Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2024, 01:29
Behavioral task behavioral1
Sample: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Resource: win10v2004-20240226-en
General
Target: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Size: 3.2MB
MD5: 1994f3ef2118aeecbb74e6c8976fd47b
SHA1: 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512: 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
SSDEEP: 49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3188 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4712 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2396 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 556 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5060 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4168 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4360 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3800 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3696 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1152 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3460 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4060 | 3260 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4552 | 3260 | schtasks.exe | 97
UAC bypass (39 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
resource | yara_rule
behavioral2/memory/220-0-0x0000000000D40000-0x0000000001070000-memory.dmp | dcrat
behavioral2/files/0x0007000000023368-44.dat | dcrat
behavioral2/files/0x0007000000023365-54.dat | dcrat
behavioral2/files/0x0007000000023365-55.dat | dcrat
behavioral2/files/0x0007000000023365-160.dat | dcrat
Checks computer location settings (2 TTPs, 12 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | explorer.exe
Executes dropped EXE (12 IoCs)
pid | Process
2724 | explorer.exe
4448 | explorer.exe
1968 | explorer.exe
4552 | explorer.exe
4640 | explorer.exe
2180 | explorer.exe
3848 | explorer.exe
2012 | explorer.exe
4628 | explorer.exe
1556 | explorer.exe
2548 | explorer.exe
316 | explorer.exe
Checks whether UAC is enabled (26 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\Microsoft Office\Office16\dllhost.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created | C:\Program Files\Microsoft Office\Office16\5940a34987c991 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created | C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
File created | C:\Program Files\MsEdgeCrashpad\attachments\7a0fd90576e088 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2760 | schtasks.exe
5060 | schtasks.exe
8 | schtasks.exe
3696 | schtasks.exe
4060 | schtasks.exe
4552 | schtasks.exe
4712 | schtasks.exe
556 | schtasks.exe
4360 | schtasks.exe
3460 | schtasks.exe
3188 | schtasks.exe
2396 | schtasks.exe
1152 | schtasks.exe
4168 | schtasks.exe
3800 | schtasks.exe
Modifies registry class (11 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
220 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe (10 entries)
2724 | explorer.exe (52 entries)
4448 | explorer.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (13 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 220 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Token: SeDebugPrivilege | 2724 | explorer.exe
Token: SeDebugPrivilege | 4448 | explorer.exe
Token: SeDebugPrivilege | 1968 | explorer.exe
Token: SeDebugPrivilege | 4552 | explorer.exe
Token: SeDebugPrivilege | 4640 | explorer.exe
Token: SeDebugPrivilege | 2180 | explorer.exe
Token: SeDebugPrivilege | 3848 | explorer.exe
Token: SeDebugPrivilege | 2012 | explorer.exe
Token: SeDebugPrivilege | 4628 | explorer.exe
Token: SeDebugPrivilege | 1556 | explorer.exe
Token: SeDebugPrivilege | 2548 | explorer.exe
Token: SeDebugPrivilege | 316 | explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 220 wrote to memory of 2724 | 220 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | 115
PID 220 wrote to memory of 2724 | 220 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | 115
PID 2724 wrote to memory of 4612 | 2724 | explorer.exe | 120
PID 2724 wrote to memory of 4612 | 2724 | explorer.exe | 120
PID 2724 wrote to memory of 4776 | 2724 | explorer.exe | 121
PID 2724 wrote to memory of 4776 | 2724 | explorer.exe | 121
PID 4612 wrote to memory of 4448 | 4612 | WScript.exe | 125
PID 4612 wrote to memory of 4448 | 4612 | WScript.exe | 125
PID 4448 wrote to memory of 4900 | 4448 | explorer.exe | 126
PID 4448 wrote to memory of 4900 | 4448 | explorer.exe | 126
PID 4448 wrote to memory of 3288 | 4448 | explorer.exe | 127
PID 4448 wrote to memory of 3288 | 4448 | explorer.exe | 127
PID 4900 wrote to memory of 1968 | 4900 | WScript.exe | 129
PID 4900 wrote to memory of 1968 | 4900 | WScript.exe | 129
PID 1968 wrote to memory of 4404 | 1968 | explorer.exe | 130
PID 1968 wrote to memory of 4404 | 1968 | explorer.exe | 130
PID 1968 wrote to memory of 3824 | 1968 | explorer.exe | 131
PID 1968 wrote to memory of 3824 | 1968 | explorer.exe | 131
PID 4404 wrote to memory of 4552 | 4404 | WScript.exe | 133
PID 4404 wrote to memory of 4552 | 4404 | WScript.exe | 133
PID 4552 wrote to memory of 1428 | 4552 | explorer.exe | 135
PID 4552 wrote to memory of 1428 | 4552 | explorer.exe | 135
PID 4552 wrote to memory of 3816 | 4552 | explorer.exe | 136
PID 4552 wrote to memory of 3816 | 4552 | explorer.exe | 136
PID 1428 wrote to memory of 4640 | 1428 | WScript.exe | 137
PID 1428 wrote to memory of 4640 | 1428 | WScript.exe | 137
PID 4640 wrote to memory of 4564 | 4640 | explorer.exe | 138
PID 4640 wrote to memory of 4564 | 4640 | explorer.exe | 138
PID 4640 wrote to memory of 4760 | 4640 | explorer.exe | 139
PID 4640 wrote to memory of 4760 | 4640 | explorer.exe | 139
PID 4564 wrote to memory of 2180 | 4564 | WScript.exe | 140
PID 4564 wrote to memory of 2180 | 4564 | WScript.exe | 140
PID 2180 wrote to memory of 3688 | 2180 | explorer.exe | 142
PID 2180 wrote to memory of 3688 | 2180 | explorer.exe | 142
PID 2180 wrote to memory of 5000 | 2180 | explorer.exe | 143
PID 2180 wrote to memory of 5000 | 2180 | explorer.exe | 143
PID 3688 wrote to memory of 3848 | 3688 | WScript.exe | 144
PID 3688 wrote to memory of 3848 | 3688 | WScript.exe | 144
PID 3848 wrote to memory of 5036 | 3848 | explorer.exe | 145
PID 3848 wrote to memory of 5036 | 3848 | explorer.exe | 145
PID 3848 wrote to memory of 896 | 3848 | explorer.exe | 146
PID 3848 wrote to memory of 896 | 3848 | explorer.exe | 146
PID 5036 wrote to memory of 2012 | 5036 | WScript.exe | 147
PID 5036 wrote to memory of 2012 | 5036 | WScript.exe | 147
PID 2012 wrote to memory of 724 | 2012 | explorer.exe | 148
PID 2012 wrote to memory of 724 | 2012 | explorer.exe | 148
PID 2012 wrote to memory of 4756 | 2012 | explorer.exe | 149
PID 2012 wrote to memory of 4756 | 2012 | explorer.exe | 149
PID 724 wrote to memory of 4628 | 724 | WScript.exe | 150
PID 724 wrote to memory of 4628 | 724 | WScript.exe | 150
PID 4628 wrote to memory of 3040 | 4628 | explorer.exe | 153
PID 4628 wrote to memory of 3040 | 4628 | explorer.exe | 153
PID 4628 wrote to memory of 4280 | 4628 | explorer.exe | 154
PID 4628 wrote to memory of 4280 | 4628 | explorer.exe | 154
PID 3040 wrote to memory of 1556 | 3040 | WScript.exe | 161
PID 3040 wrote to memory of 1556 | 3040 | WScript.exe | 161
PID 1556 wrote to memory of 3512 | 1556 | explorer.exe | 162
PID 1556 wrote to memory of 3512 | 1556 | explorer.exe | 162
PID 1556 wrote to memory of 1296 | 1556 | explorer.exe | 163
PID 1556 wrote to memory of 1296 | 1556 | explorer.exe | 163
PID 3512 wrote to memory of 2548 | 3512 | WScript.exe | 164
PID 3512 wrote to memory of 2548 | 3512 | WScript.exe | 164
PID 2548 wrote to memory of 2004 | 2548 | explorer.exe | 165
PID 2548 wrote to memory of 2004 | 2548 | explorer.exe | 165
System policy modification (1 TTPs, 39 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 220

Depth 2: C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
Command line: "C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2724

Depth 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\339f9d5f-f6a4-4f42-8559-f1ea24250232.vbs"
- Suspicious use of WriteProcessMemory
PID: 4612

Depth 4: C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
Command line: "C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4448

Depth 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d510248-a41e-4bb2-b5b7-b76302271e8d.vbs"
- Suspicious use of WriteProcessMemory
PID: 4900

Depth 6: C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
Command line: "C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1968

Depth 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85365485-5253-4562-b972-d2a6de079218.vbs"
- Suspicious use of WriteProcessMemory
PID: 4404

Depth 8: C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
Command line: "C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4552

Depth 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d89f672f-5a1b-4482-8275-8aba1f2e72e2.vbs"
- Suspicious use of WriteProcessMemory
PID: 1428

Depth 10: C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
Command line: "C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4640

Depth 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\738b0bf3-a914-40dc-8550-4986da63bddd.vbs"
- Suspicious use of WriteProcessMemory
PID: 4564

Depth 12: C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
Command line: "C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2180

Depth 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4edb2e65-9b9a-4d8b-a673-806279fdd0c8.vbs"
- Suspicious use of WriteProcessMemory
PID: 3688

Depth 14: C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
Command line: "C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3848 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6e04c06-b76e-42fc-83fa-497a26093f8a.vbs"15⤵
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2012 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58ad5d7c-2af7-48c4-9dd0-4c5bb829862e.vbs"17⤵
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4628 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a72cc85c-0abe-4f4d-8c85-79446a68ecd5.vbs"19⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1556 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e4199ec-a79e-4f5b-a4b8-fdf1a4b33a34.vbs"21⤵
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2548 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a322cf6f-4c1f-4a4f-b011-ed9dad23e7a8.vbs"23⤵PID:2004
-
C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:316
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff327be-a2a8-4dcc-877a-88c62dbfaea6.vbs"23⤵PID:1992
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8def966-3481-450e-94be-32b2152bcded.vbs"21⤵PID:1296
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf11b467-07b6-48e0-9d9c-a8614f6c5caf.vbs"19⤵PID:4280
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de7852ce-0f03-48d6-a3ff-15ab4d554082.vbs"17⤵PID:4756
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24e91c49-a480-44d0-a0e9-2d79d34addf4.vbs"15⤵PID:896
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50a992fa-6291-473b-8925-fb712b0b9492.vbs"13⤵PID:5000
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\472e5f38-9817-4e96-b458-e2d23b4e9114.vbs"11⤵PID:4760
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3c4b957-caac-4530-91a1-3ca756222cca.vbs"9⤵PID:3816
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\912fc13c-640e-4048-8cc3-9e889ed04172.vbs"7⤵PID:3824
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a0b4c6-fa98-4677-94a9-b3fe7429a77b.vbs"5⤵PID:3288
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6677cf2-0df6-4088-bddd-876847e7fa1c.vbs"3⤵PID:4776
-
-
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3696

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3828 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
PID:3168
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads