Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2024, 02:11

Behavioral task: behavioral1
Sample: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Resource: win10v2004-20240226-en

General
Target: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Size: 3.2MB
MD5: 1994f3ef2118aeecbb74e6c8976fd47b
SHA1: 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512: 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
SSDEEP: 49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Detects executables packed with SmartAssembly 8 IoCs
Executes dropped EXE 9 IoCs
pid   Process
2100  taskhost.exe
2352  taskhost.exe
2580  taskhost.exe
2676  taskhost.exe
704   taskhost.exe
2512  taskhost.exe
2648  taskhost.exe
2164  taskhost.exe
2976  taskhost.exe
Drops file in Program Files directory 12 IoCs
description   ioc   Process
File created   C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\cc11b995f2a76d   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files\Windows Portable Devices\taskhost.exe   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files\Windows Portable Devices\b75386f1303e64   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files\Windows Defender\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files\Windows Defender\4f0e8709060575   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files\DVD Maker\fr-FR\Idle.exe   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files\VideoLAN\audiodg.exe   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files\VideoLAN\42af1c969fbb7b   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files\DVD Maker\fr-FR\6ccacd8608530f   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\56085415360792   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Drops file in Windows directory 2 IoCs
description   ioc   Process
File created   C:\Windows\Cursors\audiodg.exe   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created   C:\Windows\Cursors\42af1c969fbb7b   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 10 IoCs
description              pid   Process
Token: SeDebugPrivilege  272   5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Token: SeDebugPrivilege  2100  taskhost.exe
Token: SeDebugPrivilege  2352  taskhost.exe
Token: SeDebugPrivilege  2580  taskhost.exe
Token: SeDebugPrivilege  2676  taskhost.exe
Token: SeDebugPrivilege  704   taskhost.exe
Token: SeDebugPrivilege  2512  taskhost.exe
Token: SeDebugPrivilege  2648  taskhost.exe
Token: SeDebugPrivilege  2164  taskhost.exe
Token: SeDebugPrivilege  2976  taskhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 27 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 272

  [level 2] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEWX68JQRQ.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1396

    [level 3] C:\Windows\system32\w32tm.exe
      command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 1556

    [level 3] C:\Program Files\Windows Portable Devices\taskhost.exe
      command line: "C:\Program Files\Windows Portable Devices\taskhost.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 2100

      [level 4] C:\Windows\System32\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b1faba7-8be4-4277-bda7-c7af6e7267fe.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 1760

        [level 5] C:\Program Files\Windows Portable Devices\taskhost.exe
          command line: "C:\Program Files\Windows Portable Devices\taskhost.exe"
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2352

          [level 6] C:\Windows\System32\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efab0641-dc63-4a40-a90c-20f9b55c12f0.vbs"
            - Suspicious use of WriteProcessMemory
            PID: 2524

            [level 7] C:\Program Files\Windows Portable Devices\taskhost.exe
              command line: "C:\Program Files\Windows Portable Devices\taskhost.exe"
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 2580

              [level 8] C:\Windows\System32\WScript.exe
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38f4b424-09d2-47e5-8131-39468d9594c5.vbs"
                - Suspicious use of WriteProcessMemory
                PID: 2932

                [level 9] C:\Program Files\Windows Portable Devices\taskhost.exe
                  command line: "C:\Program Files\Windows Portable Devices\taskhost.exe"
                  - UAC bypass
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - System policy modification
                  PID: 2676

                  [level 10] C:\Windows\System32\WScript.exe
                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c91e2168-0cc0-4dc7-af5d-60e006404385.vbs"
                    - Suspicious use of WriteProcessMemory
                    PID: 1396

                    [level 11] C:\Program Files\Windows Portable Devices\taskhost.exe
                      command line: "C:\Program Files\Windows Portable Devices\taskhost.exe"
                      - UAC bypass
                      - Executes dropped EXE
                      - Checks whether UAC is enabled
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      - System policy modification
                      PID: 704

                      [level 12] C:\Windows\System32\WScript.exe
                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40ef7bf1-6515-4952-8dfa-f5d30cf1649a.vbs"
                        - Suspicious use of WriteProcessMemory
                        PID: 1648

                        [level 13] C:\Program Files\Windows Portable Devices\taskhost.exe
                          command line: "C:\Program Files\Windows Portable Devices\taskhost.exe"
                          - UAC bypass
                          - Executes dropped EXE
                          - Checks whether UAC is enabled
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of WriteProcessMemory
                          - System policy modification
                          PID: 2512

                          [level 14] C:\Windows\System32\WScript.exe
                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaeb500c-8888-46c1-82eb-d8d5c6e8ee87.vbs"
                            - Suspicious use of WriteProcessMemory
                            PID: 2632

                            [level 15] C:\Program Files\Windows Portable Devices\taskhost.exe
                              command line: "C:\Program Files\Windows Portable Devices\taskhost.exe"
                              - UAC bypass
                              - Executes dropped EXE
                              - Checks whether UAC is enabled
                              - Suspicious use of AdjustPrivilegeToken
                              - Suspicious use of WriteProcessMemory
                              - System policy modification
                              PID: 2648

                              [level 16] C:\Windows\System32\WScript.exe
                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffd9dfd1-3b58-49ca-957d-9d6dc7f1fe84.vbs"
                                PID: 2508

                                [level 17] C:\Program Files\Windows Portable Devices\taskhost.exe
                                  command line: "C:\Program Files\Windows Portable Devices\taskhost.exe"
                                  - UAC bypass
                                  - Executes dropped EXE
                                  - Checks whether UAC is enabled
                                  - Suspicious use of AdjustPrivilegeToken
                                  - System policy modification
                                  PID: 2164

                                  [level 18] C:\Windows\System32\WScript.exe
                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efa11173-157f-433e-903c-af59ae7aee42.vbs"
                                    PID: 1576

                                    [level 19] C:\Program Files\Windows Portable Devices\taskhost.exe
                                      command line: "C:\Program Files\Windows Portable Devices\taskhost.exe"
                                      - Executes dropped EXE
                                      - Suspicious use of AdjustPrivilegeToken
                                      PID: 2976

                                  [level 18] C:\Windows\System32\WScript.exe
                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56ff67d3-f552-4cca-838e-4318b56d7eba.vbs"
                                    PID: 2296

                              [level 16] C:\Windows\System32\WScript.exe
                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55554c62-aa26-4d14-a2b1-ce3cb4fd9776.vbs"
                                PID: 1044

                          [level 14] C:\Windows\System32\WScript.exe
                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9779ddd3-160f-4355-9928-fe0a1de73e50.vbs"
                            PID: 2128

                      [level 12] C:\Windows\System32\WScript.exe
                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a792473-89f2-4026-b7b9-c3c24021a1ae.vbs"
                        PID: 2832

                  [level 10] C:\Windows\System32\WScript.exe
                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66470262-aa26-4459-aa35-caee02d96a17.vbs"
                    PID: 1364

              [level 8] C:\Windows\System32\WScript.exe
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07d82ff2-5c02-411a-b215-7a2e81012cb5.vbs"
                PID: 1812

          [level 6] C:\Windows\System32\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e7cc682-13ad-47d4-a834-2fce43e65dbb.vbs"
            PID: 1944

      [level 4] C:\Windows\System32\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2257f5aa-a96d-4391-bd92-6f2cae19b328.vbs"
        PID: 1536
C:\Windows\system32\schtasks.exe (tree level 1, PID 2500)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2812)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2584)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2416)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2468)
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2924)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2936)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2392)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 1708)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2748)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 1076)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2400)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 1016)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1cc83c02-d10e-11ee-94d5-decc1f73fbe3\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 1996)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1cc83c02-d10e-11ee-94d5-decc1f73fbe3\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2756)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1cc83c02-d10e-11ee-94d5-decc1f73fbe3\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 592)
  Command line: schtasks.exe /create /tn "5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c5" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 1004)
  Command line: schtasks.exe /create /tn "5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 572)
  Command line: schtasks.exe /create /tn "5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c5" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2780)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\fr-FR\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2600)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 1828)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\fr-FR\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 1524)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 1448)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2268)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2920)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2044)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (tree level 1, PID 2304)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads

- Filesize 1.4MB
  MD5 20c10eec8ec6fc259112b6002003b733
  SHA1 6d29de2fc60ab7327514893ac4f1be7ae77cdac1
  SHA256 efd499d86b400fcf862f1d23b778b0c2d4de52f0b831a5cee06a997a99d3ddc1
  SHA512 7d52d8c26780d8872ef1ac95166ddd26a6444a3fea971a54f6eb7bd7473dbe4fc61ac0b1122bbbfb651b023de45fde23fb6eb3da62735264537ffdaf7a8b3482

- Filesize 128KB
  MD5 780855762200dc776393db6145c78e16
  SHA1 cd93f05b6da2c6550d00e59b28763247be9b2f0b
  SHA256 be464e525ae2df977512e103bb15dc83a5242885927ab734fc0198f2aa24f333
  SHA512 ed15a14758e6ac45654982f240282e4323c1a6de9ca1b0dc832a6bf49b6b904642f246d481fea2e7f57b77b24b542d707661df1dfbaf4d9a0d74a54782faed68

- Filesize 3.2MB
  MD5 1994f3ef2118aeecbb74e6c8976fd47b
  SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
  SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
  SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

- Filesize 506B
  MD5 fb30d99b99c17309a9ed1ec45db00be5
  SHA1 c11a379197cdf8c1c478e2ee59854a14cac24322
  SHA256 8d2d7a915d2c725e8a5f7cabb5e5c8c484279ed53d16baef15c210751bf581ab
  SHA512 6197d9f31db104c994bfc5b58ad2c7a08bc88fe4538f7bcbf3afe8db9413d15d15ff2965eca260c9f2773c1812184c4a61d13429cfafae3ebec45acb2e858c45
- Filesize 730B
  MD5 62c7cf704c4f77b7d9d715fe50451d90
  SHA1 50741e588742808d38e7c5c0e1b77dc498fc6df9
  SHA256 b30e6303e2570c51c87817962fa0486d6d1eab543dc528d3abc5e8a30401c765
  SHA512 20957d863391a678882a4bda2dbc5ede684851d68b56f8331b3ebc8e9abd6919260156f2e2fa35cd58dd567f4c025c9ba4e03b113ba46c683966cb227501d040

- Filesize 729B
  MD5 b2e21634779ae86b5362d1d1f710f45a
  SHA1 a149a922ccfc2bf8ef5399ccc24e2618a133beac
  SHA256 e3ff4db766744048a1737e0ff4bd83e45be893f3f67c9017396d8631528d819a
  SHA512 4619d7daa0165a235cc82a444020888539faddca031a2e3ef915b0ccb264744a8062369d7d88fe49a17f1aab27fc386f4e2722476b09ebb5d8b6acd0bc438556

- Filesize 730B
  MD5 515f8ce95f4c3088b0d0f65355cf1bdf
  SHA1 b3181078e20ce4bf67cd19a9f111deebd5d6601d
  SHA256 04635cf477a09a8395eb6f77dfb3f19a9b43f59b897f2b02bc3167a5a7d10ab1
  SHA512 90b558fa5579a6b2623efd7d61bcf64e9d0a0b5c1196330b93d0fc7658a76f9363c172f474ddb140f4f2e3b9e7fbc8dc5b67ff8f3f839040f711ba409705509c

- Filesize 219B
  MD5 0e4d081b13e82284dafa3cac305d972c
  SHA1 8bfd416385dfb5e4561c89b2236c2204676086e1
  SHA256 f3d018f48fb147ecbdb27f74d697c467554c2b23830efeaed0e1d704bc86ca40
  SHA512 42b1d5914f4eff37a7647f632965af3e9747e7bcd234ba819edfe38fb05e0e006f15d6cf62f544dc27d20246781edb158dbcda431a339e8afcd5255415e79ba2
- Filesize 730B
  MD5 451303066e69071b439a46272896df64
  SHA1 636506ff2e321ad39816c92f03ab051746ec7c92
  SHA256 c3b0171832d03e856292792aa2c18f6d69ce08f2f22db374fe32072ab3d638fd
  SHA512 05b8867a5be603a69636464295bfc1db40cd3fdb12d2e64d329f441ca08a0474ab1e1bd7cf8539e1a53ee04d1637ebb06f266763d8e08d7617d902a8d27f52ba

- Filesize 1.1MB
  MD5 3c73747ca7887309c86648b400adc4ef
  SHA1 4051eb58f3edba6fb06d55bb80b64347523c9d69
  SHA256 cc5481f1ab3982bb92d3a44c72aa48c68b58b7b69ae8e2ba8b6f0cd4d296655c
  SHA512 549414730d6827f4bdb71175f9fb93f0d610c1cfdadd1b43e5dedbf2dc0fe7e47f14c467624afc26944703ddb4c905f60762fcfd0d4901d5afa24304a23f1029

- Filesize 2.3MB
  MD5 2eed9706ea6c42a65f386e3d8f08e8a9
  SHA1 f1c436097c969a2c1bb2f4e583a665447076973b
  SHA256 a45a7a7ec30f021cab59d26e68fdd056f851ba7f0d85c3052d4524471a2d9343
  SHA512 3c37cd9905a2c74fd31b69183d05504cbf7510fc50425eb1ac7c5a760fb3c206e36dd7ea313fa3929b397222bdbb075db05e72be61ae8c88953c2d87314fdfef

- Filesize 1.8MB
  MD5 1990cab86254f561c848a92d01f8dd5d
  SHA1 efed23a1f8d4a5add3b86d42c6ff5373e466503f
  SHA256 ca4bc3845e09ca9574045bb19a043d023d98098f167deb0d9e316cc5160250aa
  SHA512 697ed01abb07afc3628f0ff12bc80e46d7bf793e0a3c2883e638c31b4e5d7398a841feafb1be5435aa6fb00d5d480cb3ea0f7eb2c72727212bb4ade2982ee3c2
- Filesize 730B
  MD5 9c740d7919e02505ca9b3930f5da9bdf
  SHA1 0de7f72ab95f3823e9cfa4f6dc4ef5332380eae8
  SHA256 f0554d873f3d369eeb9242fc93046cd239244b66ed6896d7e6167ce76623ca42
  SHA512 bec3431cc155ea4103cf47eb90e14fcf3ca446d535d3ad5943d78614a80e89ed5f21c40fc80efc8ff80b2fdd3ba683931dc8b9a27f2c45b2d0602861bf70e099

- Filesize 730B
  MD5 192bbfbf13aa0ff6dac51d0929fe5851
  SHA1 33d5359ecf2f78eb29bc7cd110b849b9b0b1ca9a
  SHA256 e73e68679668df2ba782aea763b6a6a24cf64f95bfb1def52cceff6b789fd73f
  SHA512 79b577d2f827eaba709e340f5485261b06acfe8bb0ed87d1a83d8d71c7f0ebf00a00cd9ff89044df7614aa55c4795eadb5127725e8f98d3bd2db35d2a880c444

- Filesize 730B
  MD5 83d36f5c51d9aa7957ac6d208f3e204a
  SHA1 5b08c22b2a6d917dc1d8a97206b18c97102ef11a
  SHA256 4d5b345a43eec5e97cfc54641ec2702299d13ab210511fc30b8aa946fdf22367
  SHA512 89e008453f3c44ba79705d138f8fad004e7238893e27acdfa843961b5e13b7cda4bfd58dd9cd7791c68faa6d3386387642cb1def5494eefea865eb1e77e0c939

- Filesize 730B
  MD5 e05540d911e4648a67988d018db2c704
  SHA1 a37d9abbd9a430c593e669e3319aaea94f8582d8
  SHA256 7ecc6751db1920e869aa916c8bbe0b7b7e444c3307022971acd5128bceead0da
  SHA512 800de6bf8164dac3bab6b1d2f622ab042077c82a6cd16f74470bb7579415726f34e7148308435e044924d579874144bafaa30d6a4c4e2a83db27fda52b67de1f