Analysis
- max time kernel: 31s
- max time network: 31s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20250207-en
- resource tags: arch:x64 arch:x86 image:win10ltsc2021-20250207-en locale:en-us os:windows10-ltsc 2021-x64 system
- submitted: 09-02-2025 02:04
Behavioral task behavioral1
- Sample: xyz4568/dControl.exe
- Resource: win10v2004-20250207-en
Behavioral task behavioral2
- Sample: xyz4568/dControl.exe
- Resource: win10ltsc2021-20250207-en
General
- Target: xyz4568/dControl.exe
- Size: 447KB
- MD5: 58008524a6473bdf86c1040a9a9e39c3
- SHA1: cb704d2e8df80fd3500a5b817966dc262d80ddb8
- SHA256: 1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
- SHA512: 8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
- SSDEEP: 6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Malware Config
Signatures
Modifies Windows Defender DisableAntiSpyware settings
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"
Modifies Windows Defender TamperProtection settings
- MsMpEng.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "1"
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Modifies security service 2 TTPs 2 IoCs
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "2"
Windows security bypass 2 TTPs 1 IoCs
- MsMpEng.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths
Downloads MZ/PE file 1 IoCs
- flow 42, PID 5224: Process not Found
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
- dControl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe
- dControl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe\Debugger = "C:\\Windows\\System32\\systray.exe"
- dControl.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Windows security modification 2 TTPs 6 IoCs
- dControl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- dControl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus = "1"
Adds Run key to start application 2 TTPs 2 IoCs
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "\"%ProgramFiles%\\Windows Defender\\MSASCuiL.exe\""
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "\"%ProgramFiles%\\Windows Defender\\MSASCuiL.exe\""
Command and Scripting Interpreter: PowerShell
- PID 5600: powershell.exe
Indicator Removal: Clear Persistence
- dControl.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe
Modifies Security services 2 TTPs 6 IoCs
Modifies the startup behavior of a security service.
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "0"
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "3"
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "3"
- dControl.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
yara_rule autoit_exe matches:
- behavioral2/memory/3236-22-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/2228-44-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/4380-134-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/3048-136-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/2056-137-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/3856-537-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/1144-558-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/1144-583-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/3856-581-0x0000000000400000-0x00000000004CD000-memory.dmp
Drops file in System32 directory 16 IoCs
- dControl.exe: File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC\INetCookies
- dControl.exe: File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC
- powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC\INetCache
- dControl.exe: File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC\INetHistory
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC\INetCookies
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC\Temp
- mofcomp.exe: File created C:\Windows\system32\wbem\AutoRecover\D9B050B7A24E09624652E41AC4639DDE.mof
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC\Temp
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC\INetCache
- powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC
- MsMpEng.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\mpeng_844dc954-cec6-49dd-939f-e65533177d55\AC\INetHistory
yara_rule upx matches:
- behavioral2/memory/3236-0-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/3236-22-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/2228-44-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/3048-87-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/4380-134-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/3048-136-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/2056-137-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/3856-537-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/1144-558-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/1144-583-0x0000000000400000-0x00000000004CD000-memory.dmp
- behavioral2/memory/3856-581-0x0000000000400000-0x00000000004CD000-memory.dmp
Drops file in Windows directory 6 IoCs
- MpCmdRun.exe: File opened for modification C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\MpCmdRun.log
- MpCmdRun.exe: File opened for modification C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\MpCmdRun.log
- MpCmdRun.exe: File created C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\MpCmdRun-82-53C9D589-6B66-4F30-9BAB-9A0193B0BAFC.lock
- svchost.exe: File opened for modification C:\Windows\logs\StorGroupPolicy.log
- MpCmdRun.exe: File opened for modification C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\MpCmdRun.log
- MpCmdRun.exe: File created C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\MpCmdRun-82-53C9D589-6B66-4F30-9BAB-9A0193B0BAFC.lock
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- dControl.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- dControl.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- dControl.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- dControl.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- dControl.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- dControl.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- MicrosoftEdgeUpdate.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- dControl.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
- PID 1520: MicrosoftEdgeUpdate.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- MsMpEng.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- MsMpEng.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- MsMpEng.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 2 IoCs
- MsMpEng.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- MsMpEng.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Kills process with taskkill 1 IoCs
- PID 1672: taskkill.exe
- MsMpEng.exe: Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extension Validation
- MsMpEng.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}
- MsMpEng.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extension Validation
- MsMpEng.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 12 IoCs
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}"
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}"
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32\ = "\"%ProgramFiles%\\Windows Defender\\MpOav.dll\""
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32\ = "\"%ProgramFiles%\\Windows Defender\\MpOav.dll\""
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}\InprocServer32\ = "\"%ProgramFiles%\\Windows Defender\\DefenderCSP.dll\""
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}"
- MsMpEng.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}"
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\InprocServer32\ = "\"%ProgramFiles%\\Windows Defender\\ProtectionManagement.dll\""
- MsMpEng.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}"
- MsMpEng.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}"
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 2056: dControl.exe
Suspicious behavior: LoadsDriver 4 IoCs
- PID 676: Process not Found
- PID 2476: MsMpEng.exe
- PID 676: Process not Found
- PID 5140: MsMpEng.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 58 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
- PID 2324: SecHealthUI.exe
Suspicious use of WriteProcessMemory 38 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by parent/child level)
-
C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3236
  C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2228
    C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe" /TI
      - Modifies Windows Defender DisableAntiSpyware settings
      - Modifies Windows Defender TamperProtection settings
      - Modifies security service
      - Event Triggered Execution: Image File Execution Options Injection
      - Windows security modification
      - Indicator Removal: Clear Persistence
      - Modifies Security services
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2056
      C:\Windows\Explorer.exe
        Command line: "C:\Windows\Explorer.exe" C:\Windows\System32\SecurityHealthSystray.exe
        PID: 3012
      C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe" /EXP |3648|
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 3048
      C:\Program Files\Windows Defender\mpcmdrun.exe
        Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
        PID: 4176
      C:\Windows\Explorer.exe
        Command line: "C:\Windows\Explorer.exe" windowsdefender://Threatsettings
        PID: 4436
      C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe" /EXP |3648|3012|
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 4380
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -NoLogo -NoProfile -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring 1
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 5600
      C:\Windows\Explorer.exe
        Command line: "C:\Windows\Explorer.exe" C:\Windows\System32\SecurityHealthSystray.exe
        PID: 2696
      C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe" /EXP |3648|
        - System Location Discovery: System Language Discovery
        PID: 3856
      C:\Program Files\Windows Defender\mpcmdrun.exe
        Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
        PID: 2828
      C:\Windows\Explorer.exe
        Command line: "C:\Windows\Explorer.exe" windowsdefender://Threatsettings
        PID: 856
      C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\xyz4568\dControl.exe" /EXP |3648|2696|
        - System Location Discovery: System Language Discovery
        PID: 1144
C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 3548
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 1292
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  - Drops file in Windows directory
  PID: 5092
C:\Program Files\Windows Defender\MsMpEng.exe
  Command line: "C:\Program Files\Windows Defender\MsMpEng.exe"
  - Modifies Windows Defender TamperProtection settings
  - Windows security bypass
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2476
  C:\Windows\system32\wbem\mofcomp.exe
    Command line: C:\Windows\system32\wbem\mofcomp.exe "C:\Program Files\Windows Defender\ProtectionManagement.mof"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2688
  C:\Windows\system32\taskkill.exe
    Command line: C:\Windows\system32\taskkill.exe /f /FI "MODULES eq protectionmanagement.dll" /IM WmiPrvSE.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 1672
  C:\Program Files\Windows Defender\MpCmdRun.exe
    Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges
    - Suspicious use of WriteProcessMemory
    PID: 5224
    C:\Program Files\Windows Defender\MpCmdRun.exe
      Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
      - Drops file in Windows directory
      PID: 5288
  C:\Program Files\Windows Defender\MpCmdRun.exe
    Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" GetDeviceTicket -AccessKey 170F2644-8CEA-F6A7-B9AA-0FCE89E2128A
    - Drops file in Windows directory
    PID: 5304
  C:\Program Files\Windows Defender\MpCmdRun.exe
    Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
    PID: 5368
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  PID: 3968
  C:\Windows\System32\SecurityHealthSystray.exe
