Analysis
- max time kernel: 141s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/03/2025, 06:10
Behavioral tasks
Behavioral task | Sample | Resource
behavioral1 | 410897f36809104096c8b600eb3a0444.exe | win7-20240903-en
behavioral2 | 410897f36809104096c8b600eb3a0444.exe | win10v2004-20250314-en
behavioral3 | 41234e0118ba1cfc06b88d347f3a53f5.exe | win7-20250207-en
behavioral4 | 41234e0118ba1cfc06b88d347f3a53f5.exe | win10v2004-20250314-en
behavioral5 | 412f4448e99979a1ce810cdf392b6abb.exe | win7-20240729-en
behavioral6 | 412f4448e99979a1ce810cdf392b6abb.exe | win10v2004-20250314-en
behavioral7 | 414a1d40006fffeb00666df68e3457f2db0ca7e9045535cc5de3c88c9e7fcc6f.exe | win7-20240903-en
behavioral8 | 414a1d40006fffeb00666df68e3457f2db0ca7e9045535cc5de3c88c9e7fcc6f.exe | win10v2004-20250314-en
behavioral9 | 414cb3c4ac2d42889d7c55565afc0f57d2a0e9f7a186b5d5d8e5118fd3f976da.exe | win7-20250207-en
behavioral10 | 414cb3c4ac2d42889d7c55565afc0f57d2a0e9f7a186b5d5d8e5118fd3f976da.exe | win10v2004-20250314-en
behavioral11 | 414f523f34e87006f31ca4b703886d3b.exe | win7-20250207-en
behavioral12 | 414f523f34e87006f31ca4b703886d3b.exe | win10v2004-20250314-en
behavioral13 | 415b778406bbdc705f1962ded94e90d0.exe | win7-20241023-en
behavioral14 | 415b778406bbdc705f1962ded94e90d0.exe | win10v2004-20250314-en
behavioral15 | 4175909fcd35882461a1cfd784f7c967.exe | win7-20241023-en
behavioral16 | 4175909fcd35882461a1cfd784f7c967.exe | win10v2004-20250314-en
behavioral17 | 417e4b08378988e057831e5c3a74fd18014fc5fe2402e8aa3746e020a467ce74.exe | win7-20240903-en
behavioral18 | 417e4b08378988e057831e5c3a74fd18014fc5fe2402e8aa3746e020a467ce74.exe | win10v2004-20250314-en
behavioral19 | 4189a83a9b95038e6e32f05b4c69f3b4.exe | win7-20240903-en
behavioral20 | 4189a83a9b95038e6e32f05b4c69f3b4.exe | win10v2004-20250314-en
behavioral21 | 41c0c0017e07c3984ced9121a820b070.exe | win7-20241023-en
behavioral22 | 41c0c0017e07c3984ced9121a820b070.exe | win10v2004-20250314-en
behavioral23 | 41dc6460e6f99bd865a3456e9c0348c8.exe | win7-20241023-en
behavioral24 | 41dc6460e6f99bd865a3456e9c0348c8.exe | win10v2004-20250314-en
behavioral25 | 4202cc1a54d458c6b3a7579733cc35c1.exe | win7-20240903-en
behavioral26 | 4202cc1a54d458c6b3a7579733cc35c1.exe | win10v2004-20250314-en
behavioral27 | 4227543d6caf9c96a1ecdceb233e7a0b225f1dcb7baf02087183829d55361f7e.exe | win7-20240903-en
behavioral28 | 4227543d6caf9c96a1ecdceb233e7a0b225f1dcb7baf02087183829d55361f7e.exe | win10v2004-20250314-en
behavioral29 | 424fdd032528ca656b1513d1ca79a17116a6770be9d2f05a4e203c95d0b4dd46.exe | win7-20240903-en
behavioral30 | 424fdd032528ca656b1513d1ca79a17116a6770be9d2f05a4e203c95d0b4dd46.exe | win10v2004-20250314-en
behavioral31 | 4255dacb3601f46615055d9d23a538cd.exe | win7-20241023-en
behavioral32 | 4255dacb3601f46615055d9d23a538cd.exe | win10v2004-20250314-en
General
- Target: 410897f36809104096c8b600eb3a0444.exe
- Size: 1.1MB
- MD5: 410897f36809104096c8b600eb3a0444
- SHA1: 18e8b8e65471f7f19b3612ba93a20bd6a702e7dc
- SHA256: 1cf0ed57e906c3779244c8b9c1f5482db0f92e67c2055dce9fa90dc8fbef65ed
- SHA512: 479e8b2a06d8861f8bb1ca9d5271149408853dcccb5c93a1e7a0d72e2a01af47131cd91d50e1edbd5bc2c0edcdfdf07f56c8f6c04fd3c12edc67389cd75664d0
- SSDEEP: 12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\", \"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\", \"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\wininit.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\", \"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\Windows\\System32\\spwinsat\\lsm.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\", \"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\Windows\\System32\\spwinsat\\lsm.exe\", \"C:\\Program Files\\Java\\wininit.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Process spawned unexpected child process (8 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 2608 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 560 | 2608 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1020 | 2608 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 2608 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 2608 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2140 | 2608 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 2608 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2888 | 2608 | schtasks.exe | 31
UAC bypass (3 TTPs, 33 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 9 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2404 | powershell.exe
1896 | powershell.exe
1884 | powershell.exe
2360 | powershell.exe
112 | powershell.exe
2376 | powershell.exe
2344 | powershell.exe
2036 | powershell.exe
2196 | powershell.exe
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 410897f36809104096c8b600eb3a0444.exe
Executes dropped EXE (10 IoCs)
pid | Process
2380 | csrss.exe
2840 | csrss.exe
2044 | csrss.exe
1904 | csrss.exe
1900 | csrss.exe
2952 | csrss.exe
1144 | csrss.exe
1688 | csrss.exe
1644 | csrss.exe
1408 | csrss.exe
Adds Run key to start application (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Java\\wininit.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\deskadp\\dllhost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\spwinsat\\lsm.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\spwinsat\\lsm.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\deskadp\\dllhost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Java\\wininit.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Checks whether UAC is enabled (1 TTPs, 22 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 410897f36809104096c8b600eb3a0444.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 410897f36809104096c8b600eb3a0444.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Drops file in System32 directory (16 IoCs)
description | ioc | Process
File created | C:\Windows\System32\deskadp\dllhost.exe | 410897f36809104096c8b600eb3a0444.exe
File created | C:\Windows\System32\spwinsat\101b941d020240 | 410897f36809104096c8b600eb3a0444.exe
File opened for modification | C:\Windows\System32\deskadp\dllhost.exe | 410897f36809104096c8b600eb3a0444.exe
File created | C:\Windows\System32\drmmgrtn\0a1fd5f707cd16 | 410897f36809104096c8b600eb3a0444.exe
File created | C:\Windows\System32\KBDRU1\f3b6ecef712a24 | 410897f36809104096c8b600eb3a0444.exe
File opened for modification | C:\Windows\System32\drmmgrtn\RCXFDF0.tmp | 410897f36809104096c8b600eb3a0444.exe
File opened for modification | C:\Windows\System32\spwinsat\RCX9F7.tmp | 410897f36809104096c8b600eb3a0444.exe
File opened for modification | C:\Windows\System32\deskadp\RCX61.tmp | 410897f36809104096c8b600eb3a0444.exe
File opened for modification | C:\Windows\System32\KBDRU1\RCX4E6.tmp | 410897f36809104096c8b600eb3a0444.exe
File opened for modification | C:\Windows\System32\KBDRU1\spoolsv.exe | 410897f36809104096c8b600eb3a0444.exe
File opened for modification | C:\Windows\System32\spwinsat\lsm.exe | 410897f36809104096c8b600eb3a0444.exe
File created | C:\Windows\System32\drmmgrtn\sppsvc.exe | 410897f36809104096c8b600eb3a0444.exe
File created | C:\Windows\System32\deskadp\5940a34987c991 | 410897f36809104096c8b600eb3a0444.exe
File created | C:\Windows\System32\KBDRU1\spoolsv.exe | 410897f36809104096c8b600eb3a0444.exe
File created | C:\Windows\System32\spwinsat\lsm.exe | 410897f36809104096c8b600eb3a0444.exe
File opened for modification | C:\Windows\System32\drmmgrtn\sppsvc.exe | 410897f36809104096c8b600eb3a0444.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\RCXBFA.tmp | 410897f36809104096c8b600eb3a0444.exe
File opened for modification | C:\Program Files\Java\wininit.exe | 410897f36809104096c8b600eb3a0444.exe
File created | C:\Program Files\Java\wininit.exe | 410897f36809104096c8b600eb3a0444.exe
File created | C:\Program Files\Java\56085415360792 | 410897f36809104096c8b600eb3a0444.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 8 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
