a57ca30a0476b5bb0ee6f2c36847f10e2b45ca7d9b9524ced8fb3b446ddf209e

Analysis

max time kernel
524s
max time network
527s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 01:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

crack.exe
Size

4.7MB
MD5

41929bd3f1565b43b664347be56859b1
SHA1

9674fe491ea7d210480712391512c3aa22c17ad0
SHA256

a57ca30a0476b5bb0ee6f2c36847f10e2b45ca7d9b9524ced8fb3b446ddf209e
SHA512

322fb52eeee96e430afc1706d2424a39a20b0e7d48aea6a3d4b0d66fa29e702344ef1b313434a5ef7c4f91dc68b97d70917a7b5d4351ec2a8818ac79ca05930d
SSDEEP

98304:kNdNLvODgjKiypj3IvuIU9b/zMS9HucDB8Lenvg3ie19Oou2sVYUb:k9LvOD9p0vuVbrr9HTqav09O8sa

Score

8^/10

execution persistence upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2608	powershell.exe
2008	powershell.exe
1812	powershell.exe
2432	powershell.exe
492	powershell.exe
2728	powershell.exe
2508	powershell.exe
1496	powershell.exe
2920	powershell.exe
3028	powershell.exe
2176	powershell.exe
1640	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2736	BootstrapperNew.exe
1396	Process not Found
2316	svchost.exe
2620	svchost.exe
1620	svchost.exe
1224	svchost.exe
2156	svchost.exe
1040	svchost.exe
1388	svchost.exe
2520	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2532	crack.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	Antimalware Service Executable - Copy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OpenGL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OpenGL.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OpenGL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OpenGL.exe"	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120fd-6.dat	upx
behavioral1/memory/2944-9-0x0000000000A50000-0x0000000000B08000-memory.dmp	upx
behavioral1/files/0x00070000000193f7-11.dat	upx
behavioral1/memory/1624-21-0x0000000000F30000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/2520-104-0x0000000001080000-0x000000000112E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1536	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2484	schtasks.exe
1224	schtasks.exe
2892	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2944	Antimalware Service Executable - Copy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2608	powershell.exe
2008	powershell.exe
1496	powershell.exe
1812	powershell.exe
3028	powershell.exe
2920	powershell.exe
2432	powershell.exe
2176	powershell.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
2316	svchost.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	Antimalware Service Executable - Copy.exe
Token: SeDebugPrivilege	1624	svchost.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2944	Antimalware Service Executable - Copy.exe
Token: SeDebugPrivilege	1624	svchost.exe
Token: SeDebugPrivilege	2316	svchost.exe
Token: SeDebugPrivilege	2620	svchost.exe
Token: SeDebugPrivilege	1620	svchost.exe
Token: SeDebugPrivilege	1224	svchost.exe
Token: SeDebugPrivilege	2156	svchost.exe
Token: SeDebugPrivilege	1040	svchost.exe
Token: SeDebugPrivilege	1388	svchost.exe
Token: SeDebugPrivilege	2520	svchost.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2520	svchost.exe
Token: SeShutdownPrivilege	2928	shutdown.exe
Token: SeRemoteShutdownPrivilege	2928	shutdown.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2944	Antimalware Service Executable - Copy.exe
1624	svchost.exe
2520	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2944	2532	crack.exe	29
PID 2532 wrote to memory of 2944	2532	crack.exe	29
PID 2532 wrote to memory of 2944	2532	crack.exe	29
PID 2532 wrote to memory of 1624	2532	crack.exe	30
PID 2532 wrote to memory of 1624	2532	crack.exe	30
PID 2532 wrote to memory of 1624	2532	crack.exe	30
PID 2532 wrote to memory of 2736	2532	crack.exe	31
PID 2532 wrote to memory of 2736	2532	crack.exe	31
PID 2532 wrote to memory of 2736	2532	crack.exe	31
PID 2944 wrote to memory of 2608	2944	Antimalware Service Executable - Copy.exe	32
PID 2944 wrote to memory of 2608	2944	Antimalware Service Executable - Copy.exe	32
PID 2944 wrote to memory of 2608	2944	Antimalware Service Executable - Copy.exe	32
PID 1624 wrote to memory of 2008	1624	svchost.exe	34
PID 1624 wrote to memory of 2008	1624	svchost.exe	34
PID 1624 wrote to memory of 2008	1624	svchost.exe	34
PID 2944 wrote to memory of 1496	2944	Antimalware Service Executable - Copy.exe	36
PID 2944 wrote to memory of 1496	2944	Antimalware Service Executable - Copy.exe	36
