Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/01/2025, 02:04
Static task: static1
Behavioral task: behavioral1
- Sample: 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe
- Resource: win10v2004-20241007-en
General
- Target: 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe
- Size: 2.2MB
- MD5: be4ae5e0b545e43608ae6a60ce297871
- SHA1: ded512ee44ed38b7a6541b4e1d797387a27a5d93
- SHA256: 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533
- SHA512: 45aafc3ec5787b1bf143a1d6b9f8ce79447157879c684849486d87a3a7b357862688016809277ff2c9e57a6d06a0613e12009c5a279d07ced4ecc3b3bc9cd0c3
- SSDEEP: 24576:2TbBv5rUyXVoEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObx5:IBJvZ+qwOZFM+aJJbL+iNuuMxoyW29L
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.
- Dcrat family
- Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft\\StartMenuExperienceHost.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default\\Saved Games\\dwm.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default\\Saved Games\\dwm.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\bridge\\SppExtComObj.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default\\Saved Games\\dwm.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\bridge\\SppExtComObj.exe\", \"C:\\msportComWin\\csrss.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default\\Saved Games\\dwm.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\bridge\\SppExtComObj.exe\", \"C:\\msportComWin\\csrss.exe\", \"C:\\msportComWin\\BridgePortsurrogateserverref.exe\"" | BridgePortsurrogateserverref.exe
- Process spawned unexpected child process (18 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  All 18 entries share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2524, Process schtasks.exe and procid_target 90; they differ only in pid: 952, 2904, 692, 848, 4812, 4104, 5032, 636, 1232, 3012, 3096, 3076, 4324, 4360, 2252, 4092, 4644, 4584
- Command and Scripting Interpreter: PowerShell (1 TTPs, 18 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process (all powershell.exe): 4676, 2140, 3476, 1200, 1292, 4028, 3932, 1560, 2272, 3032, 696, 2964, 3736, 4552, 4132, 4256, 4988, 4864
- Checks computer location settings (2 TTPs, 16 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | BridgePortsurrogateserverref.exe (14 entries)
- Executes dropped EXE (14 IoCs)
  pid | Process (all BridgePortsurrogateserverref.exe): 2080, 5508, 2564, 6000, 3336, 6048, 5212, 5504, 4416, 3652, 1984, 3336, 4884, 5552
- Adds Run key to start application (2 TTPs, 12 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\msportComWin\\csrss.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\msportComWin\\csrss.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BridgePortsurrogateserverref = "\"C:\\msportComWin\\BridgePortsurrogateserverref.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Microsoft\\StartMenuExperienceHost.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Saved Games\\dwm.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\bridge\\SppExtComObj.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\bridge\\SppExtComObj.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BridgePortsurrogateserverref = "\"C:\\msportComWin\\BridgePortsurrogateserverref.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Mail\\explorer.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Microsoft\\StartMenuExperienceHost.exe\"" | BridgePortsurrogateserverref.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Saved Games\\dwm.exe\"" | BridgePortsurrogateserverref.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | \??\c:\Windows\System32\CSCFA575140291A4ADF8C8B4E814312586E.TMP | csc.exe
  File created | \??\c:\Windows\System32\ip2t47.exe | csc.exe
- Drops file in Program Files directory (6 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\SppExtComObj.exe | BridgePortsurrogateserverref.exe
  File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\e1ef82546f0b02 | BridgePortsurrogateserverref.exe
  File created | C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe | BridgePortsurrogateserverref.exe
  File created | C:\Program Files (x86)\Microsoft\55b276f4edf653 | BridgePortsurrogateserverref.exe
  File created | C:\Program Files (x86)\Windows Mail\explorer.exe | BridgePortsurrogateserverref.exe
  File created | C:\Program Files (x86)\Windows Mail\7a0fd90576e088 | BridgePortsurrogateserverref.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 9 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process (all PING.EXE): 1644, 4016, 4956, 4148, 5904, 980, 5812, 1296, 2500
- Modifies registry class (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | BridgePortsurrogateserverref.exe (14 entries)
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe
- Runs ping.exe (1 TTPs, 9 IoCs)
  pid | Process (all PING.EXE): 5904, 1644, 2500, 4956, 4148, 980, 5812, 1296, 4016
- Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process (all schtasks.exe): 4324, 4360, 4092, 692, 4812, 5032, 636, 1232, 848, 3076, 2252, 4644, 2904, 3012, 4584, 952, 4104, 3096
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process: 2080 | BridgePortsurrogateserverref.exe (all 64 entries are this same process)
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  description | pid | Process (every entry has description "Token: SeDebugPrivilege")
  Token: SeDebugPrivilege | 2080 | BridgePortsurrogateserverref.exe
  Token: SeDebugPrivilege | powershell.exe: 4132, 4864, 3736, 4028, 2964, 696, 3932, 4256, 3476, 3032, 4676, 1200, 4988, 2140, 2272, 1292, 1560, 4552
  Token: SeDebugPrivilege | BridgePortsurrogateserverref.exe: 5508, 2564, 6000, 3336, 6048, 5212, 5504, 4416, 3652, 1984, 3336, 4884, 5552
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (duplicate entries in the report are collapsed, with their count in parentheses)
  PID 2432 wrote to memory of 5108 | 2432 | 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe | 85 (x3)
  PID 5108 wrote to memory of 872 | 5108 | WScript.exe | 86 (x3)
  PID 872 wrote to memory of 2080 | 872 | cmd.exe | 88 (x2)
  PID 2080 wrote to memory of 2076 | 2080 | BridgePortsurrogateserverref.exe | 95 (x2)
  PID 2076 wrote to memory of 3924 | 2076 | csc.exe | 97 (x2)
  PID 2080 wrote to memory of 1560 | 2080 | BridgePortsurrogateserverref.exe | 113 (x2)
  PID 2080 wrote to memory of 1292 | 2080 | BridgePortsurrogateserverref.exe | 114 (x2)
  PID 2080 wrote to memory of 1200 | 2080 | BridgePortsurrogateserverref.exe | 115 (x2)
  PID 2080 wrote to memory of 4988 | 2080 | BridgePortsurrogateserverref.exe | 116 (x2)
  PID 2080 wrote to memory of 4132 | 2080 | BridgePortsurrogateserverref.exe | 117 (x2)
  PID 2080 wrote to memory of 4256 | 2080 | BridgePortsurrogateserverref.exe | 118 (x2)
  PID 2080 wrote to memory of 4028 | 2080 | BridgePortsurrogateserverref.exe | 119 (x2)
  PID 2080 wrote to memory of 3932 | 2080 | BridgePortsurrogateserverref.exe | 120 (x2)
  PID 2080 wrote to memory of 696 | 2080 | BridgePortsurrogateserverref.exe | 121 (x2)
  PID 2080 wrote to memory of 4864 | 2080 | BridgePortsurrogateserverref.exe | 122 (x2)
  PID 2080 wrote to memory of 4676 | 2080 | BridgePortsurrogateserverref.exe | 123 (x2)
  PID 2080 wrote to memory of 2272 | 2080 | BridgePortsurrogateserverref.exe | 124 (x2)
  PID 2080 wrote to memory of 2964 | 2080 | BridgePortsurrogateserverref.exe | 125 (x2)
  PID 2080 wrote to memory of 2140 | 2080 | BridgePortsurrogateserverref.exe | 126 (x2)
  PID 2080 wrote to memory of 3476 | 2080 | BridgePortsurrogateserverref.exe | 127 (x2)
  PID 2080 wrote to memory of 3032 | 2080 | BridgePortsurrogateserverref.exe | 128 (x2)
  PID 2080 wrote to memory of 4552 | 2080 | BridgePortsurrogateserverref.exe | 129 (x2)
  PID 2080 wrote to memory of 3736 | 2080 | BridgePortsurrogateserverref.exe | 130 (x2)
  PID 2080 wrote to memory of 232 | 2080 | BridgePortsurrogateserverref.exe | 148 (x2)
  PID 232 wrote to memory of 5484 | 232 | cmd.exe | 151 (x2)
  PID 232 wrote to memory of 5904 | 232 | cmd.exe | 152 (x2)
  PID 232 wrote to memory of 5508 | 232 | cmd.exe | 165 (x2)
  PID 5508 wrote to memory of 3268 | 5508 | BridgePortsurrogateserverref.exe | 167 (x2)
  PID 3268 wrote to memory of 5496 | 3268 | cmd.exe | 169 (x2)
  PID 3268 wrote to memory of 980 | 3268 | cmd.exe | 170 (x2)
  PID 3268 wrote to memory of 2564 | 3268 | cmd.exe | 172 (x2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Each entry gives the tree depth, the image path, the PID, the command line, and the signatures the sandbox attached to that process.)

[depth 1] C:\Users\Admin\AppData\Local\Temp\076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe (PID 2432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\WScript.exe (PID 5108)
  Command line: "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 872)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

[depth 4] C:\msportComWin\BridgePortsurrogateserverref.exe (PID 2080)
  Command line: "C:\msportComWin/BridgePortsurrogateserverref.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2076)
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2zqp3myp\2zqp3myp.cmdline"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3924)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D50.tmp" "c:\Windows\System32\CSCFA575140291A4ADF8C8B4E814312586E.TMP"

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1560)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1292)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1200)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4988)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4132)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4256)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4028)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3932)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 696)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4864)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4676)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2272)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2964)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2140)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3476)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3032)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\include\win32\bridge\SppExtComObj.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4552)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3736)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\cmd.exe (PID 232)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFGbDNzCnz.bat"
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\chcp.com (PID 5484)
  Command line: chcp 65001

[depth 6] C:\Windows\system32\PING.EXE (PID 5904)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 6] C:\msportComWin\BridgePortsurrogateserverref.exe (PID 5508)
  Command line: "C:\msportComWin\BridgePortsurrogateserverref.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\System32\cmd.exe (PID 3268)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yRPxJCkWkW.bat"
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\chcp.com (PID 5496)
  Command line: chcp 65001

[depth 8] C:\Windows\system32\PING.EXE (PID 980)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 8] C:\msportComWin\BridgePortsurrogateserverref.exe (PID 2564)
  Command line: "C:\msportComWin\BridgePortsurrogateserverref.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

[depth 9] C:\Windows\System32\cmd.exe (PID 5960)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aqn4VxW4jp.bat"

[depth 10] C:\Windows\system32\chcp.com (PID 5976)
  Command line: chcp 65001

[depth 10] C:\Windows\system32\PING.EXE (PID 5812)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 10] C:\msportComWin\BridgePortsurrogateserverref.exe (PID 6000)
  Command line: "C:\msportComWin\BridgePortsurrogateserverref.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

[depth 11] C:\Windows\System32\cmd.exe (PID 3684)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ghJDzcD21F.bat"

[depth 12] C:\Windows\system32\chcp.com (PID 3712)
  Command line: chcp 65001

[depth 12] C:\Windows\system32\PING.EXE (PID 1296)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 12] C:\msportComWin\BridgePortsurrogateserverref.exe (PID 3336)
  Command line: "C:\msportComWin\BridgePortsurrogateserverref.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

[depth 13] C:\Windows\System32\cmd.exe (PID 4744)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GCUhdmH1So.bat"

[depth 14] C:\Windows\system32\chcp.com (PID 3716)
  Command line: chcp 65001
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1644
-
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin\BridgePortsurrogateserverref.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6048 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat"15⤵PID:4800
-
C:\Windows\system32\chcp.comchcp 6500116⤵PID:1744
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2500
-
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin\BridgePortsurrogateserverref.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5212 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KZMa9uzHOO.bat"17⤵PID:6136
-
C:\Windows\system32\chcp.comchcp 6500118⤵PID:1436
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:5244
-
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin\BridgePortsurrogateserverref.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5504 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7laNmMQDQm.bat"19⤵PID:212
-
C:\Windows\system32\chcp.comchcp 6500120⤵PID:3252
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4956
-
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin\BridgePortsurrogateserverref.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4416 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"21⤵PID:5976
-
C:\Windows\system32\chcp.comchcp 6500122⤵PID:2276
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:4936
-
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin\BridgePortsurrogateserverref.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"23⤵PID:4736
-
C:\Windows\system32\chcp.comchcp 6500124⤵PID:5644
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:5716
-
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin\BridgePortsurrogateserverref.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KZMa9uzHOO.bat"25⤵PID:3000
-
C:\Windows\system32\chcp.comchcp 6500126⤵PID:3104
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:6068
-
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin\BridgePortsurrogateserverref.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3336 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat"27⤵PID:1808
-
C:\Windows\system32\chcp.comchcp 6500128⤵PID:6080
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4016
-
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin\BridgePortsurrogateserverref.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4884 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat"29⤵PID:5176
-
C:\Windows\system32\chcp.comchcp 6500130⤵PID:3248
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4148
-
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin\BridgePortsurrogateserverref.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5552 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"31⤵PID:3536
-
C:\Windows\system32\chcp.comchcp 6500132⤵PID:3640
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:232⤵PID:2256
depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 952

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2904

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 692

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 848

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4812

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4104

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5032

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 636

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1232

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\bridge\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3012

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\include\win32\bridge\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3096

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\bridge\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3076

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\msportComWin\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4324

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\msportComWin\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4360

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\msportComWin\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2252

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 8 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4092

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "BridgePortsurrogateserverref" /sc ONLOGON /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4644

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 5 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4584
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads