Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
This report is task behavioral13: d61876ddede62df51f22178f3f3810d3.exe run on the win7-20240903-en image (see the task list below).
max time kernel: 150s
max time network: 158s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/03/2025, 06:17
Behavioral tasks (task, sample, sandbox image)
behavioral1   d4f7e0c033fa7006a593674e3052cc35.exe   win7-20241010-en
behavioral2   d4f7e0c033fa7006a593674e3052cc35.exe   win10v2004-20250314-en
behavioral3   d57a15943ae8a9e653d5a6c6870271b8.exe   win7-20241010-en
behavioral4   d57a15943ae8a9e653d5a6c6870271b8.exe   win10v2004-20250313-en
behavioral5   d5b7e88e919915c58afbaad1d7cb2531.exe   win7-20240903-en
behavioral6   d5b7e88e919915c58afbaad1d7cb2531.exe   win10v2004-20250314-en
behavioral7   d5b9cbc990cc88135ff80a41945ea3c940b8726e286812fbf402dbf5f2f66bbf.exe   win7-20240903-en
behavioral8   d5b9cbc990cc88135ff80a41945ea3c940b8726e286812fbf402dbf5f2f66bbf.exe   win10v2004-20250314-en
behavioral9   d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe   win7-20240729-en
behavioral10  d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe   win10v2004-20250314-en
behavioral11  d5fc43e4e1fb229c3f946ac0417a0a630b0809b33a2f1bacc7b81f45006fbf1f.exe   win7-20240903-en
behavioral12  d5fc43e4e1fb229c3f946ac0417a0a630b0809b33a2f1bacc7b81f45006fbf1f.exe   win10v2004-20250314-en
behavioral13  d61876ddede62df51f22178f3f3810d3.exe   win7-20240903-en
behavioral14  d61876ddede62df51f22178f3f3810d3.exe   win10v2004-20250314-en
behavioral15  d61b23d4acf185dc6322a40c7f0f56e0.exe   win7-20240903-en
behavioral16  d61b23d4acf185dc6322a40c7f0f56e0.exe   win10v2004-20250314-en
behavioral17  d690267038d2a718d56558e839b2613a.exe   win7-20240903-en
behavioral18  d690267038d2a718d56558e839b2613a.exe   win10v2004-20250314-en
behavioral19  d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe   win7-20240903-en
behavioral20  d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe   win10v2004-20250314-en
behavioral21  d6a9816b0df03fee5229e490ff3bfa2a016c0eeb9658b09fd6538a34e469579f.exe   win7-20240903-en
behavioral22  d6a9816b0df03fee5229e490ff3bfa2a016c0eeb9658b09fd6538a34e469579f.exe   win10v2004-20250314-en
behavioral23  d6e2e288705c6ca37ed2968b4ff7e7ca.exe   win7-20241010-en
behavioral24  d6e2e288705c6ca37ed2968b4ff7e7ca.exe   win10v2004-20250314-en
behavioral25  d70550d5d46716704be759d325b3a8f0047905a4f170abe251491f13b3a563cd.exe   win7-20241010-en
behavioral26  d70550d5d46716704be759d325b3a8f0047905a4f170abe251491f13b3a563cd.exe   win10v2004-20250314-en
behavioral27  d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe   win7-20240903-en
behavioral28  d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe   win10v2004-20250314-en
behavioral29  d735d6b2f34e9a7cd2604d3036ac8486.exe   win7-20240903-en
behavioral30  d735d6b2f34e9a7cd2604d3036ac8486.exe   win10v2004-20250314-en
behavioral31  d7508b07903325957294ebdcb89bd5b3.exe   win7-20241023-en
behavioral32  d7508b07903325957294ebdcb89bd5b3.exe   win10v2004-20250314-en
General
Target: d61876ddede62df51f22178f3f3810d3.exe (the file name is the sample's MD5)
Size: 1.1MB
MD5: d61876ddede62df51f22178f3f3810d3
SHA1: f61526c97f574e637c624293249c612894a3706e
SHA256: db703d6a45db327d773c77238bed0a9905bb2c2a049bd4467fc43ab0df12e735
SHA512: 4b909d0c38361a5daa93b89c84182f48bb3f0352d72a40917700e0de83cd9ef7ae399487b50cb2bb44a1066aac91750b5aac44c2c681f20d4848f609800dbfa4
SSDEEP: 12288:6mc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:6h4TbLUEhZL/GspeYhkc9Soh2SfwJ
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 8 IoCs
Value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, set (str) eight times by d61876ddede62df51f22178f3f3810d3.exe. Winlogon starts every comma-separated program named in Shell at logon, so the sample keeps explorer.exe in front and appends one more dropped copy with each write. The report records all eight intermediate values (one entry, two entries, ... up to eight); the entries, in the order the value grows, are the paths below, and the final value (shown unescaped) is:
explorer.exe, "C:\Windows\System32\mfc120jpn\lsass.exe", "C:\Windows\System32\NlsData000f\services.exe", "C:\Windows\System32\resmon\dllhost.exe", "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe", "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe", "C:\Windows\System32\wbem\WMI_Tracing\WmiPrvSE.exe", "C:\Windows\System32\wersvc\sppsvc.exe", "C:\Windows\System32\wbem\WLanHC\WmiPrvSE.exe"
Every appended entry is a copy of the sample named after a Windows system binary (lsass.exe, services.exe, dllhost.exe, WmiPrvSE.exe, sppsvc.exe) but placed in a directory where that binary does not normally live.
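To check a host for the same Winlogon\Shell tampering, the following PowerShell is an added example written for this page; it is not code from the report, from the sample, or from the sandbox vendor. It parses the value the way Winlogon does (comma-separated, entries may be double-quoted), flags every entry that is not explorer.exe from %SystemRoot%, and reports whether each flagged path exists on disk. The embedded string is the final Shell value recorded above, unescaped, used as offline input; everything else is standard registry and .NET API.

```powershell
# Added example: audit the Winlogon Shell value for extra autostart programs.
# Winlogon starts every comma-separated program listed in this value at logon,
# so anything besides the stock explorer.exe is a logon persistence entry.

function Test-WinlogonShell {
    [CmdletBinding()]
    param(
        # Registry data of the Shell value. Omit it to read the live HKLM value.
        [string]$ShellValue
    )

    if (-not $PSBoundParameters.ContainsKey('ShellValue')) {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $ShellValue = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        # A missing value means Windows falls back to the default shell.
        if ([string]::IsNullOrWhiteSpace($ShellValue)) { $ShellValue = 'explorer.exe' }
    }

    # Split on commas that sit outside double quotes, then strip quotes and whitespace.
    $entries = [regex]::Split($ShellValue, ',(?=(?:[^"]*"[^"]*")*[^"]*$)') |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }

    foreach ($entry in $entries) {
        $expanded = [Environment]::ExpandEnvironmentVariables($entry)
        $name     = [IO.Path]::GetFileName($expanded)
        $dir      = [IO.Path]::GetDirectoryName($expanded)

        # Only a bare "explorer.exe" or the one in %SystemRoot% is the stock shell;
        # an explorer.exe elsewhere is itself a masquerade.
        $isStockShell = ($name -eq 'explorer.exe') -and
                        ([string]::IsNullOrEmpty($dir) -or ($dir.TrimEnd('\') -eq $env:SystemRoot))

        $onDisk = if ($dir) { Test-Path -LiteralPath $expanded } else { $null }

        [pscustomobject]@{
            Entry      = $entry
            Suspicious = -not $isStockShell
            OnDisk     = $onDisk
        }
    }
}

# Final Shell value recorded in this report (unescaped); used here as offline test input.
$reportShell = 'explorer.exe, "C:\Windows\System32\mfc120jpn\lsass.exe", "C:\Windows\System32\NlsData000f\services.exe", "C:\Windows\System32\resmon\dllhost.exe", "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe", "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe", "C:\Windows\System32\wbem\WMI_Tracing\WmiPrvSE.exe", "C:\Windows\System32\wersvc\sppsvc.exe", "C:\Windows\System32\wbem\WLanHC\WmiPrvSE.exe"'

# Offline: the eight appended paths are flagged, explorer.exe itself is not.
Test-WinlogonShell -ShellValue $reportShell | Where-Object { $_.Suspicious } | Format-Table -AutoSize

# Live host: read HKLM and report anything beyond the stock shell.
Test-WinlogonShell | Where-Object { $_.Suspicious }
```

The same function can be pointed at the per-user copy of the key (HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) by passing its Shell data as -ShellValue. Remediation is to restore the value to exactly "explorer.exe" after the listed binaries have been removed; leaving a dangling path in Shell produces a logon error but no further harm.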
Process spawned unexpected child process 8 IoCs
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2768, procid_target 30) is not expected to spawn this process: schtasks.exe, PIDs 2916, 2648, 2756, 2792, 2664, 2788, 1852, 2872.
The signature's generic description says this typically indicates a parent compromised via an exploit or macro. Here the more likely reading is process creation through WMI (Win32_Process.Create): the new process is created inside the WMI provider host, so WmiPrvSE.exe rather than the sample is recorded as the parent of each schtasks.exe, and a parent/child-based detection that looks for the sample launching schtasks.exe would miss it. The eight PIDs are the same eight schtasks.exe instances listed under Scheduled Task below.
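The detection logic behind this signature, as an added example for this page (not code from the report or the sandbox vendor): a PowerShell check over Sysmon process-creation events that flags interpreter and task-scheduler children whose recorded parent is WmiPrvSE.exe. The Sysmon log name and Event ID 1 field names are the standard ones; the list of child image names is my choice and should be tuned to a baseline. The sample records are constructed from the PIDs in this report and are not real log lines.

```powershell
# Added example: flag processes whose recorded parent is WmiPrvSE.exe.
# Win32_Process.Create runs inside the WMI provider host, so anything started that
# way shows wmiprvse.exe as its parent instead of the process that asked for it.

# Children worth alerting on when WmiPrvSE.exe is the parent (hypothetical list; tune to your baseline).
$script:SuspectChildren = 'schtasks.exe', 'cmd.exe', 'powershell.exe', 'wscript.exe',
                          'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

function Test-WmiSpawnedChild {
    [CmdletBinding()]
    param(
        # Objects carrying Sysmon Event ID 1 fields: ProcessId, Image, ParentProcessId, ParentImage.
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$Record
    )
    process {
        $parent = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
        if ($parent -eq 'wmiprvse.exe' -and $script:SuspectChildren -contains $child) {
            [pscustomobject]@{
                ProcessId       = $Record.ProcessId
                Image           = $Record.Image
                ParentProcessId = $Record.ParentProcessId
                Reason          = "$child started through WMI (parent wmiprvse.exe)"
            }
        }
    }
}

function Get-SysmonProcessCreate {
    # Pull Event ID 1 from the Sysmon operational log and flatten EventData into objects.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]$fields
        }
}

# Constructed records (not real log lines) modelled on this report: eight schtasks.exe
# children of wmiprvse.exe (PID 2768) plus one benign control started from explorer.exe.
$sample = @(foreach ($id in 2916, 2648, 2756, 2792, 2664, 2788, 1852, 2872) {
    [pscustomobject]@{ ProcessId = $id; Image = 'C:\Windows\System32\schtasks.exe'
                       ParentProcessId = 2768; ParentImage = 'C:\Windows\system32\wbem\wmiprvse.exe' }
})
$sample += @([pscustomobject]@{ ProcessId = 4000; Image = 'C:\Windows\System32\schtasks.exe'
                                ParentProcessId = 1234; ParentImage = 'C:\Windows\explorer.exe' })

# Eight hits; the explorer.exe child is not reported.
$sample | Test-WmiSpawnedChild | Format-Table -AutoSize

# On a host running Sysmon:
# Get-SysmonProcessCreate | Test-WmiSpawnedChild
```

Management agents (configuration management, monitoring, remote administration via Invoke-WmiMethod or Invoke-CimMethod) create processes through WMI legitimately, so this should be a hunting query or a correlated alert rather than a stand-alone block rule. To recover the real requester, pair it with Microsoft-Windows-WMI-Activity/Operational events or Sysmon's WMI events, which record the client that called the method.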
UAC bypass 3 TTPs 42 IoCs
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Values set (int) to "0": EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop. d61876ddede62df51f22178f3f3810d3.exe writes each of the three once; the remaining 39 writes come from the dropped dllhost.exe copies, which repeat the same three writes every time they run.
These values live under HKLM and can only be written by a process that is already elevated, so what is recorded here is not a bypass of UAC but its removal for the future: ConsentPromptBehaviorAdmin=0 makes elevation requests succeed without a prompt and PromptOnSecureDesktop=0 removes the secure desktop immediately, while EnableLUA=0 switches UAC off entirely after the next reboot.
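A check for the state these writes leave behind, as an added example for this page (not code from the report): it compares the three UAC policy values with their out-of-box defaults and reports deviations, either from the live registry or from a hashtable supplied for offline testing. The default values (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) are those Windows 7 through 11 ship with; nothing else is assumed.

```powershell
# Added example: compare the UAC policy values this sample rewrote with Windows defaults.
# The three values live under HKLM, so only an already-elevated process can change
# them; setting them to 0 disables UAC for later elevations rather than bypassing it.

function Get-UacPolicyDeviation {
    [CmdletBinding()]
    param(
        # Name/value pairs to evaluate. Omit it to read the live registry.
        [hashtable]$Values
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Out-of-box values on Windows 7 through 11. ConsentPromptBehaviorAdmin 5 means
    # "prompt for consent for non-Windows binaries"; 0 means "elevate without prompting".
    $expected = [ordered]@{
        EnableLUA                  = 1
        ConsentPromptBehaviorAdmin = 5
        PromptOnSecureDesktop      = 1
    }

    if (-not $Values) {
        $props  = Get-ItemProperty -Path $key -ErrorAction Stop
        $Values = @{}
        foreach ($name in $expected.Keys) { $Values[$name] = $props.$name }
    }

    foreach ($name in $expected.Keys) {
        $actual = $Values[$name]
        $state  = if ($null -eq $actual) { 'missing' } elseif ([int]$actual -eq $expected[$name]) { 'default' } else { 'TAMPERED' }
        [pscustomobject]@{ Value = $name; Expected = $expected[$name]; Actual = $actual; State = $state }
    }
}

# Offline: the state this report leaves behind (all three values written as 0) -> three TAMPERED rows.
Get-UacPolicyDeviation -Values @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 } |
    Format-Table -AutoSize

# Live host:
Get-UacPolicyDeviation | Where-Object { $_.State -ne 'default' }
```

Two caveats when acting on the output. A hardened environment may set ConsentPromptBehaviorAdmin to 1 or 2 (prompt for credentials or consent on the secure desktop) by policy, so compare against your own baseline rather than treating every deviation as tampering. And because EnableLUA only takes effect at reboot, a host that shows EnableLUA=0 with UAC apparently still working has simply not rebooted yet; restoring the value to 1 before the next reboot prevents the change from ever becoming active.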
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Signature description: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Nine powershell.exe instances: PIDs 2108, 1208, 1508, 2508, 2440, 2140, 2284, 1832, 2296, each written to by the sample (PID 2532) according to the WriteProcessMemory events below. The PowerShell command lines themselves are not reproduced in this report.
Drops file in Drivers directory 1 IoCs
File opened for modification: C:\Windows\System32\drivers\etc\hosts by d61876ddede62df51f22178f3f3810d3.exe. This is the hosts file; entries in it take precedence over DNS, which is a common way to block security-vendor update domains. The content written is not shown in this report, so the file should be diffed against a clean copy on any affected host.
Executes dropped EXE 13 IoCs
dllhost.exe, PIDs 1720, 2632, 1572, 1944, 1700, 1776, 1552, 588, 1848, 1468, 1776, 2188, 1672 (PID 1776 appears twice, i.e. the number was reused after the first instance exited).
Adds Run key to start application 2 TTPs 16 IoCs
All 16 values are set (str) by d61876ddede62df51f22178f3f3810d3.exe, each once under the machine hive (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) and once under the user hive (\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run). Value name = data, shown unescaped:
lsass = "C:\Windows\System32\mfc120jpn\lsass.exe"
lsass = "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe"
services = "C:\Windows\System32\NlsData000f\services.exe"
dllhost = "C:\Windows\System32\resmon\dllhost.exe"
dllhost = "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
WmiPrvSE = "C:\Windows\System32\wbem\WMI_Tracing\WmiPrvSE.exe"
WmiPrvSE = "C:\Windows\System32\wbem\WLanHC\WmiPrvSE.exe"
sppsvc = "C:\Windows\System32\wersvc\sppsvc.exe"
Because lsass, dllhost and WmiPrvSE are each written with two different paths under the same value name, only the later write survives in each hive; it is the Winlogon Shell value above that keeps all eight copies starting.
Checks whether UAC is enabled 1 TTPs 28 IoCs
Value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA. 14 reads ("Key value queried") and 14 writes ("Set value (int) ... = 0"): d61876ddede62df51f22178f3f3810d3.exe reads it once and writes it once; the dropped dllhost.exe copies account for the other 13 reads and 13 writes, each copy checking the value and then forcing it to 0.
Drops file in System32 directory 24 IoCs
All by d61876ddede62df51f22178f3f3810d3.exe. Each of six directories receives the same four events: the masquerading executable is created and opened for modification, an RCX*.tmp staging file in the same directory is opened for modification, and a companion file with a 14-hex-character name is created.
C:\Windows\System32\mfc120jpn\: lsass.exe, 6203df4a6bafc7, RCXA008.tmp
C:\Windows\System32\NlsData000f\: services.exe, c5b4cb5e9653cc, RCXA20B.tmp
C:\Windows\System32\resmon\: dllhost.exe, 5940a34987c991, RCXA40F.tmp
C:\Windows\System32\wbem\WMI_Tracing\: WmiPrvSE.exe, 24dbde2999530e, RCXAAF5.tmp
C:\Windows\System32\wersvc\: sppsvc.exe, 0a1fd5f707cd16, RCXAD85.tmp
C:\Windows\System32\wbem\WLanHC\: WmiPrvSE.exe, 24dbde2999530e, RCXAF89.tmp
The companion name follows the executable name, not the directory (24dbde2999530e beside both WmiPrvSE.exe copies, 5940a34987c991 beside both dllhost.exe copies, including the one under Program Files below), so these names are usable as file IoCs alongside the paths.
Drops file in Program Files directory 4 IoCs
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\: dllhost.exe (created and opened for modification), 5940a34987c991 (created), RCXA884.tmp (opened for modification); all by d61876ddede62df51f22178f3f3810d3.exe.
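The Run-key entries and the dropped copies above share one pattern: a Windows binary's name in a directory where that binary does not live. The following PowerShell, an added example for this page and not code from the report or the sandbox vendor, turns that pattern into a host check. It extracts the executable from each Run/RunOnce value (and from scheduled-task actions where the ScheduledTasks module exists), flags paths whose file name is in an allow-list of imitated names but whose directory is not that binary's home, and reports the Authenticode status of the file on disk. The allow-list is hypothetical and covers the names this sample uses; the offline demo assumes %SystemRoot% is C:\Windows.

```powershell
# Added example: find autostart entries that borrow a Windows binary's name but run
# from somewhere other than that binary's home directory, then check their signature.

# Hypothetical allow-list: where each imitated name legitimately lives. Extend from a baseline.
$script:ExpectedHome = @{
    'lsass.exe'    = @("$env:SystemRoot\System32")
    'services.exe' = @("$env:SystemRoot\System32")
    'sppsvc.exe'   = @("$env:SystemRoot\System32")
    'dllhost.exe'  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    'wmiprvse.exe' = @("$env:SystemRoot\System32\wbem", "$env:SystemRoot\SysWOW64\wbem")
    'explorer.exe' = @("$env:SystemRoot")
}

function ConvertTo-ExePath {
    param([string]$Command)
    # A Run-key command is either "quoted path" args or bare-path args.
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Command.Trim() -split '\s+', 2)[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-MasqueradedPath {
    param([string]$Path)
    $name = [IO.Path]::GetFileName($Path).ToLowerInvariant()
    if (-not $script:ExpectedHome.ContainsKey($name)) { return $false }   # not a name we track
    $dir = [IO.Path]::GetDirectoryName($Path)
    if ([string]::IsNullOrEmpty($dir)) { return $false }                  # bare name resolves via PATH; out of scope
    foreach ($allowed in $script:ExpectedHome[$name]) {
        if ($dir.TrimEnd('\') -eq $allowed) { return $false }
    }
    return $true
}

function Get-MasqueradedAutorun {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $candidates = @(foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
            [pscustomobject]@{ Source = "$key\$($p.Name)"; Path = (ConvertTo-ExePath $p.Value) }
        }
    })
    # Scheduled-task actions too (ScheduledTasks module: Windows 8 / Server 2012 and later).
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $candidates += @(foreach ($task in Get-ScheduledTask) {
            foreach ($a in $task.Actions) {
                if ($a.Execute) {
                    [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Path = (ConvertTo-ExePath $a.Execute) }
                }
            }
        })
    }
    foreach ($c in $candidates) {
        if (-not (Test-MasqueradedPath $c.Path)) { continue }
        $sig = if (Test-Path -LiteralPath $c.Path) { (Get-AuthenticodeSignature -FilePath $c.Path).Status } else { 'FileMissing' }
        [pscustomobject]@{ Source = $c.Source; Path = $c.Path; Signature = $sig }
    }
}

# Offline check with three Run-key commands: the first two are constructed from this report's
# IoCs and are flagged; the third is the genuine WmiPrvSE.exe location and is not.
'"C:\Windows\System32\mfc120jpn\lsass.exe"',
'"C:\Windows\System32\wbem\WLanHC\WmiPrvSE.exe"',
'"C:\Windows\System32\wbem\WmiPrvSE.exe"' |
    ForEach-Object { [pscustomobject]@{ Command = $_; Masqueraded = Test-MasqueradedPath (ConvertTo-ExePath $_) } }

# Live host:
Get-MasqueradedAutorun | Format-Table -AutoSize
```

A flagged file whose Signature is NotSigned or HashMismatch is the strong case; a Valid signature on a masqueraded path still deserves a look, since a legitimately signed binary copied to an odd location is the setup for several side-loading techniques. The Winlogon Shell value and the companion files named in the drop list are separate artefacts and need their own checks.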
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Eight schtasks.exe invocations, PIDs 2792, 2664, 2788, 1852, 2872, 2916, 2648, 2756, all with WmiPrvSE.exe (PID 2768) as the recorded parent (see "Process spawned unexpected child process" above). The task definitions and command lines are not included in this report.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Process enumeration by PID 2532 d61876ddede62df51f22178f3f3810d3.exe (repeated), by the nine powershell.exe instances (PIDs 2440, 1508, 1832, 1208, 2140, 2284, 2508, 2296, 2108) and by PID 1720 dllhost.exe (repeated); 64 events in total.
Suspicious use of AdjustPrivilegeToken 23 IoCs
Token: SeDebugPrivilege enabled by PID 2532 d61876ddede62df51f22178f3f3810d3.exe; by powershell.exe PIDs 2440, 1508, 1832, 1208, 2140, 2284, 2508, 2296, 2108; and by dllhost.exe PIDs 1720, 2632, 1572, 1944, 1700, 1776, 1552, 588, 1848, 1468, 1776, 2188, 1672. SeDebugPrivilege lets a process open any other process regardless of its ACL; the powershell.exe entries are routine (PowerShell enables it at start-up when it can), while the sample and its dllhost.exe copies requesting it is not.
Suspicious use of WriteProcessMemory 64 IoCs
The report logs three writes by each parent into every newly created child; the number in parentheses is the child's procid_target index. Collapsed to parent → child:
2532 d61876ddede62df51f22178f3f3810d3.exe → powershell.exe 2508 (39), 2440 (40), 1832 (42), 1508 (44), 1208 (46), 2284 (47), 2108 (48), 2296 (49), 2140 (50)
2532 d61876ddede62df51f22178f3f3810d3.exe → 1720 dllhost.exe (57)
1720 dllhost.exe → 2816 WScript.exe (58), 2812 (59)
2816 WScript.exe → 2632 dllhost.exe (61)
2632 dllhost.exe → 2312 WScript.exe (62), 1892 (63)
2312 WScript.exe → 1572 dllhost.exe (64)
1572 dllhost.exe → 936 WScript.exe (65), 1544 (66)
936 WScript.exe → 1944 dllhost.exe (67)
1944 dllhost.exe → 2520 (68), 2508 (entry truncated in the source; PID 2508 is a reuse of the number the earlier powershell.exe had)
The chain is a relaunch loop: each dllhost.exe copy starts a WScript.exe host, which starts the next dllhost.exe copy, alongside a second child whose image name is not given in this excerpt (PIDs 2812, 1892, 1544, 2520). The 64-event cap cuts the list off, so the loop most likely continues beyond PID 1944.
dllhost.exe 69 PID 1944 wrote to memory of 2508 1944 dllhost.exe 69 PID 1944 wrote to memory of 2508 1944 dllhost.exe 69 PID 2520 wrote to memory of 1700 2520 WScript.exe 70 -
System policy modification (1 TTP, 42 IoCs)

All 42 writes set one of three values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0. The sample sets each value once and each of the 13 dropped dllhost.exe instances sets all three again, which is why the same IoC repeats. Columns: value name, value written, writes by d61876ddede62df51f22178f3f3810d3.exe, writes by dllhost.exe, effect of the value 0.

EnableLUA                   "0"  1  13  UAC is disabled outright (applies after the next reboot)
ConsentPromptBehaviorAdmin  "0"  1  13  members of Administrators elevate without any prompt
PromptOnSecureDesktop       "0"  1  13  elevation prompts, if any, appear on the normal desktop instead of the secure desktop
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives the tree depth, the image path, the command line, the PID and the behaviours tagged on that process. The dropped dllhost.exe re-launches itself through a fresh .vbs in %TEMP% at every level (each instance runs two .vbs files, one of which starts the next copy), reaching 13 nested copies within the run.

[depth 1] C:\Users\Admin\AppData\Local\Temp\d61876ddede62df51f22178f3f3810d3.exe
  "C:\Users\Admin\AppData\Local\Temp\d61876ddede62df51f22178f3f3810d3.exe"
  PID: 2532
  - Modifies WinLogon for persistence
  - UAC bypass
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d61876ddede62df51f22178f3f3810d3.exe'
  PID: 2508
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfc120jpn\lsass.exe'
  PID: 2440
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsData000f\services.exe'
  PID: 1832
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\resmon\dllhost.exe'
  PID: 1508
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe'
  PID: 1208
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe'
  PID: 2284
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\WMI_Tracing\WmiPrvSE.exe'
  PID: 2108
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wersvc\sppsvc.exe'
  PID: 2296
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\WLanHC\WmiPrvSE.exe'
  PID: 2140
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1720
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

[depth 3] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\186a8516-6c26-4e1d-85af-845a5e0e190f.vbs"
  PID: 2816
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 2632
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

[depth 5] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0982b4c3-5d74-48e5-ab8e-d7f9d617c85c.vbs"
  PID: 2312
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1572
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

[depth 7] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed81e929-295f-4a59-9517-f8b891695ec4.vbs"
  PID: 936
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1944
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

[depth 9] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4763c670-509a-44da-a6e0-f650474005f7.vbs"
  PID: 2520
  - Suspicious use of WriteProcessMemory

[depth 10] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1700
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 11] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1e0f221-8341-4e42-af90-fb64c62298de.vbs"
  PID: 352

[depth 12] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1776
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 13] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aacd1031-9a06-4626-941b-1ce79e7a8b7a.vbs"
  PID: 1236

[depth 14] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1552
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 15] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ada2c84-8c51-4680-a685-ae95ff596fee.vbs"
  PID: 772

[depth 16] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 588
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 17] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67e4b713-efad-4bd8-b3eb-c76602ef37ed.vbs"
  PID: 1624

[depth 18] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1848
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 19] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e57a5bc-b054-44fc-ae95-69c8efe67a84.vbs"
  PID: 688

[depth 20] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1468
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 21] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af6b1300-46e5-4f16-9f35-e6d935f8ee14.vbs"
  PID: 1412

[depth 22] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1776
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 23] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\346031c6-027a-418a-a528-f4003c68b6c7.vbs"
  PID: 2960

[depth 24] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 2188
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 25] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac1e0d29-6b66-496c-8cd1-73b4cd3f31f4.vbs"
  PID: 2260

[depth 26] C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe"
  PID: 1672
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 27] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59d74d95-4c7c-4f15-85d8-1976b4c465e6.vbs"
  PID: 1532

[depth 27] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ba8def2-e467-4e94-afc8-705a11e638ea.vbs"
  PID: 2104

[depth 25] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a138936-7664-46c6-9da9-e498abf80373.vbs"
  PID: 596

[depth 23] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac801247-6051-43f8-9876-b1f122c9743b.vbs"
  PID: 2864

[depth 21] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58e62ad7-3eef-40db-8e28-b0c25b961347.vbs"
  PID: 2368

[depth 19] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9a1e70-bb1a-47ec-9122-8226e5e14ce4.vbs"
  PID: 1584

[depth 17] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\874cf613-cd4e-4538-ab49-bae31e97b065.vbs"
  PID: 540

[depth 15] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b455ca-13eb-45df-9977-944f48e3d75e.vbs"
  PID: 2980

[depth 13] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df50b368-dfe5-4888-8dbf-0239b7816302.vbs"
  PID: 2012

[depth 11] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ff6c817-821e-4b88-8046-6747c48a85b7.vbs"
  PID: 2096

[depth 9] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7570d4f1-62b6-425e-905c-be602cef4208.vbs"
  PID: 2508

[depth 7] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78974068-d760-4738-b033-b5cda20b7129.vbs"
  PID: 1544

[depth 5] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c79ed120-725b-46ff-943a-f127d9506bf7.vbs"
  PID: 1892

[depth 3] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d6c0ce7-78ac-4845-9bb2-a314423b3a30.vbs"
  PID: 2812

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\mfc120jpn\lsass.exe'" /rl HIGHEST /f
  PID: 2916
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\NlsData000f\services.exe'" /rl HIGHEST /f
  PID: 2648
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\resmon\dllhost.exe'" /rl HIGHEST /f
  PID: 2756
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
  PID: 2792
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\dllhost.exe'" /rl HIGHEST /f
  PID: 2664
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WMI_Tracing\WmiPrvSE.exe'" /rl HIGHEST /f
  PID: 2788
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\wersvc\sppsvc.exe'" /rl HIGHEST /f
  PID: 1852
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WLanHC\WmiPrvSE.exe'" /rl HIGHEST /f
  PID: 2872
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
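The three host changes this run leaves behind (the UAC policy values zeroed, a Defender exclusion per dropped copy, and ONLOGON tasks that run copies named lsass.exe, services.exe, dllhost.exe, WmiPrvSE.exe and sppsvc.exe from directories those binaries never live in) are all visible from the registry and the Task Scheduler COM API that the report itself mentions. The following triage script is an added example written for this page, not code from the report or from tria.ge; it assumes Windows PowerShell 2.0 or later in an elevated session (the Defender Exclusions key is ACL-protected), and its baseline values, binary-name list and legitimate-directory list are its own choices, picked to mirror what this sample does. The Task Scheduler part uses the Schedule.Service COM object rather than Get-ScheduledTask so that it also runs on Windows 7. Windows 7's Windows Defender has no PowerShell module, so the nine Add-MpPreference calls in this win7 task could not have created exclusions there; the exclusion check is for the windows10-2004 run.

```powershell
# Added triage script (not part of the tria.ge report). Run elevated on Windows 7+.
# Paths, baseline values and name lists below are this script's assumptions.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacBaseline = @{
    EnableLUA                  = 1   # sample writes 0: UAC off after reboot
    ConsentPromptBehaviorAdmin = 5   # sample writes 0: silent elevation
    PromptOnSecureDesktop      = 1   # sample writes 0: prompt on the normal desktop
}
# Add-MpPreference -ExclusionPath stores each path as a value name under this key.
$ExclusionKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
# Binary names the sample impersonates, plus a few common ones, and the only
# directories those names legitimately execute from.
$SystemBinaries = 'lsass.exe','services.exe','dllhost.exe','WmiPrvSE.exe','sppsvc.exe','svchost.exe','csrss.exe','winlogon.exe'
$LegitDirs = "$env:windir\System32","$env:windir\SysWOW64","$env:windir\System32\wbem"

function New-Finding([string]$Check, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Detail = $Detail }
}

function Get-UacFindings {
    $props = Get-ItemProperty -Path $UacKey
    foreach ($name in $UacBaseline.Keys) {
        $actual = $props | Select-Object -ExpandProperty $name -ErrorAction SilentlyContinue
        if ($actual -ne $UacBaseline[$name]) {
            New-Finding 'UAC policy' "$name = $actual (baseline $($UacBaseline[$name]))"
        }
    }
}

function Get-ExclusionFindings {
    if (-not (Test-Path $ExclusionKey)) { return }
    foreach ($path in (Get-Item $ExclusionKey).GetValueNames()) {
        # Per-executable exclusions are what this sample adds; folder exclusions are
        # more often legitimate, so only flag paths ending in .exe.
        if ($path -match '\.exe$') { New-Finding 'Defender exclusion' $path }
    }
}

function Test-Masquerade([string]$CommandLine) {
    # schtasks /tr "'C:\...\lsass.exe'" keeps the single quotes in the task XML; strip
    # leading quotes and take the first .exe token so paths with spaces still parse.
    if ($CommandLine -match '^\s*[''"]*([^''"]+?\.exe)') {
        $exe = $Matches[1]
        $leaf = Split-Path -Leaf $exe
        $dir = Split-Path -Parent $exe
        if (($SystemBinaries -contains $leaf) -and -not ($LegitDirs -contains $dir)) { return $exe }
    }
    return $null
}

function Get-TaskFindings {
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($svc.GetFolder('\'))
    while ($queue.Count -gt 0) {
        $folder = $queue.Dequeue()
        foreach ($sub in $folder.GetFolders(0)) { $queue.Enqueue($sub) }
        foreach ($task in $folder.GetTasks(1)) {            # 1 = TASK_ENUM_HIDDEN
            [xml]$def = $task.Xml
            $onLogon = [bool]$def.Task.Triggers.LogonTrigger                            # /sc ONLOGON
            $highest = $def.Task.Principals.Principal.RunLevel -eq 'HighestAvailable'    # /rl HIGHEST
            foreach ($exec in @($def.Task.Actions.Exec)) {
                if ($exec -eq $null) { continue }
                $exe = Test-Masquerade ("{0} {1}" -f $exec.Command, $exec.Arguments)
                if ($exe) {
                    New-Finding 'Masquerading task' ("{0} -> {1} (logon trigger: {2}, highest: {3})" -f $task.Path, $exe, $onLogon, $highest)
                }
            }
        }
    }
}

function Invoke-SampleTriage {
    @(Get-UacFindings) + @(Get-ExclusionFindings) + @(Get-TaskFindings)
}

Invoke-SampleTriage | Format-Table -AutoSize Check, Detail
```

On a host that ran this sample the output should show the three UAC values at 0, exclusions for the dropped copies, and tasks named lsass, services, dllhost, WmiPrvSE and sppsvc pointing at paths under System32 subdirectories, MSOCache and the Java jdk tree with a logon trigger and highest run level. Test-Masquerade only compares the immediate parent directory, so a copy placed directly in System32 under a non-standard name would not be caught by this check; the Defender exclusion and task-name checks are what catch that case.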
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 1.1MB (MD5 matches the submitted sample)
MD5:    d61876ddede62df51f22178f3f3810d3
SHA1:   f61526c97f574e637c624293249c612894a3706e
SHA256: db703d6a45db327d773c77238bed0a9905bb2c2a049bd4467fc43ab0df12e735
SHA512: 4b909d0c38361a5daa93b89c84182f48bb3f0352d72a40917700e0de83cd9ef7ae399487b50cb2bb44a1066aac91750b5aac44c2c681f20d4848f609800dbfa4

Filesize: 1.1MB
MD5:    5e7d9155653217e088c1ea4cb1d2d74f
SHA1:   1d49e44bd06a9e63d2062e02c699e93a6df015d8
SHA256: 86b40b4fe680c19f8edaee20b4fbc6f6f66bf2b44a0afad932748871f30b53fc
SHA512: 16961faad8665e0d331a2817dd64b08fcc2acdf25027b11a60e22642f0c76ef3fb6523e75a3213db3a64e274dd10065deb86aad95a939a14465d996a8af2e564

Filesize: 759B
MD5:    4f25fe58b9689e34c4c5e1747139ceea
SHA1:   f2a8fd4b9590c588e693daa652a6584eccc5f484
SHA256: 55c4583cc05db7e726977ba2d8a28b57e2baf06193cc3d56b5da5367b5bc51d2
SHA512: d5ad4576176bedb333dd28146d94593c24e033379ecaf115b964ee4debda9c4cecd11a204c295aceebb5b38e6fd3bf66dc5325a7e0ba533992ce1ba92beff202

Filesize: 759B
MD5:    e0fa8aa724b91082d918baa641bf372c
SHA1:   de59410f02c624e20548e8dd33df8cad451fc4ee
SHA256: d8489a6e5845e8c7f0c083131c39c38e533f3d039b97879bc4b21112b8e033fe
SHA512: 4537c60361d511defeb310808721a7fceebf8a720b6153bcee438b212d09fd6e44ba0dd03d728ab384c9d89a6a74a282f770db9153313bbd16083221bc5dfd12

Filesize: 759B
MD5:    6c534cac1d74ef35de66e0db75ca7c2c
SHA1:   67886520d3d24bfee644a77f81042533929cf850
SHA256: ce84d5fddcc7007922c3f3168d332fff66d1cdfbcc3c902d2d5d70955a660967
SHA512: 068a4a2182484273984f800a7a2d1f3d80d292187e73e81c28a4dc9905dac6f23bc1725a76da13f61eed6901d46ccc5fa9e5b95a24e6ce537a6b6e7a4aa179db

Filesize: 759B
MD5:    b9bf8d89099615edc9add747c7dd1823
SHA1:   9ae6d3dfd9ebe32f1b2450abb9eeafed6e18c273
SHA256: a5f2bd811b9e4fdd4eaac77d91e7db5f07b621d452a9d667baae88b4c2e670bb
SHA512: 20a1f3962e256fffbcb3333b446c958621ab2015918ba04e40c20a8d0136b57af2c3fb61bd81cd533f68f9cf519efe7ef80f7afa7bb93febcd4fac1f0cae2711

Filesize: 759B
MD5:    74d058d18365c99b3f472aaa78d7dbf7
SHA1:   84c1c2d11401fbcbbc6a74098b754982d45b5304
SHA256: 2e73163b51a4bd5497cda78d94b04130cc267bd309e35c0f616a223775c731aa
SHA512: 2340e1f8e0dd1aea6751be055fbe93748ade849a34b94d38ef03f1acaec5add14afb7a8d4318baa32bcaafa6f662a58afae5a5db14ff007752554fbde8455a42

Filesize: 759B
MD5:    29afd4c120bf39cf4f4e4155be37f23a
SHA1:   033df58676897290fe9860c2bd85444baffe69b8
SHA256: e477ca9eda2ecb84b043e5ec412cee12b4b43cb893c19cd14b57892af636b843
SHA512: 545a032dd8363bf1744cd5585bafca2055f1e7e65b173f4257c369f80dd19d99b2cbc6f24e0058a5b00bfa0803f365b9b4ec68ede6d5256a9037c195eb700c0c

Filesize: 758B
MD5:    7123a044b494d008ffcd9e7ef4ce635d
SHA1:   429cd16e6802f894252958531023a523b022504e
SHA256: fee2d39586a6f64442775361851d5ab353ec791ef7aa13af6c332b7472288a0e
SHA512: 033bc3f2943b47843d299af9b5589ff363e8853d5debc13bf85ef950dd7a6a4d624750c6f6e0eee5abf42468e20f1b14fcb96954cc4f2ec24da52caad8c5a2e0

Filesize: 535B
MD5:    5b16c2f6193dfa200874e94242147719
SHA1:   b655cd33c1d1211b63637ebeb87c37bf463a1dfc
SHA256: 80f5fc53c57211f3d21bd90529d3d08e397d30b46a4a44d8b58cd19bc994cba4
SHA512: 83149c7357b59c7fc69a182e84c79a9c3627d7a04ae76db6a4a430c5efb1faf498845b67a17bf54428f03f162deb1639de002df68e082d6442b4aedfcebcd9f1

Filesize: 759B
MD5:    c9aee55d20d937d575296f0ab7064c25
SHA1:   52aab92cf5d02dd2eae033b6d81c32c7ff7a3714
SHA256: c74f473f393a14e7064a6fd440093571bb7116b7f078fe12041db07db70b5d28
SHA512: 923970519ef4ff8b030f3d1dfd82b200b7faf1332958c1f58eefbca032ba4b0808c5dc7bcecb028a4beaa84c111cdd39b98caa995eab573ad24aa2b10fcf71f0

Filesize: 759B
MD5:    0934cc64be0e42fcefd8d459defd6862
SHA1:   7bdf0d2fd160cba0de01f619eba532153cce1d39
SHA256: 78a4160360169feceb46eb2eca4f547d3968f21071006b156f5c0c8649fe88d3
SHA512: 2e119fe263678ba149c5619abdf57ca1db1fba8950be39216f5a9cab8863703d935cf47fe8994cc0852bca44f414cdaeb66d3656c0f39d15ac67f4044b7dd7fb

Filesize: 759B
MD5:    e1973c1365ebac0795ecf8687fb830dc
SHA1:   da788a93884ef3eae6926c79fde9ae231f7e512b
SHA256: 6dea276fd0ebd31b6601a5ec744ea4af5a96c39fa3c4f4106c9651cc02180442
SHA512: 013fede2ab853f28c5f56b7f25c3347d42e3cdaa2f4d60861b043746f25904f97813bf0ab2662f06cedefdf895268e5e7118b69ef366a89e9336de12ab425ce8

Filesize: 759B
MD5:    e6143e5e4353d716ffa3ff504e2c656c
SHA1:   fcc9bedc1852a394442d6b6fb39f47b8d1d142ef
SHA256: 6d403cec8fbd7041b8d2c59e8ebeeca30e3aa65580b549ca9c2a6b49a2f3ef62
SHA512: 96d57232b2ed7356ccb87c770c336a096d6b02a1e9ffcb3d9614f36342eba4652cfdd49c31b518fcca185cdaf625003a956339d6632b4f458fd2b5b18cacadbd

Filesize: 759B
MD5:    b852ff56e035a4660a2e91f368b8eb6b
SHA1:   34c0f707e68ad6a67327675b466e36ff3bf44864
SHA256: 297c10c9027ebe8f0cd2d9a3522ca09fc1fb22bf63ee6626c8048c25e3b56553
SHA512: beb0fb559c9bd6f381e6da9f39975d3ae896da199493a1b929784d9de2d93d43690eef272ce53f02c9ca47732a4c2b096087a7e02e75fc0f2c13b8ea44ccff97

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5:    e07d1b06afdcf205fc634a289c90600e
SHA1:   fafb02abb4d2185828acd9d09943b4a8eed1a8b9
SHA256: 00643be82ddd9347f605e45c0002b8e46bb500863f66c019b6ce853c42c5b0e0
SHA512: 7b54fb74243443ca47eb44afce7ca7c08999b91a4048e383aa75132d1efb6901d6f37a237377cd4000beaef614a426bcbfeee272aa1a60cf0c05a6656ea5dc6c

Filesize: 1.1MB
MD5:    76d88d8e1ec164414c73ee6736ad2983
SHA1:   df48a388c22962eee1df31ead079625fd529fc1b
SHA256: 3ce7e6a7c65f1976abaa30f011cf75aa893707dd721fa6f00cac802a77173b7f
SHA512: c791d4e0c79c4eef76df7687c758897bdd8c2184e4b390053f431a88f54fa849f96128bbaeb5fc0329e449b0578aeffd046687f2e6e4d1d271311ae19a0e1eb2