b461d7608598e2683d66eeee3c2a38c625f
SHA256: 8603cadb532a5ab019b7f07a2c9652905a459f88c8cfe74d387f0d9594f323c9
SHA512: 2ed609b4ad5d0d9da2d12c12947091e0ce2937a12856d95979a7d2c4248b1d5244e5fc3616d0be8a1fd8febc888eeb0bb6fe08fe38a359ceb2345510645d1870

Filesize: 245B
MD5: dde897c67a0ad3384e01f44658e986d0
SHA1: 51e5a863d22d2305da3d6e82ed2da727a6db5ffa
SHA256: f3ea38d1aea5a693f1b87b3d1152f8a1de82391b34e2061ee0fbb29f2ec6dc57
SHA512: 901990365c1539d432871ef01d36261f537e0928e3afbd93f0833d04355a55464dbe2ca07c59d7d495bb93ad0bf73ed33db748e5856d75941c18f232503c1892

Filesize: 365B
MD5: 4ada0d13c435f631b778e9a184eff177
SHA1: 49f853bff8379e4e11e057d7fe2b6e5b972c78d6
SHA256: db649b7edeff47ab70a17f7df16a8b3381f10301d1e1b882683eab1882892c05
SHA512: e7ea29898224a318690ae7814097f2fa9957fa133d41691b756bf8d53eef30fd4c84493adc6485dad15d55fa3fc5b0713cff5fb1b9e16f4361041fa21256f193

Filesize: 235B
MD5: f59b5f3e1fad8001428ab8a817a3a4b4
SHA1: c73a77ee2a7f1f5d6d2adc54520aa0aa3cf7f7a0
SHA256: 3a2e0600cdd530eba74dd6d59fcae0d034758d4751e6e090b9cec3dd73db917c
SHA512: 73ef6e857d7de67765f600c7021e2a20f302f01934365f6f855ddc08498739a230761e04e1b2d1f97d24b685dbc9d3c86a8ee7a76be984bcbb5ab7a318a613cf

Filesize: 1KB
MD5: 18cd3c457518e309b27cd1caa876f4da
SHA1: 571463a0db7261c16f516b1e9a17f6aa934c8195
SHA256: 24bdbb7671e171fb67e389cbb8357594d227ac851f3545b296c1d7b429f8ac4c
SHA512: 1dcd29d3b8601a2d8ab094b635c5a1150cd2a6779725ca8c023df5f8e481eaa5da47c48b5f45a1cdc96c05f957a5076bb99d5277313d4d4d56fbb15ed9d8605e