    Command line: "C:\Windows\System32\SecurityHealthSystray.exe"
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 8
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 5032
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
  - Suspicious use of SetWindowsHookEx
  PID: 2324
C:\Windows\System32\SecurityHealthHost.exe
  Command line: C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
  PID: 1872
C:\Windows\System32\SecurityHealthHost.exe
  Command line: C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
  PID: 2024
C:\Windows\System32\SecurityHealthHost.exe
  Command line: C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
  PID: 640
C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 1148
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [ping argument not present on the page]
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID: 1520
C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 5956
C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 4440
C:\Program Files\Windows Defender\MsMpEng.exe
  Command line: "C:\Program Files\Windows Defender\MsMpEng.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5140
  C:\Program Files\Windows Defender\MpCmdRun.exe
    Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges
    - Suspicious use of WriteProcessMemory
    PID: 5436
    C:\Program Files\Windows Defender\MpCmdRun.exe
      Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
      - Drops file in Windows directory
      PID: 5236
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  PID: 4504
  C:\Windows\System32\SecurityHealthSystray.exe
    Command line: "C:\Windows\System32\SecurityHealthSystray.exe"
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 5236
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 5240
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Impair Defenses (5)
  - Disable or Modify Tools (4)
- Indicator Removal (1)
  - Clear Persistence (1)
- Modify Registry (8)
Downloads
-
C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\43E7A5B1-0000-0000-0000-D08302000000-0.bin
Filesize: 312KB
MD5: 1c82bb26d5b5d7def813ee93a991777f
SHA1: dfd634f3db70d9fd99f3a570109a294117833ca2
SHA256: e02ebcf88f70d5e173746efe64db122e768d61f797584bd3de57bc3ae5bb4d24
SHA512: 64c7c96c96eecad9eaaf086d9f9ef667324beb21fe723ded915e2c84b6237aefdf67f0400fee334533809ebe61b622b3726a3f9ace25d6c56b0c46eecd368303
-
Filesize: 376B
MD5: dc4fc41b5007f11496b5eac614751b81
SHA1: 94539b79a63dac0895be08f5e9baa4be47070d1c
SHA256: a05267bd886213d0565d19b89aec4192736d814e89efcf0ec76fd5d18e0802ba
SHA512: 662fad11d7224396b1d75aa8bfd29bd91b68d23b08fe022d8146668781a2c8ed0b3ab336f6dbe6df657a6e9027201b2b27f73a27f1c69a4fee5644baa537b213
-
Filesize: 101KB
MD5: 1e30c694410f9ea55c87a3b6e221b881
SHA1: bcf6110a9588c99849219044b103fd8d63c52787
SHA256: cba23cca92a404d32a1bf0b5f6576f6c10117c9bd535cf06954069b15428f490
SHA512: c00e1eaec640ded07b76db3d91c9119170030c7a66893a87f471436fd6bda4c008d78674603dd7a6f966fc8042a4022a2e872a57e797b505508991d351ba6570
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin
Filesize: 11.8MB
MD5: f38ab17ddbac2b614e08c6b63a8a71d0
SHA1: fd0e6a3b971a2cf512c6611a98116e000fa16867
SHA256: 39ef0f22177186978d44d2870746d424c67848fa2555b32addf955d481839671
SHA512: a623b0ef72fe393848157fe34f928cde5dbebac933ea94203ea109dfcb1df4aa763f39ae52de0b639e30608e2e50c892872aceb725ff4cf07128d5abb1cbe179
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin.5B
Filesize: 3.3MB
MD5: 8f18699a95413c4bf34e676ede86fa9e
SHA1: e3b2e8cdd365f36c71a01bd28f69a55e9435b484
SHA256: c74b78786313f0971e1de045a3c08fee9f4ff66842a0308439b7e1ae7afe6ffb
SHA512: acded2bd7fb979a70f5b24063816cb51c1054791c6a1e44ea15149057fa7497ba6e7b2d56f458b2c6d91e338eb2ef9a675456110e04297d130edfa3dc68f9b42
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin.67
Filesize: 44.7MB
MD5: 8249fd17d9d087c24d5be11b53fd0ef6
SHA1: 4b6a8e4fe59f8625dc11ef78b0ef105527001fb4
SHA256: 7481ddd56b1d50d1d5c47d99775a49df865eb0ea619788c827c53ed9408bea71
SHA512: 7e296b29cb5d78275ee390b61c864346c843e7bd7d4af78c45e1999b14c85d2de537eda4a04c2741681dedb0b019dd9beb2e923486be655dbb703aebc2502b09
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin.6C
Filesize: 4.4MB
MD5: 2fc6bd428f0bd35aebb1462a74eadffe
SHA1: 2bfce9882701f24c61f73fce8da2392e3d4c0cc4
SHA256: ed4452ada5d6a51ab38de76cff422ac06e19a0f6208876d7662957c237582c29
SHA512: 6166bc1454fcb76ac0450d004c616b444caaa2eb634b1f9001b48ee243aaf5f3e2690a5ad5845e9b89f5cb181d0330d33dbbb8ee5f3290c6c91c74242b9c58e5
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin.7C
Filesize: 7.3MB
MD5: 008fee28030689af683d23d2c838281f
SHA1: 13ec20022014c756a065fe03b1ca2fd7e6728321
SHA256: 034c2b4ff126d271ef8e05c0f6bd81e8d2ddd14df6443f04fae40641ca4a3fbf
SHA512: 2904dfbfbd827b1b54a7c9dae9a594515694acce91964a33e38bfebb867e4858340735da8eea150941c1efd767339a96d2807272df3deaefe800ae7809b05120
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin.7E
Filesize: 12.1MB
MD5: 7f0f698fbea8209d082d1547b765f132
SHA1: d3cab0938c7a370134dc7cfffa2ad2189c14108a
SHA256: aa0dafdc44187471b3b1fe0e8be74712fecbad1a4bc4917c33c53a546bf1364f
SHA512: c98851fb32a8811bc0766cc377660c1fbbcbc1e18f304b3235cefb0afaf50f4b08c76dd208a6bb1f645e13febc9daa6ce1895eeb5f2d332c9bab0ac19d61f709
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin.80
Filesize: 20.0MB
MD5: 34772a935f17d35bdc99a3962d002cc9
SHA1: 078a14c461e19033302be766787029abdd0833e0
SHA256: 359220aaf394dfec52c50dce7c1d1b42a7e1d010e174679d4319c947b39ad4bb
SHA512: d8e0d9d2d26d8b087e4d8c9d98e67e98fe4f1f6371f16bd4ef93cf8ac9c5e30d3330cd6a3cbd5f214c94c1c8200e1560019458294c7d6ba88ad361f3134312c3
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin.83
Filesize: 1.9MB
MD5: f1bea8e2e617ecc6a9b8b9e2ed45d22b
SHA1: 77c6f19ce46d0e4d3a5ebdcd4684d34c51f7660d
SHA256: 3177e460d2e234def03216941cc2e262ec1ebd363f29de80ceed45be9992099a
SHA512: fc4e24a6397e7c2b02f1ab595051fd0d7484406ae1465e8008c70d21f1424c848edc17899efc3e200a98105deeaa95fd1649f29fbc834d73391efd213cf1f41d
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin.87
Filesize: 2.2MB
MD5: 396e37ca76f750c6362bcd0bdd0b80cf
SHA1: 92699ab36c5f7a0f6a88c9a9cd93a0b290aff57b
SHA256: ee45ea18c56ac56b20b031d818c9cbc8cecc7a863291ffb2453cc20e465d603f
SHA512: 79e1421567a395acd738458e1d80d97a8ad1e1e3af86a173fa7816e0440c59441b79097dfbc9730d7e051b612f57c3fc3479005f0e9cedf5936cd751bc955423
-
C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C8025B016BA80092F8D2B2278EDB2D28B0DEF151.bin.A0
Filesize: 10.1MB
MD5: 9bb782de259d8c1fdcc10e131e11f8b1
SHA1: 9384c27c4cf293d69f6fa210a5f2f47fcda31cc1
SHA256: c7483ab929f369e20abb0f8fc9e408ff2c39c38b895b40587dc37596de9b5462
SHA512: 5ac2ae9e7e673fec870a10a78ebbe7f23b91196f956e43892f910e4bd34bf30e65570f64e57b4b99234a6227789cf823fd973caaa13b8c8a1b31419a97959f18
-
Filesize: 212KB
MD5: 1ced054bcc15efadcd725a46c0e3c2c6
SHA1: de388b0be384719f32750aa99d27156b9423497e
SHA256: 565a4a6838fe69add6fa2856c86b792d52cf9e8b37ed2867883780dfa2b49d61
SHA512: 3534bf679c5856cd5c4bcfe4b3e447e03c31bb763e09b60bb4e77f1214e3006be0340f1077cb3c1ad8b1ac93f0f385d45e6646fece700c9425ca69ca5841e0cf
-
Filesize: 213KB
MD5: b34dc8d4d60a0669e88c69adbd72ec6a
SHA1: 241786ff49a99deeb65c77c5428299e4a2a0f48a
SHA256: a5103bcc018e7e27592bf2b7bc000d8a80d823c19b0e10cab3a4c1730282664e
SHA512: cef17644527ffac95314b8011b45ad6cbb9c2d749cec9860c5710340487bae586e99ed8b9a45b36a62e39c97b6bf8bf562aa680eb287e7cc67c4fe60425faf11
-
Filesize: 592B
MD5: 1b7a774c081242baffca05ead5447bd6
SHA1: 9de065abe96da55e88a3045ab2c5e38983b88f6e
SHA256: 22ae8345d94ccea874a542196e82e235df49454a841e8c619b64144fe1207b07
SHA512: 2e76d603e17fd9bda083bb7edd794bea182b2bdb83b7cd84a3fde66d3cb2c2204373ee6e58725b02992c3b3c81511d76ee3d1b83cd34292586831cec560937ca
-
Filesize: 19KB
MD5: 9b9e1776fb518d69bac7602c35ced6bc
SHA1: b92a1d0047d3e97c7ac7bdb38e3136c37c0ed891
SHA256: a03fcde19d2f18919545b6c60732a1c264b89eded34739691076e5c0df902a6c
SHA512: f7c7d3d83564f7d77c58246d459fa9275236600268bb364b308b6c3acf4b0fdde4e56b0eeceee614151333f0d2caba343e57b471ea6405f3a0373661c50fca88
-
Filesize: 112B
MD5: cc1956feca6f77955d50a06bc9eb8d75
SHA1: 64037d5e48ae248ba26c81b28851ca1b0b7b49d1
SHA256: a4140c5062c7b82047b57819c950c20469a8bc507dfe8ddff5c3b229520beca3
SHA512: c12ec32767335f42dacea233c0a1d75ca7dcdbfb278ddae93a8061b849aee52eef445c27fed0fb78128ec4a2a5b04f20c097ca6dfaf0e054ee0d9d518d272f72
-
Filesize: 37KB
MD5: f156a4a8ffd8c440348d52ef8498231c
SHA1: 4d2f5e731a0cc9155220b560eb6560f24b623032
SHA256: 7c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842
SHA512: 48f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170
-
Filesize: 1KB
MD5: 9aaef4f98b99a8df1af5dfe6697cb4e3
SHA1: 3ef6e08fb9e75370ddf3e42f2615ff5d01eb84a8
SHA256: 2b5788c060d774a23518e147bcb3a92b72ea0757b89f27e89665b6b1ac2c9c25
SHA512: 8a4baeba4a8858ec33fea16fbd122a4652e09df80c30cdeec276d7b5652567a85f3fbf2bb3b89a0d0dc98ac0e97bcda4174267c34ca4395a544faa5de606a7ed
-
Filesize: 3KB
MD5: b7586d1d62178875aafc7a763896ec46
SHA1: f45918d69053ce2ee0cb6a580e121cc0ea562fb2
SHA256: b94af4dddfd230fc979858e64c00881aff3e64827a9181f7e5b7da0be48183a6
SHA512: c8cb4c3c9bd29b6c3645f38e5c06c9e2a66c928002f757d13da096325f32c3b7605e222377a337ccd9b6e9229216ef1f41f98750c48225b6e1e2ea0f58559629
-
Filesize: 160B
MD5: 58f8eb09a822c09fc11f5a42baae36f1
SHA1: 9e7063eeee62c8588e0020bef3a116e9379966aa
SHA256: 6509c7fc4fa70391399831bbc3d66206d3f6f8f2bb20ffcac4e04844861d733a
SHA512: 53806780934bd86bb032ee4a515dfc0e8464a5ecc5f4c8c593304fcd969c1058d443bdec54e7ae21469adb942b16693cc9eaf997217adc69d3618ab0ec99dc1e
-
Filesize: 233B
MD5: cd4326a6fd01cd3ca77cfd8d0f53821b
SHA1: a1030414d1f8e5d5a6e89d5a309921b8920856f9
SHA256: 1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c
SHA512: 29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67
-
Filesize: 2KB
MD5: ae3a623ac0bdc4ad4db895b2e5d99760
SHA1: 94be442725b2b79abbd3ce8a61e1aab4490ede57
SHA256: 55a55a204d348b3c5533fc9a6338b618cfba4e74960baa259f2dcb6f2e267b86
SHA512: 1cc812b0900b41acf12d7ebb6de089a4cf4713d4817f3130e868f5f9dea847593f3f0f46761ff8a37a63124b5e688a9f1c5a91cc58bc6414630161063a5ee1ed
-
Filesize: 3KB
MD5: b7424c4485d8231b66cdf9bd90e98b53
SHA1: 5380dcf464d054fba169aa97a2e0c6f7292f3aff
SHA256: 26542b7159ced8169dcda9b63f1c45460bea93e3a59fb519738f2b93442347cc
SHA512: c92c7403ddd97db5be396bdb0122c0a845a956eadcff979539829d6f784e6dc04dfb6a280bc3fc308edbf47d3be5039da2a14bf2175aa113f8302239c7ce2282
-
Filesize: 4KB
MD5: 18a75ba49fbcd9f01ea45661f45e6df7
SHA1: 5ce4414d7361fef15bcdb20dc45bff86f402a44c
SHA256: c1ff0d575f3f105fb74c39d67887e7e2c0438875ccecc8dceaae2cbb87b3d971
SHA512: 19265f9d631ab4f0445fc91d988025eaa059fc5f900fee0a64a78e639a6411d70bbc399a51c876d4232c0fe085c6d76d51ab94779ff15b5856ae42cc88d965cb
-
Filesize: 5KB
MD5: 6b33e0e18422e0ad7f6f0eafbfcce836
SHA1: b4a8bc93fa7a5a9d5b7bd90b4c00f3799d534240
SHA256: 37ecd765c9622157bf422e1f36c5650b86fda3d34b36a38676e75845be537752
SHA512: ce5bbb87f29d0271398262b5465347d3ac16c6157a3d1d37c7ffcff0e9ff483394e1e8ef46f6a4536325acbb53c99a2a60bd5c4cf2308b955db47ce5773259f5
-
Filesize: 37KB
MD5: 1f8c95b97229e09286b8a531f690c661
SHA1: b15b21c4912267b41861fb351f192849cca68a12
SHA256: 557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152
SHA512: 0f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186
-
Filesize: 37KB
MD5: 3bc9acd9c4b8384fb7ce6c08db87df6d
SHA1: 936c93e3a01d5ae30d05711a97bbf3dfa5e0921f
SHA256: a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79
SHA512: f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 14KB
MD5: 9d5a0ef18cc4bb492930582064c5330f
SHA1: 2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8
SHA256: 8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3
SHA512: 1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4
-
Filesize: 12KB
MD5: efe44d9f6e4426a05e39f99ad407d3e7
SHA1: 637c531222ee6a56780a7fdcd2b5078467b6e036
SHA256: 5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366
SHA512: 8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63
-
Filesize: 7KB
MD5: ecffd3e81c5f2e3c62bcdc122442b5f2
SHA1: d41567acbbb0107361c6ee1715fe41b416663f40
SHA256: 9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5
SHA512: 7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76