Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/03/2024, 14:46
Behavioral task: behavioral1
Sample: 1994f3ef2118aeecbb74e6c8976fd47b.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 1994f3ef2118aeecbb74e6c8976fd47b.exe
Resource: win10v2004-20240319-en
General
Target: 1994f3ef2118aeecbb74e6c8976fd47b.exe
Size: 3.2MB
MD5: 1994f3ef2118aeecbb74e6c8976fd47b
SHA1: 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512: 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
SSDEEP: 49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1476 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2808 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3224 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3980 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1284 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5100 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3968 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3256 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4696 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4420 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3960 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4272 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3932 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4496 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3736 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3168 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2152 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3836 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3304 | 556 | schtasks.exe | 96 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1248 | 556 | schtasks.exe | 96 |
UAC bypass
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| resource | yara_rule |
|---|---|
| behavioral2/memory/3652-0-0x0000000000340000-0x0000000000670000-memory.dmp | dcrat |
| behavioral2/files/0x0007000000023374-44.dat | dcrat |
| behavioral2/files/0x000700000002336d-60.dat | dcrat |
| behavioral2/files/0x000700000002336d-61.dat | dcrat |
| behavioral2/files/0x000700000002336d-77.dat | dcrat |
| behavioral2/files/0x000700000002336d-92.dat | dcrat |
| behavioral2/files/0x000900000002338b-140.dat | dcrat |
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | sihost.exe |
Executes dropped EXE 12 IoCs
| pid | Process |
|---|---|
| 2824 | sihost.exe |
| 2340 | sihost.exe |
| 1600 | sihost.exe |
| 5100 | sihost.exe |
| 736 | sihost.exe |
| 1004 | sihost.exe |
| 800 | sihost.exe |
| 1816 | sihost.exe |
| 5032 | sihost.exe |
| 2524 | sihost.exe |
| 2600 | sihost.exe |
| 1332 | sihost.exe |
Checks whether UAC is enabled
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
Drops file in Program Files directory 5 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94 | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File created | C:\Program Files\dotnet\swidtag\unsecapp.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File created | C:\Program Files\dotnet\swidtag\29c1c3cc0f7685 | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
Drops file in Windows directory 7 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\IME\sihost.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File created | C:\Windows\IME\66fc9ff0ee96c2 | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File created | C:\Windows\rescache\_merged\1973483750\csrss.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File created | C:\Windows\DigitalLocker\en-US\WmiPrvSE.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File created | C:\Windows\DigitalLocker\en-US\24dbde2999530e | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\56085415360792 | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
|---|---|
| 2444 | schtasks.exe |
| 4696 | schtasks.exe |
| 4420 | schtasks.exe |
| 3932 | schtasks.exe |
| 1248 | schtasks.exe |
| 1284 | schtasks.exe |
| 3256 | schtasks.exe |
| 3968 | schtasks.exe |
| 2656 | schtasks.exe |
| 3960 | schtasks.exe |
| 2680 | schtasks.exe |
| 4496 | schtasks.exe |
| 3304 | schtasks.exe |
| 3224 | schtasks.exe |
| 5100 | schtasks.exe |
| 2152 | schtasks.exe |
| 3836 | schtasks.exe |
| 1476 | schtasks.exe |
| 4272 | schtasks.exe |
| 3980 | schtasks.exe |
| 3736 | schtasks.exe |
| 3168 | schtasks.exe |
| 2052 | schtasks.exe |
| 2808 | schtasks.exe |
Modifies registry class 11 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | sihost.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 13 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 3652 | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Token: SeDebugPrivilege | 2824 | sihost.exe |
| Token: SeDebugPrivilege | 2340 | sihost.exe |
| Token: SeDebugPrivilege | 1600 | sihost.exe |
| Token: SeDebugPrivilege | 5100 | sihost.exe |
| Token: SeDebugPrivilege | 736 | sihost.exe |
| Token: SeDebugPrivilege | 1004 | sihost.exe |
| Token: SeDebugPrivilege | 800 | sihost.exe |
| Token: SeDebugPrivilege | 1816 | sihost.exe |
| Token: SeDebugPrivilege | 5032 | sihost.exe |
| Token: SeDebugPrivilege | 2524 | sihost.exe |
| Token: SeDebugPrivilege | 2600 | sihost.exe |
| Token: SeDebugPrivilege | 1332 | sihost.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3652 wrote to memory of 2824 | 3652 | 1994f3ef2118aeecbb74e6c8976fd47b.exe | 121 |
| PID 3652 wrote to memory of 2824 | 3652 | 1994f3ef2118aeecbb74e6c8976fd47b.exe | 121 |
| PID 2824 wrote to memory of 3016 | 2824 | sihost.exe | 124 |
| PID 2824 wrote to memory of 3016 | 2824 | sihost.exe | 124 |
| PID 2824 wrote to memory of 2384 | 2824 | sihost.exe | 125 |
| PID 2824 wrote to memory of 2384 | 2824 | sihost.exe | 125 |
| PID 3016 wrote to memory of 2340 | 3016 | WScript.exe | 126 |
| PID 3016 wrote to memory of 2340 | 3016 | WScript.exe | 126 |
| PID 2340 wrote to memory of 3304 | 2340 | sihost.exe | 127 |
| PID 2340 wrote to memory of 3304 | 2340 | sihost.exe | 127 |
| PID 2340 wrote to memory of 4544 | 2340 | sihost.exe | 128 |
| PID 2340 wrote to memory of 4544 | 2340 | sihost.exe | 128 |
| PID 3304 wrote to memory of 1600 | 3304 | WScript.exe | 130 |
| PID 3304 wrote to memory of 1600 | 3304 | WScript.exe | 130 |
| PID 1600 wrote to memory of 4668 | 1600 | sihost.exe | 131 |
| PID 1600 wrote to memory of 4668 | 1600 | sihost.exe | 131 |
| PID 1600 wrote to memory of 3248 | 1600 | sihost.exe | 132 |
| PID 1600 wrote to memory of 3248 | 1600 | sihost.exe | 132 |
| PID 4668 wrote to memory of 5100 | 4668 | WScript.exe | 133 |
| PID 4668 wrote to memory of 5100 | 4668 | WScript.exe | 133 |
| PID 5100 wrote to memory of 1180 | 5100 | sihost.exe | 136 |
| PID 5100 wrote to memory of 1180 | 5100 | sihost.exe | 136 |
| PID 5100 wrote to memory of 4960 | 5100 | sihost.exe | 137 |
| PID 5100 wrote to memory of 4960 | 5100 | sihost.exe | 137 |
| PID 1180 wrote to memory of 736 | 1180 | WScript.exe | 139 |
| PID 1180 wrote to memory of 736 | 1180 | WScript.exe | 139 |
| PID 736 wrote to memory of 3836 | 736 | sihost.exe | 140 |
| PID 736 wrote to memory of 3836 | 736 | sihost.exe | 140 |
| PID 736 wrote to memory of 3736 | 736 | sihost.exe | 141 |
| PID 736 wrote to memory of 3736 | 736 | sihost.exe | 141 |
| PID 3836 wrote to memory of 1004 | 3836 | WScript.exe | 142 |
| PID 3836 wrote to memory of 1004 | 3836 | WScript.exe | 142 |
| PID 1004 wrote to memory of 3956 | 1004 | sihost.exe | 143 |
| PID 1004 wrote to memory of 3956 | 1004 | sihost.exe | 143 |
| PID 1004 wrote to memory of 5000 | 1004 | sihost.exe | 144 |
| PID 1004 wrote to memory of 5000 | 1004 | sihost.exe | 144 |
| PID 3956 wrote to memory of 800 | 3956 | WScript.exe | 145 |
| PID 3956 wrote to memory of 800 | 3956 | WScript.exe | 145 |
| PID 800 wrote to memory of 4268 | 800 | sihost.exe | 146 |
| PID 800 wrote to memory of 4268 | 800 | sihost.exe | 146 |
| PID 800 wrote to memory of 2308 | 800 | sihost.exe | 147 |
| PID 800 wrote to memory of 2308 | 800 | sihost.exe | 147 |
| PID 4268 wrote to memory of 1816 | 4268 | WScript.exe | 148 |
| PID 4268 wrote to memory of 1816 | 4268 | WScript.exe | 148 |
| PID 1816 wrote to memory of 4564 | 1816 | sihost.exe | 149 |
| PID 1816 wrote to memory of 4564 | 1816 | sihost.exe | 149 |
| PID 1816 wrote to memory of 1284 | 1816 | sihost.exe | 150 |
| PID 1816 wrote to memory of 1284 | 1816 | sihost.exe | 150 |
| PID 4564 wrote to memory of 5032 | 4564 | WScript.exe | 151 |
| PID 4564 wrote to memory of 5032 | 4564 | WScript.exe | 151 |
| PID 5032 wrote to memory of 2824 | 5032 | sihost.exe | 152 |
| PID 5032 wrote to memory of 2824 | 5032 | sihost.exe | 152 |
| PID 5032 wrote to memory of 4964 | 5032 | sihost.exe | 153 |
| PID 5032 wrote to memory of 4964 | 5032 | sihost.exe | 153 |
| PID 2824 wrote to memory of 2524 | 2824 | WScript.exe | 154 |
| PID 2824 wrote to memory of 2524 | 2824 | WScript.exe | 154 |
| PID 2524 wrote to memory of 948 | 2524 | sihost.exe | 155 |
| PID 2524 wrote to memory of 948 | 2524 | sihost.exe | 155 |
| PID 2524 wrote to memory of 2016 | 2524 | sihost.exe | 156 |
| PID 2524 wrote to memory of 2016 | 2524 | sihost.exe | 156 |
| PID 948 wrote to memory of 2600 | 948 | WScript.exe | 157 |
| PID 948 wrote to memory of 2600 | 948 | WScript.exe | 157 |
| PID 2600 wrote to memory of 4872 | 2600 | sihost.exe | 158 |
| PID 2600 wrote to memory of 4872 | 2600 | sihost.exe | 158 |
System policy modification 1 TTPs 39 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3652

Level 2: C:\Windows\IME\sihost.exe
Command line: "C:\Windows\IME\sihost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2824

Level 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15234ff9-bbcb-4579-9fda-e93d30bb2914.vbs"
- Suspicious use of WriteProcessMemory
PID: 3016

Level 4: C:\Windows\IME\sihost.exe
Command line: C:\Windows\IME\sihost.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2340

Level 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da48e0fc-f022-4033-b910-4729c7b9c20f.vbs"
- Suspicious use of WriteProcessMemory
PID: 3304

Level 6: C:\Windows\IME\sihost.exe
Command line: C:\Windows\IME\sihost.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1600

Level 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b70013c-6727-4b82-9265-3fa9548cc030.vbs"
- Suspicious use of WriteProcessMemory
PID: 4668

Level 8: C:\Windows\IME\sihost.exe
Command line: C:\Windows\IME\sihost.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 5100

Level 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7567cb4-16d5-4dff-b4bb-bb84e6e28a7f.vbs"
- Suspicious use of WriteProcessMemory
PID: 1180

Level 10: C:\Windows\IME\sihost.exe
Command line: C:\Windows\IME\sihost.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 736

Level 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94e6685f-aa57-4d24-9a3a-e4862051ea63.vbs"
- Suspicious use of WriteProcessMemory
PID: 3836

Level 12: C:\Windows\IME\sihost.exe
Command line: C:\Windows\IME\sihost.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1004

Level 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3efcd243-0177-4d7d-89ed-122ed781660d.vbs"
- Suspicious use of WriteProcessMemory
PID: 3956

Level 14: C:\Windows\IME\sihost.exe
Command line: C:\Windows\IME\sihost.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 800

Level 15: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e47e9233-795b-4e17-9aac-54f6c06d962e.vbs"
- Suspicious use of WriteProcessMemory
PID: 4268

Level 16: C:\Windows\IME\sihost.exe
Command line: C:\Windows\IME\sihost.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1816

Level 17: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21442f3d-ae3b-4097-9039-dcde8eb658b0.vbs"
- Suspicious use of WriteProcessMemory
PID: 4564

Level 18: C:\Windows\IME\sihost.exe
Command line: C:\Windows\IME\sihost.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 5032

Level 19: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9155a3a-ba96-4998-99c7-f3b012b76dbb.vbs"
- Suspicious use of WriteProcessMemory
PID: 2824

Level 20: C:\Windows\IME\sihost.exe
Command line: C:\Windows\IME\sihost.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2524

Level 21: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc19abc5-01c1-4dcd-93fb-918855712286.vbs"
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\IME\sihost.exeC:\Windows\IME\sihost.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2600 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e04fe46-58ee-46b5-b9dd-f868daf08af9.vbs"23⤵PID:4872
-
C:\Windows\IME\sihost.exeC:\Windows\IME\sihost.exe24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1332
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75124d03-8375-4cca-a474-3121e6e88ef1.vbs"23⤵PID:1660
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\447d858a-acb8-4a4f-828f-f01f7363e6c2.vbs"21⤵PID:2016
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a5418e9-65dc-492f-b816-a8551bc8866c.vbs"19⤵PID:4964
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a29f429e-4d42-4939-9ce2-86d93ef89156.vbs"17⤵PID:1284
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67a842c9-65c9-44a9-9e03-63f55a2d2296.vbs"15⤵PID:2308
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c13d4804-f98e-4837-85df-14e90c84afc0.vbs"13⤵PID:5000
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c64d213-d109-470c-b1a5-f4ebaec1a296.vbs"11⤵PID:3736
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcac7a25-e525-42fb-87d0-bad48b43bcb8.vbs"9⤵PID:4960
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48235334-98bc-48cc-b170-61e59946c04a.vbs"7⤵PID:3248
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc2caa68-021d-4fb2-bc92-19db02bbde9b.vbs"5⤵PID:4544
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b013b4bb-b03a-4ba4-ac08-5670cf4f0c95.vbs"3⤵PID:2384
-
-
-
Scheduled tasks registered at depth 1 (every schtasks.exe process below carries the signatures "Process spawned unexpected child process" and "Creates scheduled task(s)")

- PID 1476: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
- PID 2052: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
- PID 2808: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
- PID 3224: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
- PID 3980: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
- PID 1284: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
- PID 5100: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\sihost.exe'" /f
- PID 3968: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\IME\sihost.exe'" /rl HIGHEST /f
- PID 2656: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\sihost.exe'" /rl HIGHEST /f
- PID 3256: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
- PID 2444: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- PID 4696: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- PID 4420: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
- PID 3960: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
- PID 2680: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
- PID 4272: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\WmiPrvSE.exe'" /f
- PID 3932: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
- PID 4496: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
- PID 3736: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /f
- PID 3168: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /rl HIGHEST /f
- PID 2152: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /rl HIGHEST /f
- PID 3836: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\swidtag\unsecapp.exe'" /f
- PID 3304: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\unsecapp.exe'" /rl HIGHEST /f
- PID 1248: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\swidtag\unsecapp.exe'" /rl HIGHEST /f

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1292)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8
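The scheduled-task list above is the persistence layer of this sample: the payload is dropped under six borrowed Windows binary names (fontdrvhost, msedge, sihost, WmiPrvSE, wininit, unsecapp) at eight locations that are never the real home of those binaries, and each copy is registered three times, once every few minutes, once at logon, and once more at highest run level. The Python below is an added triage helper, not part of the sandbox report or of the sample. It parses `schtasks /create` command lines of the shape shown above, flags a target whose file name belongs to a system process but whose directory does not (the same check that catches the C:\Windows\IME\sihost.exe image in the process tree), and flags /rl HIGHEST. The EXPECTED_DIRS table is reference data supplied for this example, and the last SAMPLE line is a constructed benign control, not a line from the report.

```python
"""Added triage helper for schtasks.exe persistence entries (not the sandbox's code).

Flags (a) masquerading: the target file name is a Windows system binary but its
directory is not that binary's real location, and (b) tasks registered with
/rl HIGHEST. EXPECTED_DIRS is analyst-supplied reference data for this example.
"""
import re
from pathlib import PureWindowsPath

# Where the borrowed binary names genuinely live on a Windows 10 x64 host
# (reference data supplied for this example; compared case-insensitively).
EXPECTED_DIRS = {
    "fontdrvhost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "sihost.exe": {r"C:\Windows\System32"},
    "wmiprvse.exe": {r"C:\Windows\System32\wbem", r"C:\Windows\SysWOW64\wbem"},
    "unsecapp.exe": {r"C:\Windows\System32\wbem", r"C:\Windows\SysWOW64\wbem"},
    "wininit.exe": {r"C:\Windows\System32"},
    "msedge.exe": {
        r"C:\Program Files\Microsoft\Edge\Application",
        r"C:\Program Files (x86)\Microsoft\Edge\Application",
    },
}

# Matches /tn "name"  /sc MINUTE  /mo 12  /tr "'C:\path\x.exe'"  /rl HIGHEST
_ARG = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)

# Three command lines copied from the report above, plus one constructed benign control.
SAMPLE = [
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f''',
    r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\IME\sihost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "EdgeStartup" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'" /f''',  # constructed
]


def parse_schtasks(cmdline):
    """Map the /tn /sc /mo /tr /rl arguments of a schtasks /create line to their values."""
    args = {}
    for key, value in _ARG.findall(cmdline):
        # The report wraps the path as "'...'", so strip both quote layers.
        args[key.lower()] = value.strip('"').strip("'")
    return args


def is_masquerading(path):
    """True when the file name is a known system binary but the directory is not its real one."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None:
        return False  # not a name we track; no opinion
    return str(p.parent).lower() not in {d.lower() for d in expected}


def triage(cmdline):
    """Summarise one schtasks /create line; 'suspicious' is set on masquerading or /rl HIGHEST."""
    a = parse_schtasks(cmdline)
    sc = a.get("sc", "").upper()
    if sc == "MINUTE":
        schedule = "every %s minute(s)" % a.get("mo", "?")
    elif sc == "ONLOGON":
        schedule = "at logon"
    else:
        schedule = sc.lower() or "unknown"
    masq = is_masquerading(a.get("tr", ""))
    highest = a.get("rl", "").upper() == "HIGHEST"
    return {
        "task": a.get("tn", ""),
        "target": a.get("tr", ""),
        "schedule": schedule,
        "masquerading": masq,
        "highest": highest,
        "suspicious": masq or highest,
    }


def suspicious_tasks(cmdlines):
    """Return the task names from cmdlines that triage() marks suspicious, in input order."""
    return [r["task"] for r in map(triage, cmdlines) if r["suspicious"]]


if __name__ == "__main__":
    for line in SAMPLE:
        r = triage(line)
        print("%-13s %-20s masquerading=%-5s highest=%-5s %s"
              % (r["task"], r["schedule"], r["masquerading"], r["highest"], r["target"]))
```

On the report's lines every task trips the masquerading check, because none of the eight drop directories is a legitimate home for the file name it carries; the logon tasks additionally trip the HIGHEST check. The control line registers the real Edge binary at logon without /rl and is left alone, which is the distinction a responder needs when sweeping `schtasks /query /fo LIST /v` output from a fleet.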
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads

- Filesize: 3.2MB
  MD5: 1994f3ef2118aeecbb74e6c8976fd47b
  SHA1: 8f157fc5c2af51db24b66085f29d3c1240be36b2
  SHA256: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
  SHA512: 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
- Filesize: 1KB
  MD5: caa9da90d9bfc2c0fbadbf7eb57d1aae
  SHA1: b0237d1cdb8c7fdb6f89e72475dbfb639c025ed7
  SHA256: b5c2348671b5ad62cc02ded41adcf1855341bd6d20706bf45d9d68e4cddd4bbd
  SHA512: da20485cf87f6e9b95141dea062188b5a2299ff1e1a7f83446afac0d8b70a2d18d02b60b232b2c9e6af5071906dd08f41cf4637379165c1823a9fa9b82d155d8
- Filesize: 701B
  MD5: c197d86851a27e80e79fa26f2a8cd389
  SHA1: 74f84aeac26093634d4cc98c8889ca31fa11dc1b
  SHA256: 0d5316e6762e27563d8efac7420bf6cce53db522899c1d0affeb328904f5bb21
  SHA512: 2ee24e8465f7e267061aa2889604a9554fec7e6e4edd6e32fbd4edb4fa2b482087f3580c11857c707fe2a69242e3a2483f7de3469cde649f8147c57d6b6ecf63
- Filesize: 701B
  MD5: 1be80a536ae16237e66690e5ef8dd013
  SHA1: 5c7cd5fc2ac83592b41d985ad5a0c01049115458
  SHA256: a1a70a21d8e636ef1a39a3b29a1528a3d49f39a89921e34b62ca2770decd0c9f
  SHA512: f1a928a7576ffa67f1340736366eb8b5f17d6501bf3aecb6656bf5f3ddca7c5d14ba452f99d3124d06b6a46fcc428ad076e05fe5c2b776d1f5a6fe64cff04600
- Filesize: 701B
  MD5: bd108ac39a6242efc9fb010349bec6fd
  SHA1: 3bac999a0d5f9cf64edc63a09cc73ba6e70ab759
  SHA256: 645e20c335b9932fd3a6545f29949dbd153a8117bba54e4951ec128fd8ca2127
  SHA512: c4886037f151a89dc0f01cf690677076d5f0d50f3113e70efb7d6b96afadd18acad02274d09d414899bc5c1033e5127458625ffeccecc4e0d6e3216e11008afe
- Filesize: 701B
  MD5: 932dd01f505d029a58bd9ad1b5702500
  SHA1: 413833da9a3a209cd00166525ed4b8679ae47114
  SHA256: 80933d16c707bc8b93bd7ec4bec57ba1b3bd53195b992acc93a0b95ec4a4b43a
  SHA512: de00c156fea8e8152120f22a978c1053f95b55d5a5ca88f97ea65732b9cbc0081b10c59fca50f6664d01aa689fc2d69983488091241405d326e1954afb3a9abb
- Filesize: 2.6MB
  MD5: b0d37d80f38c5a9b2c6bbd82cbe9b02f
  SHA1: 023ea65c16cbdb86648c06b257473f267b9dced4
  SHA256: d2c34cafaecb5326c0d7128a5f2ccf3fe8694675579aa5b81caef4549d591952
  SHA512: f151bd0db69a63b2b6a7d9ab2bac2a13b96508240b7c2e3db9a9773ed24eede1d9d62c33355db3d282d56bbe2aac9fdb8396226ded09d92f3fb8818f446a8929
- Filesize: 701B
  MD5: 7b0d75ad5be2ae9635155b3d693acb02
  SHA1: f1114fbad4e3333bea3b6054eece870391141332
  SHA256: b1680b8abac818b72e8ac595f812290b9699464118984ccdbfa62f155c3b1a8c
  SHA512: 8ab2175a32f50320c722577e5a9f33f912d4baa6545a73bc26c1ffb4e3f7478f6a24df15a06a032fe3a001ca08f92adab0cc4db0bbee86346d1c431000b41e6f
- Filesize: 700B
  MD5: e848b08fb6632d8ab39cd172d89ddafd
  SHA1: 48f5fc9c617dac5c9440cb4a0793284cfc3598c7
  SHA256: 348fbde7951db51755b40c388eb69d0f4d299fde542009fdb674ab7874e63002
  SHA512: 6f9ab508685569c1a9bc54d9f9601b5008db2d7a98cac3b1e55bc5f41f9343e89a5a70d48e8b007005fba1ec895f8326b5e85fe20522422437f6b2d6afec045e
- Filesize: 477B
  MD5: ae69c49a9e4ff35f66476085d64fe9e8
  SHA1: 71dc96965de06ce02c5de133589e43e318f98c87
  SHA256: 99d31f720a1169c989bd8b553ee4340b6e7186775d2698dfd4af200b69b11aea
  SHA512: 2f7cbe5201fa3f524155ab5513a26e3135b73562ff5d70e39ed27c459b50ed7d39225c26c41f79b0934c29ba2ab352b5c6981c058d33353f5f20269c1b4a0279
- Filesize: 701B
  MD5: 9aa99fa17b336b4e99388fde3a93c1a1
  SHA1: 169503477daecc8aeccd1f7f466e50539603a6e8
  SHA256: c755cd395df9622480553e93ace749ce01287cad92d9fa8714e9827df5ed35eb
  SHA512: 57fd634b84c150d637b87f0447db6530600287db61dbdabb5464244ba9aba05b50ff586e7212033c592227411c9c123e20a3e2585d19ca69a5b1bd2738b40cdc
- Filesize: 701B
  MD5: e4b3252bfc8a732ba543e0316a2b48f6
  SHA1: 4b26183a81e3215db513a21ccc8ea1463422cb2a
  SHA256: 06cabbdde4774fa04fc6d2620dfc43c75a3cf2191a597d6dda706e485dd6b314
  SHA512: ec01ef6b2a09f359db463f46bc98cc7f1ca0521936d72e5d98b0d16c5eebeeb67d461930504d007d8a9da61aa56c3b4ddecd53e6b20680c1b062b4e0f82a6f62
- Filesize: 701B
  MD5: 758fbc3773cd47b587e18ffe8c5c97c0
  SHA1: 0be7cd3bad942a91be07bc9c2e6c3a2d54cca6cb
  SHA256: af79947f9e91e78051b4983e74fd6163474995c8abb1965f05ada57f87ce7fc2
  SHA512: 5d74f41bdd9b472ea9414cf4475c8f984e5578b676967561c128b59eb3bb4e6b0cca5a006e06df5979afc367ab4cb4171d972ab9b703fce2d31325fdd94647b2
- Filesize: 701B
  MD5: c620990b01cfffcd2b1c5440fd42a88c
  SHA1: dacb204296f1e3dd7cbdd5813f7596a8718eacb3
  SHA256: 2e31b33e3b28ed7a3d49a92301b3a8f9868970c8bb6ac1b9be8a1101ded3c287
  SHA512: 6fe3bc58bcaef072b51c9959fc161e7832ec5839bf6b80b3bc4cd7512d15643574c357fb84f66522278d1093d8dc19bacc5139f5e6b447b8802d02a9244f06ac
- Filesize: 700B
  MD5: 887014ce5b8fc69f95c890e9b277e6bd
  SHA1: fcec44c84571ebf765f190280f32ec070c7d0e14
  SHA256: 619ef7b684ef1e825512678c6f5abb9c2a067d6912d6d4d3582ec24d3dc2abe1
  SHA512: b6323b809ac900663dab28fe799ae188d9cc27b02cf37bfbc3acb4f8379bc48decd4a492ae777ff50b0147853a1a067cbd07e73d1c9dcbe29fb4b365d95da31d
- Filesize: 832KB
  MD5: 6ec7dd5d1c82cd6031c2579b6282699e
  SHA1: 0546c098d69dc312606ab273cbc5dcb928f65453
  SHA256: 1b0c172d0db46827b918934f88c34e74fa0ffcb79ebead3ea03e26d8f7186580
  SHA512: d7050d15ca7c1164bd3a3f61296ea78af19332aa332ea799361da02f35701739234043571a5e5a902f1badbab605e2ca8a7b111c9135d01d5b2aaf5d95aad945
- Filesize: 1024KB
  MD5: 8b2ca5725b53c924f814806bccc73a34
  SHA1: f1dacc8df8f52f2fcab15c5c80bcc686c9b08db2
  SHA256: e8c2d275a9e46065c470b273039bcca11bc691ed2319d5553237deadfe009370
  SHA512: e7f68e0ba90431a07ce952c5199242376eb2424f9b0c396359ed3f9b176b21eb32ea6a7ecfa5ba9a713c03dda0aff0f1f275482f68c7921a4f2d3d3991567318
- Filesize: 2.0MB
  MD5: c27c96535b0354240030124f1b323e48
  SHA1: beab51e8d4cd917cb446153f9526a23267e01bac
  SHA256: 9e4b1d0e68b6ab5e47a7c4a354aed06b8b10d5194f85a7d3c52051e7e65f14ae
  SHA512: 69072761f6e9cfbfaee03fc7dc62b28087a761b2b278a104a4b8118616725d41bae54449bf89bcb0848847d249f5c466f6bb8cdddb08d9564f93605cac1a8291
- Filesize: 1.6MB
  MD5: 82d45dfd4a00c69ce48efc368d274c6f
  SHA1: f7688e639d5f71cc62a602879eb70436f8db095f
  SHA256: 4a962da9ab8a3e14da476b61239458cb9e134f50812753a6e5992277c6575da4
  SHA512: 1f2254768fae9c3b46f0ad3ab214f9afb7314de640dc1266faf84ca4242683f3e111a288b9eacff06775b07fe236621b1bf4021d24f2089f220e6eaf8ea4389b