Analysis
-
max time kernel
99s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22/11/2024, 11:29
Behavioral task
behavioral1
Sample
8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe
Resource
win10v2004-20241007-en
General
-
Target
8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe
-
Size
952KB
-
MD5
41ccbb9f4e1b3b8acbe42f57842a6ab9
-
SHA1
777288aa34f632b9279a0ef0ef571ed8c32f6ede
-
SHA256
8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88
-
SHA512
b1030ff32bea991d7d1ce92fb6eebdeefb2637cc808becc73ff511112c8079cc7228891ab217d51953b22b768c339eaafe6052a6ba1b3b74fb78c6997d8c27e9
-
SSDEEP
24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXe:x8/KfRTKQ
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\", \"C:\\Windows\\System32\\wiaaut\\lsass.exe\", \"C:\\Windows\\System32\\wimgapi\\fontdrvhost.exe\", \"C:\\Windows\\System32\\msxml6r\\dllhost.exe\", \"C:\\Windows\\System32\\SystemSupportInfo\\SppExtComObj.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\", \"C:\\Windows\\System32\\wiaaut\\lsass.exe\", \"C:\\Windows\\System32\\wimgapi\\fontdrvhost.exe\", \"C:\\Windows\\System32\\msxml6r\\dllhost.exe\", \"C:\\Windows\\System32\\SystemSupportInfo\\SppExtComObj.exe\", \"C:\\Windows\\HelpPane\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\RuntimeBroker.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and 
Settings\\sppsvc.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\", \"C:\\Windows\\System32\\wiaaut\\lsass.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\", \"C:\\Windows\\System32\\wiaaut\\lsass.exe\", 
\"C:\\Windows\\System32\\wimgapi\\fontdrvhost.exe\", \"C:\\Windows\\System32\\msxml6r\\dllhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\", \"C:\\Windows\\System32\\wiaaut\\lsass.exe\", \"C:\\Windows\\System32\\wimgapi\\fontdrvhost.exe\", \"C:\\Windows\\System32\\msxml6r\\dllhost.exe\", \"C:\\Windows\\System32\\SystemSupportInfo\\SppExtComObj.exe\", 
\"C:\\Windows\\HelpPane\\explorer.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\", \"C:\\Windows\\System32\\wiaaut\\lsass.exe\", \"C:\\Windows\\System32\\wimgapi\\fontdrvhost.exe\", \"C:\\Windows\\System32\\msxml6r\\dllhost.exe\", \"C:\\Windows\\System32\\SystemSupportInfo\\SppExtComObj.exe\", \"C:\\Windows\\HelpPane\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Pictures\\TrustedInstaller.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\", \"C:\\Windows\\System32\\wiaaut\\lsass.exe\", \"C:\\Windows\\System32\\wimgapi\\fontdrvhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, 
\"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Windows\\sysmon\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\settings\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe -
Process spawned unexpected child process 16 IoCs
This typically indicates that the parent process was compromised via an exploit or a malicious macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4164 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3184 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3684 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3716 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4884 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4184 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1168 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1436 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 516 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4208 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2944 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4100 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2352 2216 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4192 2216 schtasks.exe 82 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe -
resource yara_rule behavioral2/memory/2396-1-0x0000000000AA0000-0x0000000000B94000-memory.dmp dcrat behavioral2/files/0x000a000000023b79-20.dat dcrat behavioral2/files/0x000e000000023b80-73.dat dcrat behavioral2/files/0x0033000000023b75-84.dat dcrat behavioral2/files/0x000c000000023b81-95.dat dcrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe -
Executes dropped EXE 3 IoCs
pid Process 3888 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 4844 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 4316 dllhost.exe -
Adds Run key to start application 2 TTPs 32 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\wiaaut\\lsass.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\dtsh\\SppExtComObj.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\sysmon\\explorer.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\settings\\dllhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\RuntimeBroker.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\RuntimeBroker.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\settings\\dllhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\wiaaut\\lsass.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\SystemSupportInfo\\SppExtComObj.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\HelpPane\\explorer.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Default\\Pictures\\TrustedInstaller.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\wimgapi\\fontdrvhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\msxml6r\\dllhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\SystemSupportInfo\\SppExtComObj.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\msxml6r\\dllhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\sysmon\\explorer.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\"" 
8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\HelpPane\\explorer.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\7-Zip\\Lang\\TextInputHost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Google\\Temp\\sihost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\wimgapi\\fontdrvhost.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Default\\Pictures\\TrustedInstaller.exe\"" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe -
Drops file in System32 directory 20 IoCs
description ioc Process File opened for modification C:\Windows\System32\dtsh\RCX7A19.tmp 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\settings\dllhost.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\wiaaut\lsass.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\System32\wiaaut\lsass.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\System32\msxml6r\dllhost.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\System32\SystemSupportInfo\SppExtComObj.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\dtsh\SppExtComObj.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\msxml6r\dllhost.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\msxml6r\5940a34987c99120d96dace90a3f93f329dcad63 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\SystemSupportInfo\SppExtComObj.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\System32\dtsh\RCX7A18.tmp 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\System32\settings\dllhost.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\settings\5940a34987c99120d96dace90a3f93f329dcad63 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\wiaaut\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\wimgapi\fontdrvhost.exe 
8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\System32\wimgapi\fontdrvhost.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\dtsh\e1ef82546f0b02b7e974f28047f3788b1128cce1 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\wimgapi\5b884080fd4f94e2695da25c503f9e33b9605b83 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\System32\SystemSupportInfo\e1ef82546f0b02b7e974f28047f3788b1128cce1 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\System32\dtsh\SppExtComObj.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\Google\Temp\sihost.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Program Files\7-Zip\Lang\TextInputHost.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Program Files (x86)\Windows Defender\de-DE\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX7C2D.tmp 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Program Files (x86)\Google\Temp\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Program Files (x86)\Google\Temp\sihost.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Program Files\7-Zip\Lang\TextInputHost.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Program Files\7-Zip\Lang\22eafd247d37c30fed3795ee41d259ec72bb351c 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX7CAB.tmp 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File 
created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\sysmon\explorer.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\HelpPane\explorer.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\HelpPane\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\HelpPane\explorer.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\sysmon\explorer.exe 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File created C:\Windows\sysmon\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\sysmon\RCX7ECF.tmp 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe File opened for modification C:\Windows\sysmon\RCX7F4D.tmp 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware to establish persistence or to perform post-infection execution.
pid Process 4884 schtasks.exe 1436 schtasks.exe 516 schtasks.exe 4100 schtasks.exe 4192 schtasks.exe 3184 schtasks.exe 3716 schtasks.exe 4184 schtasks.exe 1168 schtasks.exe 4164 schtasks.exe 3684 schtasks.exe 1656 schtasks.exe 2944 schtasks.exe 2352 schtasks.exe 1552 schtasks.exe 4208 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2396 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 3888 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 4844 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 4844 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 4844 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 4844 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 4844 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2396 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Token: SeDebugPrivilege 3888 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Token: SeDebugPrivilege 4844 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Token: SeDebugPrivilege 4316 dllhost.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2396 wrote to memory of 3888 2396 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 92 PID 2396 wrote to memory of 3888 2396 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 92 PID 3888 wrote to memory of 4844 3888 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 97 PID 3888 wrote to memory of 4844 3888 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 97 PID 4844 wrote to memory of 3732 4844 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 107 PID 4844 wrote to memory of 3732 4844 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe 107 PID 3732 wrote to memory of 2984 3732 cmd.exe 109 PID 3732 wrote to memory of 2984 3732 cmd.exe 109 PID 3732 wrote to memory of 4316 3732 cmd.exe 110 PID 3732 wrote to memory of 4316 3732 cmd.exe 110 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe "C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe" 1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe "C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe" 2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe "C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe" 3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4844 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e0hKMR8rXX.bat" 4⤵
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 5⤵ PID:2984
-
-
C:\Windows\System32\msxml6r\dllhost.exe "C:\Windows\System32\msxml6r\dllhost.exe" 5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4316
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\dtsh\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\sysmon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\settings\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\wiaaut\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\wimgapi\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\msxml6r\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\SystemSupportInfo\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\HelpPane\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default\Pictures\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
Filesize
952KB
MD52b18fa2331e7384237799d480b482cc8
SHA1ec6b378f43a468e600668b6556545f6d0344e8de
SHA25694cfe19c17e06ba5fd4ba2ab354036dcb41433908cb114688709c24813619d0d
SHA512d9da31bccb6e0ded5355333c0cfa571931322feb6db1e22fefff99c9ec02c303db3c88a3a658aeabdf14f785effd71475e836a785ba8ce43be896fd674b749ab
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe.log
Filesize1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
203B
MD57561861a3b011bdaf75f800d929df2cf
SHA116f6b11a5f94c09d40675baae6efbb4681d2d2c5
SHA2563418fcf87c308cc413692a468833b191459d7665d1c80b0e4ab04d68c91833f3
SHA512902476043a8f124210aba5139bd58f221e5e557a9188ea4eb0b00a59426525d1b8877cf5bb700110ee5e3674f2acd87e42e7bd9da82fc4ccf3aa1e63d1e0fcd7
-
Filesize
952KB
MD5b39877034a1b442c2c2011fc0e7622c9
SHA14a7af69610839f93306a3c9864393a08cb07f0c0
SHA2567186d7fd6a306bf00048322bcfb0b57a3c4592436880712e87f3fe9fbcdfdd7c
SHA512739afe5f03d0506615e959f739f9becbb7ca90a7531eb13413c37cded444a7e5df1a6c4e4ad8de54d0e665a7fb4d88a82b2b773197572eadea42cc372df1c696
-
Filesize
952KB
MD541ccbb9f4e1b3b8acbe42f57842a6ab9
SHA1777288aa34f632b9279a0ef0ef571ed8c32f6ede
SHA2568437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88
SHA512b1030ff32bea991d7d1ce92fb6eebdeefb2637cc808becc73ff511112c8079cc7228891ab217d51953b22b768c339eaafe6052a6ba1b3b74fb78c6997d8c27e9
-
Filesize
952KB
MD57a5d7a8a7908fb824c5d6dae7159e0a7
SHA16d909ea93d92d04aa9a2e7c220320479da886380
SHA2561742a2487d0a2ed20d55afac0c5c4761c01a083b87aaacddb36988d197abd086
SHA5123915800e172bfd426560bf6ccc15cfce879452067a1920f99b50d9654f6ecf56823e3722d54979783db7fe8e93a518f2b58f577b5505b785058251303cb18eb5