560 | schtasks.exe
1020 | schtasks.exe
2980 | schtasks.exe
2584 | schtasks.exe
2140 | schtasks.exe
2064 | schtasks.exe
2888 | schtasks.exe
2596 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (the report repeats the same pid/process pair many times; repeated rows are collapsed here, in the report's order)
2768 | 410897f36809104096c8b600eb3a0444.exe
112 | powershell.exe
2360 | powershell.exe
1896 | powershell.exe
2196 | powershell.exe
1884 | powershell.exe
2036 | powershell.exe
2344 | powershell.exe
2404 | powershell.exe
2376 | powershell.exe
2380 | csrss.exe
Suspicious use of AdjustPrivilegeToken (20 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2768 | 410897f36809104096c8b600eb3a0444.exe
Token: SeDebugPrivilege | 112 | powershell.exe
Token: SeDebugPrivilege | 2360 | powershell.exe
Token: SeDebugPrivilege | 1896 | powershell.exe
Token: SeDebugPrivilege | 2196 | powershell.exe
Token: SeDebugPrivilege | 2380 | csrss.exe
Token: SeDebugPrivilege | 1884 | powershell.exe
Token: SeDebugPrivilege | 2036 | powershell.exe
Token: SeDebugPrivilege | 2344 | powershell.exe
Token: SeDebugPrivilege | 2404 | powershell.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 2840 | csrss.exe
Token: SeDebugPrivilege | 2044 | csrss.exe
Token: SeDebugPrivilege | 1904 | csrss.exe
Token: SeDebugPrivilege | 1900 | csrss.exe
Token: SeDebugPrivilege | 2952 | csrss.exe
Token: SeDebugPrivilege | 1144 | csrss.exe
Token: SeDebugPrivilege | 1688 | csrss.exe
Token: SeDebugPrivilege | 1644 | csrss.exe
Token: SeDebugPrivilege | 1408 | csrss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row below appears three times in the report, except the last, which appears once)
PID 2768 wrote to memory of 112 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 40
PID 2768 wrote to memory of 2360 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 41
PID 2768 wrote to memory of 2196 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 43
PID 2768 wrote to memory of 2036 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 45
PID 2768 wrote to memory of 2344 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 47
PID 2768 wrote to memory of 1884 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 49
PID 2768 wrote to memory of 1896 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 50
PID 2768 wrote to memory of 2376 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 52
PID 2768 wrote to memory of 2404 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 53
PID 2768 wrote to memory of 2380 | 2768 | 410897f36809104096c8b600eb3a0444.exe | 58
PID 2380 wrote to memory of 2968 | 2380 | csrss.exe | 59
PID 2380 wrote to memory of 2724 | 2380 | csrss.exe | 60
PID 2968 wrote to memory of 2840 | 2968 | WScript.exe | 61
PID 2840 wrote to memory of 2892 | 2840 | csrss.exe | 62
PID 2840 wrote to memory of 2964 | 2840 | csrss.exe | 63
PID 2892 wrote to memory of 2044 | 2892 | WScript.exe | 64
PID 2044 wrote to memory of 1944 | 2044 | csrss.exe | 65
PID 2044 wrote to memory of 1856 | 2044 | csrss.exe | 66
PID 1944 wrote to memory of 1904 | 1944 | WScript.exe | 67
PID 1904 wrote to memory of 1740 | 1904 | csrss.exe | 68
PID 1904 wrote to memory of 932 | 1904 | csrss.exe | 69
PID 1740 wrote to memory of 1900 | 1740 | WScript.exe | 70
System policy modification 1 TTPs 33 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 410897f36809104096c8b600eb3a0444.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 410897f36809104096c8b600eb3a0444.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 410897f36809104096c8b600eb3a0444.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\RAC\StateData\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\drmmgrtn\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\deskadp\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDRU1\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\spwinsat\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2404

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 2)
  Command line: "C:\ProgramData\Microsoft\RAC\StateData\csrss.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2380

C:\Windows\System32\WScript.exe (level 3)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9253b4b8-1ca5-4c7a-9afb-648981831a17.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 2968

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 4)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2840

C:\Windows\System32\WScript.exe (level 5)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b69256e0-90a5-4e84-b5f3-cdabaec8c42a.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 2892

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 6)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2044

C:\Windows\System32\WScript.exe (level 7)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d5eaf92-9afb-44aa-913c-a7f75cc7bdc3.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 1944

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 8)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1904

C:\Windows\System32\WScript.exe (level 9)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e405fdf-68e1-44d3-83c2-644e0c1c5a17.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 1740

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 10)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1900

C:\Windows\System32\WScript.exe (level 11)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe662d53-a071-4167-919d-3407ac706be7.vbs"
  PID: 2336

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 12)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 2952

C:\Windows\System32\WScript.exe (level 13)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d2f4080-2966-41b8-9219-6366dd43ac56.vbs"
  PID: 544

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 14)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1144

C:\Windows\System32\WScript.exe (level 15)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df638cc7-5181-46ca-a918-ab814257e1f9.vbs"
  PID: 2692

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 16)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1688

C:\Windows\System32\WScript.exe (level 17)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7ec10a5-c912-45e4-a5f8-19a54012fcd8.vbs"
  PID: 2524

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 18)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1644

C:\Windows\System32\WScript.exe (level 19)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cef8c89f-554c-48f5-8f45-25ef969fe64e.vbs"
  PID: 1864

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 20)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1408

C:\Windows\System32\WScript.exe (level 21)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5267b4f1-9a63-40e0-b6df-3b1c7793a3ac.vbs"
  PID: 2340

C:\ProgramData\Microsoft\RAC\StateData\csrss.exe (level 22)
  Command line: C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  PID: 2900

C:\Windows\System32\WScript.exe (level 23)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b52a0662-41cc-4938-9d8a-8db8e1751584.vbs"
  PID: 1432

C:\Windows\System32\WScript.exe (level 23)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\362248b2-a08f-489c-b376-b799b06b1bf9.vbs"
  PID: 952

C:\Windows\System32\WScript.exe (level 21)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc07fbf0-77f3-4fb6-97aa-47eab1df1fda.vbs"
  PID: 2776

C:\Windows\System32\WScript.exe (level 19)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\999e5310-0d36-42a7-9486-d72ac5c12ef6.vbs"
  PID: 2096

C:\Windows\System32\WScript.exe (level 17)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54250279-c1ae-4e85-99de-6be5bdea8658.vbs"
  PID: 892

C:\Windows\System32\WScript.exe (level 15)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7712ddd-f945-425a-929f-79306658635e.vbs"
  PID: 2892

C:\Windows\System32\WScript.exe (level 13)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22ae0656-df84-4b2e-b1bd-abde506abf70.vbs"
  PID: 2924

C:\Windows\System32\WScript.exe (level 11)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49194993-5993-40ae-8f95-b1a3331f2c53.vbs"
  PID: 2344

C:\Windows\System32\WScript.exe (level 9)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a8b6113-aa01-4470-bca7-d86d1ab02b07.vbs"
  PID: 932

C:\Windows\System32\WScript.exe (level 7)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69b553f2-7c6b-498f-ba9c-2febecef1543.vbs"
  PID: 1856

C:\Windows\System32\WScript.exe (level 5)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f6fdcaa-9665-4e60-acf5-7257c53e0599.vbs"
  PID: 2964

C:\Windows\System32\WScript.exe (level 3)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c1a2115-b8b5-4a33-954b-25b9a13f157c.vbs"
  PID: 2724

C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\RAC\StateData\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2596

C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\drmmgrtn\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 560

C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\deskadp\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1020

C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2980

C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDRU1\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2584

C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2140

C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\spwinsat\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2064

C:\Windows\system32\schtasks.exe (level 1)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2888
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads