Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/03/2024, 14:48
Behavioral task: behavioral1
- Sample: 1994f3ef2118aeecbb74e6c8976fd47b.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1994f3ef2118aeecbb74e6c8976fd47b.exe
- Resource: win10v2004-20240226-en
General
- Target: 1994f3ef2118aeecbb74e6c8976fd47b.exe
- Size: 3.2MB
- MD5: 1994f3ef2118aeecbb74e6c8976fd47b
- SHA1: 8f157fc5c2af51db24b66085f29d3c1240be36b2
- SHA256: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
- SHA512: 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
- SSDEEP: 49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Process spawned unexpected child process (42 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2504 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1824 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3528 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1588 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4380 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5068 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1056 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 872 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4632 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 404 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1888 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1320 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5084 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4068 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 520 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3640 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2928 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 868 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3400 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3272 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3504 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3428 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3732 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4600 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3056 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4388 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5048 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3512 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3724 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4272 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 416 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4248 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1600 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3108 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 400 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4800 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3976 | 3644 | schtasks.exe | 90
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1496 | 3644 | schtasks.exe | 90
-
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
-
  resource | yara_rule
  behavioral2/memory/3720-0-0x0000000000910000-0x0000000000C40000-memory.dmp | dcrat
  behavioral2/files/0x0007000000023213-44.dat | dcrat
  behavioral2/files/0x0007000000023216-72.dat | dcrat
  behavioral2/files/0x0007000000023216-73.dat | dcrat
  behavioral2/files/0x000800000002323a-238.dat | dcrat
  behavioral2/files/0x0007000000023216-276.dat | dcrat
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | sppsvc.exe
- Executes dropped EXE (15 IoCs)
  pid | Process
  836 | sppsvc.exe
  4296 | sppsvc.exe
  2748 | sppsvc.exe
  3272 | sppsvc.exe
  400 | sppsvc.exe
  3908 | sppsvc.exe
  2708 | sppsvc.exe
  4564 | sppsvc.exe
  2280 | sppsvc.exe
  2812 | sppsvc.exe
  4800 | sppsvc.exe
  3720 | sppsvc.exe
  2468 | sppsvc.exe
  452 | sppsvc.exe
  4248 | sppsvc.exe
-
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
- Drops file in Program Files directory (8 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  File created | C:\Program Files (x86)\Internet Explorer\en-US\e1ef82546f0b02 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  File created | C:\Program Files\7-Zip\Lang\RuntimeBroker.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  File created | C:\Program Files\7-Zip\Lang\9e8d7a4ca61bd9 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\0a1fd5f707cd16 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\Panther\setup.exe\cc11b995f2a76d | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  File created | C:\Windows\System\Speech\explorer.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  File created | C:\Windows\Panther\setup.exe\winlogon.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 42 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  872 | schtasks.exe
  2544 | schtasks.exe
  2404 | schtasks.exe
  868 | schtasks.exe
  3400 | schtasks.exe
  3428 | schtasks.exe
  4600 | schtasks.exe
  3108 | schtasks.exe
  5068 | schtasks.exe
  1056 | schtasks.exe
  4068 | schtasks.exe
  3504 | schtasks.exe
  2576 | schtasks.exe
  3528 | schtasks.exe
  1888 | schtasks.exe
  520 | schtasks.exe
  2928 | schtasks.exe
  3732 | schtasks.exe
  3512 | schtasks.exe
  3724 | schtasks.exe
  1824 | schtasks.exe
  4388 | schtasks.exe
  5048 | schtasks.exe
  1496 | schtasks.exe
  2504 | schtasks.exe
  1320 | schtasks.exe
  5084 | schtasks.exe
  3640 | schtasks.exe
  3056 | schtasks.exe
  4800 | schtasks.exe
  4380 | schtasks.exe
  3272 | schtasks.exe
  4272 | schtasks.exe
  416 | schtasks.exe
  3976 | schtasks.exe
  1588 | schtasks.exe
  4632 | schtasks.exe
  404 | schtasks.exe
  4248 | schtasks.exe
  1600 | schtasks.exe
  400 | schtasks.exe
  2764 | schtasks.exe
- Modifies registry class (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | sppsvc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3720 | 1994f3ef2118aeecbb74e6c8976fd47b.exe (12 entries)
  836 | sppsvc.exe (49 entries)
  4296 | sppsvc.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3720 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
  Token: SeDebugPrivilege | 836 | sppsvc.exe
  Token: SeDebugPrivilege | 4296 | sppsvc.exe
  Token: SeDebugPrivilege | 2748 | sppsvc.exe
  Token: SeDebugPrivilege | 3272 | sppsvc.exe
  Token: SeDebugPrivilege | 400 | sppsvc.exe
  Token: SeDebugPrivilege | 3908 | sppsvc.exe
  Token: SeDebugPrivilege | 2708 | sppsvc.exe
  Token: SeDebugPrivilege | 4564 | sppsvc.exe
  Token: SeDebugPrivilege | 2280 | sppsvc.exe
  Token: SeDebugPrivilege | 2812 | sppsvc.exe
  Token: SeDebugPrivilege | 4800 | sppsvc.exe
  Token: SeDebugPrivilege | 3720 | sppsvc.exe
  Token: SeDebugPrivilege | 2468 | sppsvc.exe
  Token: SeDebugPrivilege | 452 | sppsvc.exe
  Token: SeDebugPrivilege | 4248 | sppsvc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3720 wrote to memory of 3888 | 3720 | 1994f3ef2118aeecbb74e6c8976fd47b.exe | 133
  PID 3720 wrote to memory of 3888 | 3720 | 1994f3ef2118aeecbb74e6c8976fd47b.exe | 133
  PID 3888 wrote to memory of 4324 | 3888 | cmd.exe | 135
  PID 3888 wrote to memory of 4324 | 3888 | cmd.exe | 135
  PID 3888 wrote to memory of 836 | 3888 | cmd.exe | 142
  PID 3888 wrote to memory of 836 | 3888 | cmd.exe | 142
  PID 836 wrote to memory of 4848 | 836 | sppsvc.exe | 143
  PID 836 wrote to memory of 4848 | 836 | sppsvc.exe | 143
  PID 836 wrote to memory of 2132 | 836 | sppsvc.exe | 144
  PID 836 wrote to memory of 2132 | 836 | sppsvc.exe | 144
  PID 4848 wrote to memory of 4296 | 4848 | WScript.exe | 147
  PID 4848 wrote to memory of 4296 | 4848 | WScript.exe | 147
  PID 4296 wrote to memory of 4800 | 4296 | sppsvc.exe | 148
  PID 4296 wrote to memory of 4800 | 4296 | sppsvc.exe | 148
  PID 4296 wrote to memory of 3976 | 4296 | sppsvc.exe | 149
  PID 4296 wrote to memory of 3976 | 4296 | sppsvc.exe | 149
  PID 4800 wrote to memory of 2748 | 4800 | WScript.exe | 150
  PID 4800 wrote to memory of 2748 | 4800 | WScript.exe | 150
  PID 2748 wrote to memory of 2424 | 2748 | sppsvc.exe | 152
  PID 2748 wrote to memory of 2424 | 2748 | sppsvc.exe | 152
  PID 2748 wrote to memory of 1724 | 2748 | sppsvc.exe | 153
  PID 2748 wrote to memory of 1724 | 2748 | sppsvc.exe | 153
  PID 2424 wrote to memory of 3272 | 2424 | WScript.exe | 154
  PID 2424 wrote to memory of 3272 | 2424 | WScript.exe | 154
  PID 3272 wrote to memory of 5104 | 3272 | sppsvc.exe | 156
  PID 3272 wrote to memory of 5104 | 3272 | sppsvc.exe | 156
  PID 3272 wrote to memory of 4352 | 3272 | sppsvc.exe | 157
  PID 3272 wrote to memory of 4352 | 3272 | sppsvc.exe | 157
  PID 5104 wrote to memory of 400 | 5104 | WScript.exe | 158
  PID 5104 wrote to memory of 400 | 5104 | WScript.exe | 158
  PID 400 wrote to memory of 4908 | 400 | sppsvc.exe | 159
  PID 400 wrote to memory of 4908 | 400 | sppsvc.exe | 159
  PID 400 wrote to memory of 3152 | 400 | sppsvc.exe | 160
  PID 400 wrote to memory of 3152 | 400 | sppsvc.exe | 160
  PID 4908 wrote to memory of 3908 | 4908 | WScript.exe | 161
  PID 4908 wrote to memory of 3908 | 4908 | WScript.exe | 161
  PID 3908 wrote to memory of 840 | 3908 | sppsvc.exe | 162
  PID 3908 wrote to memory of 840 | 3908 | sppsvc.exe | 162
  PID 3908 wrote to memory of 2284 | 3908 | sppsvc.exe | 163
  PID 3908 wrote to memory of 2284 | 3908 | sppsvc.exe | 163
  PID 840 wrote to memory of 2708 | 840 | WScript.exe | 165
  PID 840 wrote to memory of 2708 | 840 | WScript.exe | 165
  PID 2708 wrote to memory of 1944 | 2708 | sppsvc.exe | 166
  PID 2708 wrote to memory of 1944 | 2708 | sppsvc.exe | 166
  PID 2708 wrote to memory of 3512 | 2708 | sppsvc.exe | 167
  PID 2708 wrote to memory of 3512 | 2708 | sppsvc.exe | 167
  PID 1944 wrote to memory of 4564 | 1944 | WScript.exe | 168
  PID 1944 wrote to memory of 4564 | 1944 | WScript.exe | 168
  PID 4564 wrote to memory of 2564 | 4564 | sppsvc.exe | 169
  PID 4564 wrote to memory of 2564 | 4564 | sppsvc.exe | 169
  PID 4564 wrote to memory of 1900 | 4564 | sppsvc.exe | 170
  PID 4564 wrote to memory of 1900 | 4564 | sppsvc.exe | 170
  PID 2564 wrote to memory of 2280 | 2564 | WScript.exe | 171
  PID 2564 wrote to memory of 2280 | 2564 | WScript.exe | 171
  PID 2280 wrote to memory of 1056 | 2280 | sppsvc.exe | 172
  PID 2280 wrote to memory of 1056 | 2280 | sppsvc.exe | 172
  PID 2280 wrote to memory of 4168 | 2280 | sppsvc.exe | 173
  PID 2280 wrote to memory of 4168 | 2280 | sppsvc.exe | 173
  PID 1056 wrote to memory of 2812 | 1056 | WScript.exe | 174
  PID 1056 wrote to memory of 2812 | 1056 | WScript.exe | 174
  PID 2812 wrote to memory of 3164 | 2812 | sppsvc.exe | 175
  PID 2812 wrote to memory of 3164 | 2812 | sppsvc.exe | 175
  PID 2812 wrote to memory of 4024 | 2812 | sppsvc.exe | 176
  PID 2812 wrote to memory of 4024 | 2812 | sppsvc.exe | 176
System policy modification 1 TTPs 48 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  sppsvc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  sppsvc.exe
-
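The three values zeroed in the table above are the registry switches behind the "UAC bypass" and "System policy modification" signatures: EnableLUA=0 turns UAC off outright (effective after the next reboot), ConsentPromptBehaviorAdmin=0 lets an administrator token elevate with no consent prompt in the meantime, and PromptOnSecureDesktop=0 moves any prompt that still appears off the secure desktop. The Python below is an added triage helper, not part of the sandbox output or of the sample: it parses the sandbox's flattened "Set value" runs into (value, data, process) rows, compares each write against the Windows 10 defaults, and reports which process flipped all three. The sample blob is a subset of rows copied from the table above, plus one constructed benign write (EnableLUA=1 from explorer.exe, not in the report) that must not be flagged.

```python
import re
from collections import Counter

# Subset of rows copied from the "System policy modification" table above, kept in the
# sandbox's flattened form (several entries on one line). The last line is a constructed
# benign write, not from the report, so the baseline comparison has a negative case.
SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" explorer.exe
'''

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows 10 default for each value the sample zeroes, and what a zero means.
UAC_BASELINE = {
    "EnableLUA": (1, "0: UAC disabled entirely (takes effect after reboot)"),
    "ConsentPromptBehaviorAdmin": (5, "0: administrators elevate silently, no consent prompt"),
    "PromptOnSecureDesktop": (1, "0: any remaining prompt is drawn on the normal, spoofable desktop"),
}

# One "Set value (<type>) <key>\<name> = "<data>" <process>" entry; finditer walks a
# whole flattened line, so entries need not be newline-separated.
IOC_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>\w+) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)


def parse_policy_iocs(text):
    """Return (value_name, int_data, process) rows for writes under the UAC policy key."""
    rows = []
    for m in IOC_RE.finditer(text):
        if m.group("key").lower() != UAC_POLICY_KEY.lower():
            continue  # other keys are out of scope for this check
        rows.append((m.group("name"), int(m.group("data")), m.group("proc")))
    return rows


def weakened_uac_writes(text):
    """{process: Counter(value_name)} for every write that moves a value off its default."""
    findings = {}
    for name, data, proc in parse_policy_iocs(text):
        baseline = UAC_BASELINE.get(name)
        if baseline is None or data == baseline[0]:
            continue  # unknown value, or a write that restores the default
        findings.setdefault(proc, Counter())[name] += 1
    return findings


def processes_disabling_uac(findings):
    """Processes that flipped all three switches: silent elevation now, UAC off after reboot."""
    return {proc for proc, hits in findings.items() if set(hits) == set(UAC_BASELINE)}


def explain(findings):
    """One analyst-note line per (process, value), with the write count and its meaning."""
    lines = []
    for proc in sorted(findings):
        for name, n in sorted(findings[proc].items()):
            lines.append(f"{proc}: {name} off default ({UAC_BASELINE[name][0]}) x{n}; {UAC_BASELINE[name][1]}")
    return lines


if __name__ == "__main__":
    hits = weakened_uac_writes(SAMPLE_IOCS)
    print("\n".join(explain(hits)))
    print("full UAC disable by:", sorted(processes_disabling_uac(hits)))
```

Run it against the full table and every sppsvc.exe instance lands in the full-disable set as well; the subset above deliberately shows a process that has only touched two of the three values so far, which is what a partial capture looks like when the sandbox times out mid-run.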
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe  "C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"  1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3720 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cQTyHbvxeI.bat"  2⤵
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  3⤵
PID:4324
-
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:836 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d82d5aa-45d5-4807-9916-e03525769b88.vbs"  4⤵
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4296 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12af547c-6d1d-47c9-bb37-707775950d4e.vbs"  6⤵
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2748 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69d89d7a-7d7f-45e6-9c7b-85406d85cfe3.vbs"  8⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3272 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4855fbf4-6480-4449-ae11-cf91d642e9b3.vbs"  10⤵
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:400 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d626d0fb-1c2f-4ce0-9714-aa48bb8f43da.vbs"  12⤵
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3908 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f901b504-4e76-4400-b8dc-fd02a73cbbce.vbs"  14⤵
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2708 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16ed0cc2-d84e-450f-88db-c7c05a06e2b0.vbs"  16⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4564 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ab1e69f-2f1f-401d-938e-f71bfd6a81cd.vbs"  18⤵
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2280 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5af0a6be-4f61-470c-9af3-d9e879f95f18.vbs"  20⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2812 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8c8fd3-70ad-491b-a007-d682790a8883.vbs"  22⤵
PID:3164
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4800 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d5fdedc-353f-4832-9fd6-594eaec6169c.vbs"  24⤵
PID:5116
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3720 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d16705fd-80b4-4001-9000-eaf5f70a146d.vbs"  26⤵
PID:4600
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2468 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d85c7a2e-b8f9-44c3-9be9-bb12676c3c7e.vbs"  28⤵
PID:2700
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:452 -
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009483e7-25f6-445b-97f6-d52c08f7eae0.vbs"  30⤵
PID:1824
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe  "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"  31⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4248
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46d3ffb-f327-42d1-bcab-d066b0c99748.vbs"  30⤵
PID:2024
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2e18fdc-f38a-4263-966e-482f44ab5aae.vbs"  28⤵
PID:4192
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3511aee2-03e2-402d-8c2d-2d50e9aaad2f.vbs"  26⤵
PID:3140
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b32e7722-975d-443b-9f16-895a030b2aac.vbs"  24⤵
PID:212
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59cfbf42-15d8-4219-b6d8-dde0e5477e4f.vbs"  22⤵
PID:4024
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\511dbcf7-6261-4495-bcae-32f8c7d1e554.vbs"  20⤵
PID:4168
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0521a46e-267a-4466-9198-ae95eea5129a.vbs"  18⤵
PID:1900
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3d42e74-c59e-456b-bf90-a7abb4e658b9.vbs"  16⤵
PID:3512
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0ba46b-331d-4c29-86ab-cba3c3f4220b.vbs"  14⤵
PID:2284
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\234610d0-3143-4929-b184-fbd4359ef01d.vbs"  12⤵
PID:3152
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb50c54-c2bc-488d-81eb-530e537b80fa.vbs"  10⤵
PID:4352
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d2eda89-6efa-46e9-8ea6-ad91e7f02229.vbs"  8⤵
PID:1724
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeef1934-9cbc-4e53-9f6e-47ab16da9127.vbs"  6⤵
PID:3976
-
-
-
-
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acc37e4a-4df7-4402-b741-43e6041569cd.vbs"  4⤵
PID:2132
-
-
-
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\odt\lsass.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3428
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\services.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496
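Every task above points a Windows system-binary name (csrss.exe, lsass.exe, services.exe, winlogon.exe, spoolsv.exe, RuntimeBroker.exe, explorer.exe, sppsvc.exe, SearchApp.exe, SppExtComObj.exe, backgroundTaskHost.exe) at a directory where that binary never ships (C:\Recovery\WindowsRE, C:\Users\Default User, C:\odt, C:\Users\Public\Desktop, a fake C:\Windows\Panther\setup.exe\ folder, assorted Program Files subfolders), and each target path gets three tasks: one ONLOGON with /rl HIGHEST and two MINUTE repeats, one of which also runs at HIGHEST. The Python below is an added triage helper, not part of the sandbox output or of the sample: it tokenises each schtasks /create command line, pulls out the task name, trigger, target and run level, and flags any target whose file name matches a genuine Windows binary but whose directory is not the one that binary lives in. The directory table is an assumption of the Windows 10 install locations, not something the report states; the sample list is a subset of the command lines above plus one constructed benign task (not from the report) pointing at the real C:\Windows\System32\sppsvc.exe.

```python
import ntpath
import re

# schtasks command lines copied from the process list above (a subset). The last entry is
# a constructed benign control, not from the report, so the check has a negative case.
SAMPLE_TASKS = [
    r'''schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "UpdateCheck" /sc DAILY /tr "C:\Windows\System32\sppsvc.exe" /f''',
]

# Assumed Windows 10 install directory of each genuine binary (lower-case keys).
# A file with one of these names anywhere else is a masquerade candidate.
GENUINE_LOCATION = {
    "csrss.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "services.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "spoolsv.exe": r"C:\Windows\System32",
    "sppsvc.exe": r"C:\Windows\System32",
    "sppextcomobj.exe": r"C:\Windows\System32",
    "runtimebroker.exe": r"C:\Windows\System32",
    "backgroundtaskhost.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
    "searchapp.exe": r"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy",
}

# Double-quoted strings stay one token (paths with spaces); everything else splits on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_schtasks_create(cmdline):
    """Pull the triage-relevant fields out of a 'schtasks /create' command line.
    schtasks defaults to run level LIMITED unless /rl HIGHEST is given."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    task = {"name": None, "schedule": None, "modifier": None, "target": None,
            "run_level": "LIMITED", "force": False}
    i = 0
    while i < len(toks):
        flag = toks[i].lower()
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if flag == "/tn":
            task["name"] = nxt; i += 2
        elif flag == "/sc":
            task["schedule"] = nxt.upper(); i += 2
        elif flag == "/mo":
            task["modifier"] = int(nxt); i += 2
        elif flag == "/tr":
            task["target"] = nxt.strip("'"); i += 2   # the sample wraps the path in '...'
        elif flag == "/rl":
            task["run_level"] = nxt.upper(); i += 2
        elif flag == "/f":
            task["force"] = True; i += 1
        else:
            i += 1
    return task


def masquerade_reason(target):
    """Why the target looks like a system-binary masquerade, or None if it does not."""
    name = ntpath.basename(target).lower()
    expected = GENUINE_LOCATION.get(name)
    if expected is None:
        return None
    actual = ntpath.dirname(target)
    if actual.lower() == expected.lower():
        return None
    return f"{ntpath.basename(target)} ships in {expected}, scheduled from {actual}"


def triage(cmdlines):
    """Parsed tasks that impersonate a system binary, each with a reason and cadence."""
    findings = []
    for cmd in cmdlines:
        task = parse_schtasks_create(cmd)
        reason = masquerade_reason(task["target"])
        if reason is None:
            continue
        if task["schedule"] == "MINUTE":
            cadence = f"every {task['modifier']} min"
        else:
            cadence = task["schedule"].lower()
        findings.append({**task, "reason": reason, "cadence": cadence})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TASKS):
        print(f"{f['name']:<20} {f['cadence']:<14} {f['run_level']:<8} {f['reason']}")
```

The name check is deliberately strict on the directory rather than on "under C:\Windows", because the winlogon.exe copy above sits in C:\Windows\Panther\setup.exe\, a path that passes a prefix test but is a directory named like a file. On a live host the same comparison can be run against the output of schtasks /query /fo CSV /v, where the "Task To Run" column carries the target path.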
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): Bypass User Account Control (T1548.002) (1)
- Scheduled Task/Job (T1053) (1)
Downloads
-
Filesize
3.2MB
MD5 1994f3ef2118aeecbb74e6c8976fd47b
SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
-
Filesize
768KB
MD5 028958f59e67b43c84615a52817d8977
SHA1 2fd828295bb4dba9f860dc7f3e814c19e9f2a0ac
SHA256 f3b7cac5543a7ede99252839adaf7ed67782c2e5fa4230f270d79178dca3e43a
SHA512 bda4d5620242f4122477e6e9fec6f53149e8a389e8acb4de81cdb36692c3ac9c6b54015d601e2794ebccd7cfaa11f3e417b567945220af0cefad993a9ba7e6b1
-
Filesize
499KB
MD5 86d7e50391e4806fe5609633525e071e
SHA1 edd3ceada10bdcde88c56746c8ec435f85e46658
SHA256 863057243124f2dcf1a8366886e41226e2b747f9eddbcdd5578f445f41b18aea
SHA512 9c54d91fe4df3fa9d6bd71170f2a5620b7f8c678a40cc35598b1334657c481961255822518b3bbd5cf84d2135c0225686991825cbcf19bc2c599a6c04d92ac4c
-
Filesize
1.1MB
MD5 0016eafec1d4cb57bb7c1a1feaf1a8d3
SHA1 ee49434cab7bcb04a084386d07b2637201a14193
SHA256 eac7503539af33b83e0bce8a54d10c2f46d3e2bc190aad4d5914b26f3bc1c392
SHA512 621930cbd2bf8c218717e699a34bc81179d2a4a0f3c6731fa65a8f747cd910d296746046570bc583cc991162e17a76a3eb58485c962139d73dbed108f4572a51
-
Filesize
1KB
MD5 caa9da90d9bfc2c0fbadbf7eb57d1aae
SHA1 b0237d1cdb8c7fdb6f89e72475dbfb639c025ed7
SHA256 b5c2348671b5ad62cc02ded41adcf1855341bd6d20706bf45d9d68e4cddd4bbd
SHA512 da20485cf87f6e9b95141dea062188b5a2299ff1e1a7f83446afac0d8b70a2d18d02b60b232b2c9e6af5071906dd08f41cf4637379165c1823a9fa9b82d155d8
-
Filesize
732B
MD5 8ad4abd699e6a798f3b29220f25ca555
SHA1 fb5fadea7b6c353e5f9436cb3e51482cc6993ebb
SHA256 d993ee5e38de9b2a8d31008ee67ccdf3e331da8e166a1513e37034ed56d48fe5
SHA512 9a219fb5afa8ba7f999603f03130a66a0c22e93c97745fe41f4f1453644c5da5febf2514a3280e4857f8eeedb3e524da0eb2c7e18f68c8805daee041370bcc07
-
Filesize
733B
MD5 6958c61f6851698e8099cd0d3550e3de
SHA1 0ca86563a21078dc365aabda909b8cb3a19f5f52
SHA256 bc352647a4880304bcef4cbb562916b09852abcffea1aeb34e9b83b6d5f4fcc1
SHA512 02089be90e6b8c2fc199fa31fae3ef5d16c2b5a483ec4a519977cf3519642e74d0102f347975cbdc753417cfc7040fdacf3ce7606f8f31f3acc9df42c4e4c54f
-
Filesize
733B
MD5 68b89f0c229262f5b9b89844bd825ec3
SHA1 8147826601e70814e96e66a25c5cd238e9e26c4e
SHA256 f0cda4907e54d66f078573cf7e881c2b83bd5fedf4165e9601baaff2c3b97b1c
SHA512 86f5e100ae5c66e027eefccef754addd0c875a01f59d48d1eaa79adaca00d726907bf554d08654a63966256ca0ca743e1f99b719d67230b1aede59f389306848
-
Filesize
733B
MD5 3de88506bb7cec272ec7d6ce6e3343ad
SHA1 0461b3ce904089f0e61d0fd483d97a6f92def10b
SHA256 e7f0f0028d222ec2f3b1950904780104794d48d9527a721f07aab350929481dc
SHA512 7a19d1a6255db9f82082db10ed152477a82b22fc217c0eeb29f389f47a81fb3d6b714e0042562db9e018acba39b4cdfb1e3ba708923a47f239bb22d022e7bef3
-
Filesize
733B
MD5 032300f58a786600b434da92591dcf31
SHA1 a309714b9f17898e7e7d64f0b9f4b1a3803b98c8
SHA256 1cd332109c45eb557f6a9c1fef1339b29848a8b960eeb4f60d0cfbccf5639682
SHA512 fd603835b2a0175456f9ae1b1053e3cb04befad12434c473c424c10555c9c09f5ba43bf2ce3c83e4fe1d7bc9b13c7b1043ae9a8a4a6933dec0df98b0884fde92
-
Filesize
733B
MD5 e14f9f0df9bc185250e91f59453d7817
SHA1 bee851bc19586acad00caa30082f28d1db1a4e1a
SHA256 69914e2cd0c232c2e0da6ea10796164dd8bd45833864dd26319cd196d5e7bdc8
SHA512 66c9b82c0842008bb30c42a49f0e87886e2a60ff7bdf8577b2e54fc8c14ae2630533810331779a32036d4ffe20b766a981f9eb070a5091250cf27af606ef3771
-
Filesize
733B
MD5 e066873c029dcc396bda6878d4c89b13
SHA1 73b33123530ff05397590b7b9f78e1a834f6c4dc
SHA256 bd955b17bb71ebabfd0a103d99c02aed6f0c67c0b9fb27bb66266ca888635ce3
SHA512 583d60cae6177a3bbb26b4feec194eec30d066c5818fa9be697231a37a3065671f160b29f7b3d5d0641dededf521df0ef89826fe4c8b236eb86580ed3b8cc868
-
Filesize
733B
MD5 57dcdc9d61d7b636af4c1f8967726b22
SHA1 eecf3265b448ec7a8cfcb68f45bc96e7f367f7b9
SHA256 e9850007590b93e6a726e4bf015deaf7de2596c37ad9710bf8c6f290f9886262
SHA512 1e95a4f8b6d64fbc3655e0d4bfb22eeec7d86dc330050bc6f2985b3d8e7e4a86cd4a859dcb4e8e8a93adba48d66c4e4f973d0653e3f54ca744c11576d1c128ef
-
Filesize
732B
MD5 5e4850cb05206a2df1723d896baa8833
SHA1 f95848994124d4a12cd717eba12c36d998cd1595
SHA256 41ec6997ca8b2b749ed0c49294351f77570dd96c7327e5aeb1581a4fb26a0937
SHA512 cf028b6f186112a74b84bbe63c65bdef6f304a6be43794723a0fe9bcde186ed0a4a198e852a12b7c8397133d9394ebeecd69d79f9ec9283053ddadd807f1ed42
-
Filesize
1.3MB
MD5 5ebd26f7b539d06ee26e4335bdad1bac
SHA1 f8013bd49ea6c345395c56f4c373e39fe5b1d2eb
SHA256 7314a4df55312d5b2952c66fdc0ba36c2f5b1dbb3ad88f1dd2ba283c8400696b
SHA512 c343fb3b8c82967042a407d684cdb5968d80446e96d1fdfe9c4e33ca727a26281a2e7cae05a997f4983ecf61e3aec41252b544ef827592d556c4a5ffe76e8e73
-
Filesize
509B
MD5 bd2810464d4f16be36c4b29dbccbf59d
SHA1 91f8241bf8b21e959b23c5deac9fffa35a5c38a0
SHA256 d392ee756d3d81c0419cebff8302f7dec199efe7f179976755852193bea1e232
SHA512 9f135dc93d9d54451ba965773beb2c2c075cbbf45341d1604a6e3ef1aaa3f9b056df78d091c6d2ad8237284d8685e073e1a95462670cff9b1519a7bd3df3f955
-
Filesize
222B
MD5 802e033163d69821a99513883b5658b0
SHA1 e5e824f6ceabcb0fcf6e7fdf4d5832e8a1248c85
SHA256 55c0b7b1df58cdb684173782052cf3b87f4493626ef576b43995727ccd91b5f3
SHA512 b290bf94712c1f0e980cded735dc3e24e6bdd7612d0bac0b3097a21f462f82ab0af83cd371567ccf33455408d3ba1946e5d4077489ce6ad60a39eeec8a69d846
-
Filesize
733B
MD5 f58676873042c719ebaf8b09a8ed9bc5
SHA1 16d338bf9877a5a50cea1ab6f2be274d436e64eb
SHA256 b935a5adc967d708ee1206fb2b5e2a06f1e1adf89ee588bc04205c9ddb6f279a
SHA512 7aa7e17686d7dd027a0090e88e6c6bf271752ffac049aec46bd9b77cbb1de78f5b128aab60e7e3b2da379ee07cecf51e8461d0f2266e17e356a45991d742e241
-
Filesize
732B
MD5 6d012f2e58754e56d6e11ffd6625dee6
SHA1 22f43c246fde423f5aed8017348bfd453a0db060
SHA256 6c25775d402472f1029994dc1bd787d1553c379e04b6c5481b9fce3dc87d2c6d
SHA512 c7698ed47485b422042db109d7dbcecf123dab0734ce082185378d0c0b2dd9b0d194d0af4d3d3fb7ed2b9eb82afe9cbb4747328d9c6a99aaf2dec416d19a0d86
-
Filesize
733B
MD5 7a2b247056bedb213065666fc44b2bc4
SHA1 43f6bd5f51fb09b0e1b7141c82cd9a751c31378a
SHA256 3391a068ee113ffd25899758604b4ffe9ada35c80732984a31176085c3b86664
SHA512 68fbacfda257908caa98d4c20517d6f7aed5fdd40778fc70807be6521f72d1be3cc740cb887806131c7ce1f21ff0f54d340a8ecab25e340eaaa0a92a35eb1ca1
-
Filesize
733B
MD5 7bb9115e32e0d7e73740edae13322668
SHA1 cb6a86aa37b59184832a853bf7e88535bd2f3dfc
SHA256 d8a5b6dfda1e73a663ea4d68d015c636338533b4a8c55098933c24118b92224c
SHA512 903a97f22fbcdc2d231105199c521d005fc2ab84e33a26bb56ead8b5966f63741f3ef3f8a516d1ea4aa018f900c5b7243256984435f3def4404904916da9a8d3
-
Filesize
733B
MD5 82cace29aa6ac72793ea438659b0549a
SHA1 430b58d7e7a547af99ac4c719d2a0e08817a44fe
SHA256 1ca4adac2d55d14fb84777d9b7cf64827263b5dedd0be41b5a64a606ca9fdf1a
SHA512 e517d625a07a63147f7fa107e5144bed9c0b16be09c8a520757db9940373b08285ca51dd8f3e10d29707fce635375d9c92501377687fb01a0f810d3f93fe4ca6