PID 2944 wrote to memory of 1496	2944	Antimalware Service Executable - Copy.exe	36
PID 1624 wrote to memory of 1812	1624	svchost.exe	38
PID 1624 wrote to memory of 1812	1624	svchost.exe	38
PID 1624 wrote to memory of 1812	1624	svchost.exe	38
PID 2944 wrote to memory of 2920	2944	Antimalware Service Executable - Copy.exe	40
PID 2944 wrote to memory of 2920	2944	Antimalware Service Executable - Copy.exe	40
PID 2944 wrote to memory of 2920	2944	Antimalware Service Executable - Copy.exe	40
PID 1624 wrote to memory of 3028	1624	svchost.exe	41
PID 1624 wrote to memory of 3028	1624	svchost.exe	41
PID 1624 wrote to memory of 3028	1624	svchost.exe	41
PID 2944 wrote to memory of 2432	2944	Antimalware Service Executable - Copy.exe	44
PID 2944 wrote to memory of 2432	2944	Antimalware Service Executable - Copy.exe	44
PID 2944 wrote to memory of 2432	2944	Antimalware Service Executable - Copy.exe	44
PID 1624 wrote to memory of 2176	1624	svchost.exe	46
PID 1624 wrote to memory of 2176	1624	svchost.exe	46
PID 1624 wrote to memory of 2176	1624	svchost.exe	46
PID 2944 wrote to memory of 2484	2944	Antimalware Service Executable - Copy.exe	48
PID 2944 wrote to memory of 2484	2944	Antimalware Service Executable - Copy.exe	48
PID 2944 wrote to memory of 2484	2944	Antimalware Service Executable - Copy.exe	48
PID 1624 wrote to memory of 1224	1624	svchost.exe	51
PID 1624 wrote to memory of 1224	1624	svchost.exe	51
PID 1624 wrote to memory of 1224	1624	svchost.exe	51
PID 1564 wrote to memory of 2316	1564	taskeng.exe	54
PID 1564 wrote to memory of 2316	1564	taskeng.exe	54
PID 1564 wrote to memory of 2316	1564	taskeng.exe	54
PID 1564 wrote to memory of 2620	1564	taskeng.exe	55
PID 1564 wrote to memory of 2620	1564	taskeng.exe	55
PID 1564 wrote to memory of 2620	1564	taskeng.exe	55
PID 1564 wrote to memory of 1620	1564	taskeng.exe	56
PID 1564 wrote to memory of 1620	1564	taskeng.exe	56
PID 1564 wrote to memory of 1620	1564	taskeng.exe	56
PID 1564 wrote to memory of 1224	1564	taskeng.exe	57
PID 1564 wrote to memory of 1224	1564	taskeng.exe	57
PID 1564 wrote to memory of 1224	1564	taskeng.exe	57
PID 1564 wrote to memory of 2156	1564	taskeng.exe	58
PID 1564 wrote to memory of 2156	1564	taskeng.exe	58
PID 1564 wrote to memory of 2156	1564	taskeng.exe	58
PID 1564 wrote to memory of 1040	1564	taskeng.exe	59
PID 1564 wrote to memory of 1040	1564	taskeng.exe	59
PID 1564 wrote to memory of 1040	1564	taskeng.exe	59
PID 1564 wrote to memory of 1388	1564	taskeng.exe	60
PID 1564 wrote to memory of 1388	1564	taskeng.exe	60
PID 1564 wrote to memory of 1388	1564	taskeng.exe	60
PID 1624 wrote to memory of 2176	1624	svchost.exe	62
PID 1624 wrote to memory of 2176	1624	svchost.exe	62
PID 1624 wrote to memory of 2176	1624	svchost.exe	62
PID 1624 wrote to memory of 1884	1624	svchost.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\crack.exe
"C:\Users\Admin\AppData\Local\Temp\crack.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Antimalware Service Executable - Copy.exe
  "C:\Users\Admin\AppData\Local\Antimalware Service Executable - Copy.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Antimalware Service Executable - Copy.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Antimalware Service Executable - Copy.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2484
- C:\Users\Admin\AppData\Local\svchost.exe
  "C:\Users\Admin\AppData\Local\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OpenGL.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OpenGL.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OpenGL" /tr "C:\Users\Admin\AppData\Local\Temp\OpenGL.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1224
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "OpenGL"
    3⤵
    PID:2176
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF41.tmp.bat""
    3⤵
    PID:1884
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1536
- C:\Users\Admin\AppData\Local\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:2736

C:\Windows\system32\taskeng.exe
taskeng.exe {0A3870A4-629D-42D4-8248-6A0CD9A600BE} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OpenGL.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OpenGL.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OpenGL" /tr "C:\Users\Admin\AppData\Local\Temp\OpenGL.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2892
- - C:\Windows\system32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Antimalware Service Executable - Copy.exe

Filesize
680KB

MD5
a454cd81429157b1192708c6d76e2fb8

SHA1
72d9ff61caf4a11ac9e4a989cb8b1d0b582e4b67

SHA256
6fff9132b72d3444ce787c82e58263c1ea9a89ed44eaec58b6a32ddcd2f7f10e

SHA512
157573110f40996b9f773ef86e99c5b0036c5e60e13e9b979b7010166c0da508731e1948091cf6abce4425a0cba25de5087931c324a16c9f4ad5c2d5ca764411

Download Submit
C:\Users\Admin\AppData\Local\BootstrapperNew.exe

Filesize
3.4MB

MD5
07b2ed9af56f55a999156738b17848df

SHA1
960e507c0ef860080b573c4e11a76328c8831d08

SHA256
73427b83bd00a8745e5182d2cdb3727e654ae9af5e42befc45903027f6606597

SHA512
3a982d1130b41e6c01943eee7fa546c3da95360afdad03bff434b9211201c80f22bd8bf79d065180010bc0659ee1e71febbfd750320d95811ee26a54ee1b34c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF41.tmp.bat

Filesize
154B

MD5
71612f59c482017e8cb5cb871e1e0021

SHA1
8dbe09128609e51e5f12c7df00a03d7ee5ff7f51

SHA256
3356acd0edcabbb9783b30985f668f69598ee9fb5290dbd616a7b2797b8025da

SHA512
ce1ad4ff2b39be90b187c98cd309fdcbba65170149d2b9e36263a21ef05fd36678ab9bc35a1e51510bf34ba9c59e952210ee978ffc59c59cfb22a6b08c7faa79

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
642KB

MD5
eb0c18b934ee6c88078ee0df405af385

SHA1
9e15637a264492b900ed1f866fdfdd36b4d58c66

SHA256
fbc221358c5bc2ed769f47cf6456562265a004337fb34b81f654d80001c1c671

SHA512
950b22c241adef6624075aa0a16fc73459f906c06049bd126fc662fff046f27e6e7a8578f7ba3169d76b2080e6e70d81b3b777a4c885034a76f65a384e65dc9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RZ88CZSXI1VRI20MWMNH.temp

Filesize
7KB

MD5
a21d7d570465a44a477e88344763ae1e

SHA1
f84e5b3fea5dc5d30179d7d14979153b309fa86a

SHA256
6b16d9d3568c2e9faf0ef1a16dfbc8ef1fb549a23c754cb532efcad68e1a4fd7

SHA512
6ca3136b59abf31fe2b8240e891c75d97efd3a85167f2e75bea47ce7d5eec1955674276ac41870f8fea3da2d4f5f2ae3f72c8963b6de6e0b391377b29aa842a4

Download Submit
memory/492-110-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1496-59-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1496-60-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1624-21-0x0000000000F30000-0x0000000000FDE000-memory.dmp

Filesize
696KB

Download
memory/1624-22-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2520-104-0x0000000001080000-0x000000000112E000-memory.dmp

Filesize
696KB

Download
memory/2520-130-0x000000001A6D0000-0x000000001A6DC000-memory.dmp

Filesize
48KB

Download
memory/2532-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x00000000001D0000-0x0000000000690000-memory.dmp

Filesize
4.8MB

Download
memory/2608-42-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2608-41-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2728-116-0x0000000001C20000-0x0000000001C28000-memory.dmp

Filesize
32KB

Download
memory/2736-32-0x00000000027A0000-0x00000000027B6000-memory.dmp

Filesize
88KB

Download
memory/2736-25-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2736-34-0x0000000002730000-0x000000000273A000-memory.dmp

Filesize
40KB

Download
memory/2736-35-0x00000000027C0000-0x00000000027C8000-memory.dmp

Filesize
32KB

Download
memory/2736-31-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2736-30-0x0000000002750000-0x0000000002776000-memory.dmp

Filesize
152KB

Download
memory/2736-29-0x0000000002740000-0x000000000274A000-memory.dmp

Filesize
40KB

Download
memory/2736-28-0x000000001E530000-0x000000001E630000-memory.dmp

Filesize
1024KB

Download
memory/2736-26-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2736-33-0x0000000002780000-0x000000000278A000-memory.dmp

Filesize
40KB

Download
memory/2736-19-0x0000000000820000-0x0000000000B90000-memory.dmp

Filesize
3.4MB

Download
memory/2736-86-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2944-85-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2944-24-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2944-23-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2944-20-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2944-84-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2944-9-0x0000000000A50000-0x0000000000B08000-memory.dmp

Filesize
736KB

Download
memory/2944-131-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads