Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-05-2024 23:06

Behavioral task: behavioral1
- Sample: 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
- Resource: win7-20240215-en

General
- Target: 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
- Size: 3.2MB
- MD5: 5e11b7a6246841f5c8dc76aa757e0613
- SHA1: 44125a86ecdd8fe8cb0261b4ce79b1fc4b61d639
- SHA256: 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf
- SHA512: 2d8f81567cf50ec22fb577e01cdf123e2da0a13380691133a3f5e01fb989db37d3ff25fff12e5a3d8cd133d13e96c2bad14ae488ce2689e6fdb050fbb9252cf0
- SSDEEP: 49152:/C0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:/C0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat (64 IoCs)
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
Processes:
pid | process (file and registry IoCs are given as description | ioc | process)
1640 | schtasks.exe
1604 | schtasks.exe
4468 | schtasks.exe
1256 | schtasks.exe
3192 | schtasks.exe
1748 | schtasks.exe
4104 | schtasks.exe
1688 | schtasks.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24 | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
4060 | schtasks.exe
3572 | schtasks.exe
3992 | schtasks.exe
2888 | schtasks.exe
File created | C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
2052 | schtasks.exe
4812 | schtasks.exe
3984 | schtasks.exe
1416 | schtasks.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\69ddcba757bf72 | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
1192 | schtasks.exe
4896 | schtasks.exe
4060 | schtasks.exe
3416 | schtasks.exe
File created | C:\Program Files\Windows Portable Devices\5b884080fd4f94 | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
3748 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
3688 | schtasks.exe
3972 | schtasks.exe
3880 | schtasks.exe
3644 | schtasks.exe
1176 | schtasks.exe
4672 | schtasks.exe
640 | schtasks.exe
4940 | schtasks.exe
4452 | schtasks.exe
624 | schtasks.exe
4896 | schtasks.exe
5044 | schtasks.exe
1908 | schtasks.exe
836 | schtasks.exe
544 | schtasks.exe
4960 | schtasks.exe
2928 | schtasks.exe
4584 | schtasks.exe
4116 | schtasks.exe
3672 | schtasks.exe
4992 | schtasks.exe
1896 | schtasks.exe
4940 | schtasks.exe
1204 | schtasks.exe
3988 | schtasks.exe
3340 | schtasks.exe
464 | schtasks.exe
3576 | schtasks.exe
File created | C:\Windows\IME\IMETC\DICTS\7a0fd90576e088 | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
2788 | schtasks.exe
1412 | schtasks.exe
File created | C:\Program Files (x86)\Google\CrashReports\9e8d7a4ca61bd9 | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
3316 | schtasks.exe
File created | C:\Program Files\7-Zip\Lang\55b276f4edf653 | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
4028 | schtasks.exe
1948 | schtasks.exe
3052 | schtasks.exe
3472 | schtasks.exe
Process spawned unexpected child process (64 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (identical for all 64 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process
3576 | 3204 | schtasks.exe
556 | 3204 | schtasks.exe
780 | 3204 | schtasks.exe
4820 | 3204 | schtasks.exe
2016 | 3204 | schtasks.exe
516 | 3204 | schtasks.exe
5076 | 3204 | schtasks.exe
1192 | 3204 | schtasks.exe
3672 | 3204 | schtasks.exe
3988 | 3204 | schtasks.exe
1748 | 3204 | schtasks.exe
4896 | 3204 | schtasks.exe
1080 | 3204 | schtasks.exe
1752 | 3204 | schtasks.exe
4804 | 3204 | schtasks.exe
1840 | 3204 | schtasks.exe
4604 | 3204 | schtasks.exe
4028 | 3204 | schtasks.exe
4636 | 3204 | schtasks.exe
4768 | 3204 | schtasks.exe
2888 | 3204 | schtasks.exe
3400 | 3204 | schtasks.exe
1568 | 3204 | schtasks.exe
464 | 3204 | schtasks.exe
1412 | 3204 | schtasks.exe
1416 | 3204 | schtasks.exe
4672 | 3204 | schtasks.exe
3572 | 3204 | schtasks.exe
3192 | 3204 | schtasks.exe
1204 | 3204 | schtasks.exe
4996 | 3204 | schtasks.exe
2432 | 3204 | schtasks.exe
2312 | 3204 | schtasks.exe
3748 | 3204 | schtasks.exe
544 | 3204 | schtasks.exe
4252 | 3204 | schtasks.exe
4508 | 3204 | schtasks.exe
3984 | 3204 | schtasks.exe
4468 | 3204 | schtasks.exe
4940 | 3204 | schtasks.exe
5044 | 3204 | schtasks.exe
2952 | 3204 | schtasks.exe
680 | 3204 | schtasks.exe
2928 | 3204 | schtasks.exe
3840 | 3204 | schtasks.exe
4104 | 3204 | schtasks.exe
4992 | 3204 | schtasks.exe
1896 | 3204 | schtasks.exe
4060 | 3204 | schtasks.exe
3972 | 3204 | schtasks.exe
640 | 3204 | schtasks.exe
4000 | 3204 | schtasks.exe
3992 | 3204 | schtasks.exe
836 | 3204 | schtasks.exe
3572 | 3204 | schtasks.exe
3192 | 3204 | schtasks.exe
3880 | 3204 | schtasks.exe
1948 | 3204 | schtasks.exe
3644 | 3204 | schtasks.exe
3892 | 3204 | schtasks.exe
2052 | 3204 | schtasks.exe
1528 | 3204 | schtasks.exe
4248 | 3204 | schtasks.exe
4468 | 3204 | schtasks.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Processes:
resource | yara_rule
behavioral2/memory/2972-1-0x0000000000780000-0x0000000000ABC000-memory.dmp | dcrat
C:\Program Files\Microsoft Office\root\vfs\services.exe | dcrat
C:\Recovery\WindowsRE\RCX71DC.tmp | dcrat
C:\Program Files (x86)\Microsoft\Temp\wininit.exe | dcrat
C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe | dcrat
C:\Program Files\Windows Portable Devices\fontdrvhost.exe | dcrat
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe | dcrat
Detects executables packed with SmartAssembly (8 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2972-9-0x000000001BD30000-0x000000001BD40000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-13-0x000000001BDD0000-0x000000001BDDA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-22-0x000000001BEB0000-0x000000001BEBC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-21-0x000000001BEA0000-0x000000001BEAC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-24-0x000000001BED0000-0x000000001BEDC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-26-0x000000001C0E0000-0x000000001C0EA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-32-0x000000001C130000-0x000000001C13A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-30-0x000000001C110000-0x000000001C11C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Command and Scripting Interpreter: PowerShell (1 TTPs, 22 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
All 22 rows are powershell.exe, with pids: 2184, 2952, 952, 4632, 3756, 4104, 4916, 4836, 2472, 4616, 4660, 2264, 2708, 4116, 2928, 4260, 4328, 1748, 940, 4860, 2188, 3876
Checks computer location settings (2 TTPs, 8 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | WmiPrvSE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | WmiPrvSE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | WmiPrvSE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | WmiPrvSE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | WmiPrvSE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | WmiPrvSE.exe
Executes dropped EXE (7 IoCs)
Processes:
pid | process
1568 | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
4996 | WmiPrvSE.exe
3284 | WmiPrvSE.exe
3384 | WmiPrvSE.exe
4380 | WmiPrvSE.exe
4616 | WmiPrvSE.exe
4884 | WmiPrvSE.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Drops file in Program Files directory (64 IoCs)
Processes:
process (identical for all 64 rows): 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
description | ioc
File opened for modification | C:\Program Files\dotnet\host\fxr\8.0.2\RCX80C0.tmp
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
File created | C:\Program Files\VideoLAN\VLC\services.exe
File opened for modification | C:\Program Files\Internet Explorer\unsecapp.exe
File created | C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe
File opened for modification | C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Temp\RCX82D5.tmp
File created | C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2
File created | C:\Program Files\Internet Explorer\29c1c3cc0f7685
File created | C:\Program Files\7-Zip\Lang\55b276f4edf653
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8B09.tmp
File created | C:\Program Files (x86)\Microsoft\Temp\wininit.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\dllhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Temp\RCX8353.tmp
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe
File created | C:\Program Files (x86)\Microsoft\Temp\56085415360792
File opened for modification | C:\Program Files\7-Zip\Lang\RCX6DB3.tmp
File opened for modification | C:\Program Files\Windows Multimedia Platform\RCX7617.tmp
File opened for modification | C:\Program Files\Windows Portable Devices\RCX8FBF.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX92C0.tmp
File created | C:\Program Files\Microsoft Office\root\vfs\c5b4cb5e9653cc
File created | C:\Program Files\Windows Multimedia Platform\5940a34987c991
File created | C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd
File opened for modification | C:\Program Files\VideoLAN\VLC\services.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\sihost.exe
File created | C:\Program Files\VideoLAN\VLC\c5b4cb5e9653cc
File created | C:\Program Files\dotnet\host\fxr\8.0.2\5b884080fd4f94
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8A8B.tmp
File opened for modification | C:\Program Files\Windows Portable Devices\fontdrvhost.exe
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe
File created | C:\Program Files\Windows Portable Devices\5b884080fd4f94
File created | C:\Program Files\Windows Multimedia Platform\dllhost.exe
File created | C:\Program Files\Windows Portable Devices\fontdrvhost.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\services.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX7A60.tmp
File opened for modification | C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe
File created | C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\69ddcba757bf72
File opened for modification | C:\Program Files\7-Zip\Lang\RCX6DA2.tmp
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\RCX7401.tmp
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\RCX7412.tmp
File created | C:\Program Files\Internet Explorer\unsecapp.exe
File created | C:\Program Files\Microsoft Office\root\vfs\services.exe
File opened for modification | C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX7A61.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe
File created | C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24
File opened for modification | C:\Program Files (x86)\Microsoft\Temp\wininit.exe
File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCX85E5.tmp
File opened for modification | C:\Program Files\Windows Portable Devices\RCX903D.tmp
File created | C:\Program Files (x86)\Windows Mail\sihost.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e
File created | C:\Program Files\Windows NT\Accessories\en-US\22eafd247d37c3
File created | C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe
File created | C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe
File created | C:\Program Files (x86)\Google\CrashReports\9e8d7a4ca61bd9
File opened for modification | C:\Program Files\dotnet\host\fxr\8.0.2\RCX80B0.tmp
File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCX8567.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX9242.tmp
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\RCX7627.tmp
Drops file in Windows directory 19 IoCs
Processes:
description ioc process
File created C:\Windows\CbsTemp\upfc.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\Downloaded Program Files\backgroundTaskHost.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\Speech_OneCore\spoolsv.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\IME\IMETC\DICTS\7a0fd90576e088 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\Speech_OneCore\f3b6ecef712a24 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\Downloaded Program Files\eddb19405b7ce1 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File opened for modification C:\Windows\Speech_OneCore\spoolsv.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\IME\IMETC\DICTS\explorer.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\CSC\spoolsv.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File opened for modification C:\Windows\IME\IMETC\DICTS\explorer.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\CbsTemp\ea1d8f6d871115 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\9e8d7a4ca61bd9 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File opened for modification C:\Windows\CbsTemp\upfc.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File opened for modification C:\Windows\Downloaded Program Files\backgroundTaskHost.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File created C:\Windows\servicing\upfc.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File opened for modification C:\Windows\IME\IMETC\DICTS\RCX783B.tmp 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
File opened for modification C:\Windows\IME\IMETC\DICTS\RCX784C.tmp 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
-
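The Program Files and Windows drop lists above show one pattern repeated: a copy of the sample is written under a legitimate Windows binary name (taskhostw.exe, RuntimeBroker.exe, spoolsv.exe, smss.exe, upfc.exe, backgroundTaskHost.exe, explorer.exe) into a directory where that binary does not belong, next to an extensionless companion file named with 14 hex characters (886983d96e3d3e, 9e8d7a4ca61bd9, f3b6ecef712a24 and so on). The Python below is an added triage helper written for this page; it is not part of the sandbox report or of the sample. It runs over constructed file events copied from the rows above plus one benign control, and the list of canonical directories is an assumption based on a default Windows 10 install.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Windows binary names this sample reuses for its dropped copies, taken from the
# file-drop and scheduled-task entries of the report.
SYSTEM_BINARY_NAMES = {
    "taskhostw.exe", "runtimebroker.exe", "spoolsv.exe", "smss.exe", "upfc.exe",
    "backgroundtaskhost.exe", "explorer.exe", "dwm.exe",
    "startmenuexperiencehost.exe", "wmiprvse.exe",
}

# Where those names legitimately live (assumption: default Windows 10 install).
CANONICAL_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\wbem",
}

# Every dropped EXE in the report sits next to an extensionless file whose name is
# 14 lowercase hex characters (e.g. 9e8d7a4ca61bd9); treat that as a companion marker.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")


def classify_drops(events):
    """events: iterable of (action, path, process) tuples as in the report rows.

    Returns one finding per EXE that carries a Windows system-binary name but was
    created outside the directory that binary belongs in, together with any
    companion marker files created in the same directory."""
    created_by_dir = defaultdict(dict)          # dir -> {file name: creating process}
    for action, path, process in events:
        if action != "File created":
            continue                             # RCX*.tmp modifications are ignored
        p = PureWindowsPath(path)
        created_by_dir[str(p.parent).lower()][p.name] = process

    findings = []
    for directory, names in sorted(created_by_dir.items()):
        companions = sorted(n for n in names if COMPANION_RE.match(n))
        for name, process in sorted(names.items()):
            if name.lower() in SYSTEM_BINARY_NAMES and directory not in CANONICAL_DIRS:
                findings.append({
                    "path": directory + "\\" + name.lower(),
                    "dropped_by": process,
                    "companions": companions,
                })
    return findings


# Constructed sample: rows copied from the report plus one benign control
# (a WmiPrvSE.exe written to its canonical wbem directory, which must not be flagged).
SAMPLE = "7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"
SAMPLE_EVENTS = [
    ("File created", r"C:\Windows\CbsTemp\upfc.exe", SAMPLE),
    ("File created", r"C:\Windows\CbsTemp\ea1d8f6d871115", SAMPLE),
    ("File created", r"C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe", SAMPLE),
    ("File created", r"C:\Program Files (x86)\Google\CrashReports\9e8d7a4ca61bd9", SAMPLE),
    ("File created", r"C:\Windows\servicing\upfc.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\IME\IMETC\DICTS\RCX783B.tmp", SAMPLE),
    ("File created", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "TrustedInstaller.exe"),  # benign control
]

if __name__ == "__main__":
    for f in classify_drops(SAMPLE_EVENTS):
        print(f["path"], "dropped by", f["dropped_by"], "companions:", f["companions"])
```

On a live host the same function can be fed Sysmon Event ID 11 (FileCreate) paths instead of report rows; the companion list is what distinguishes this sample's drops from a stray copy of a system binary, since a legitimate installer does not leave a 14-hex-character file beside the executable.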
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
4636, 640, 2560, 4812, 1412, 4940, 5044, 780, 4604, 1896, 1256, 556, 1080, 3892, 3052, 1948, 4820, 3988, 1840, 4768, 4060, 1908, 4252, 1840, 2432, 4028, 4896, 1640, 2016, 4896, 4000, 516, 3672, 1204, 4060, 4468, 836, 4584, 3192, 2892, 4576, 1176, 4996, 3576, 5076, 4452, 1528, 2052, 3840, 3340, 3316, 1752, 4248, 4468, 2788, 680, 4104, 1896, 3416, 3472, 4820, 4992, 3572, 4940 schtasks.exe (64 instances; some PIDs recur because the OS reused them)
-
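The 64 schtasks.exe instances counted above correspond to the /create command lines listed one by one at the end of the Processes tree (backgroundTaskHostb every 7 minutes, backgroundTaskHost at logon with /rl HIGHEST, dwmd every 10 minutes, and so on). The parser and triage rule below are an added example for this page, not code from the report or the sandbox. The command lines in SAMPLE_CMDLINES are copied from the tree; the NightlyBackup line is a constructed benign control, and the 15-minute threshold for a suspicious repeat interval is an assumption.

```python
import re
from pathlib import PureWindowsPath

# /switch [value]; a value is either "double quoted" or a bare token that is not
# itself a switch, so /create and /f (which take no value) map to True.
_SWITCH_RE = re.compile(r'/(?P<key>[a-zA-Z]+)(?:\s+(?P<val>"[^"]*"|(?!/)\S+))?')


def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line. Quotes are stripped;
    the report's /tr values are double quoted around single quotes, so both go."""
    args = {}
    for m in _SWITCH_RE.finditer(cmdline):
        key = m.group("key").lower()
        val = m.group("val")
        args[key] = True if val is None else val.strip('"').strip("'")
    return args


def triage_task(cmdline):
    """Flag the persistence traits seen in this report: short minute intervals or
    ONLOGON triggers, /rl HIGHEST, a task name derived from the target's file name
    (backgroundTaskHostb -> backgroundTaskHost.exe), and a target under C:\\Recovery.
    Returns None for command lines that do not create a task."""
    a = parse_schtasks(cmdline)
    if "create" not in a or "tr" not in a:
        return None
    target = PureWindowsPath(a["tr"])
    stem, name = target.stem.lower(), str(a.get("tn", "")).lower()
    reasons = []
    sc = str(a.get("sc", "")).upper()
    if sc == "ONLOGON":
        reasons.append("runs at every logon")
    elif sc == "MINUTE" and int(a.get("mo", 1)) <= 15:      # assumption: <= 15 min is a beacon-style repeat
        reasons.append(f"re-executes every {a.get('mo', 1)} minute(s)")
    if str(a.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests highest run level")
    # task name equals the target's stem or is the stem plus a single character
    if name == stem or (name.startswith(stem) and len(name) == len(stem) + 1):
        reasons.append("task name mimics target file name")
    if str(target).lower().startswith("c:\\recovery\\"):
        reasons.append("target lives under C:\\Recovery")
    return {"name": a.get("tn"), "target": str(target), "reasons": reasons}


# Constructed sample: four command lines copied from the Processes tree and one
# benign control (a daily backup job whose name does not mimic its target).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f''',
    r'''schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"''',
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        t = triage_task(cmd)
        print(t["name"], "->", t["target"], "|", "; ".join(t["reasons"]) or "nothing flagged")
```

On a live host the same rule applies to the task XML under C:\Windows\System32\Tasks or to Security event 4698 (a scheduled task was created), whose payload carries the task definition. Note that the sample registers each target three times (a MINUTE task, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST), so removing one task leaves the other two in place.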
Modifies registry class 8 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings WmiPrvSE.exe
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings WmiPrvSE.exe (×5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe (×58)
4860 powershell.exe (×2)
2188 powershell.exe (×2)
4116 powershell.exe (×2)
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Token: SeDebugPrivilege 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
Token: SeDebugPrivilege 4860, 2188, 2952, 4104, 4116, 952, 2184, 4836, 2928, 4916, 2708, 4632, 940, 2472, 2264, 4660, 4616, 1748, 4328, 3876, 4260, 3756 powershell.exe (22 instances)
Token: SeDebugPrivilege 4996, 3284, 3384, 4380, 4616, 4884 WmiPrvSE.exe (6 instances)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 2972 wrote to memory of 2708 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 4860 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 2184 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 2188 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 2952 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 952 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 4116 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 4104 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 4916 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 4836 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 2928 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 2972 wrote to memory of 2792 2972 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe cmd.exe (×2)
PID 2792 wrote to memory of 2932 2792 cmd.exe w32tm.exe (×2)
PID 2792 wrote to memory of 1568 2792 cmd.exe 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe (×2)
PID 1568 wrote to memory of 4632 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 2472 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 4616 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 3876 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 4260 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 4328 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 1748 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 4660 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 940 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 3756 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 2264 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe powershell.exe (×2)
PID 1568 wrote to memory of 4996 1568 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe WmiPrvSE.exe (×2)
PID 4996 wrote to memory of 3504 4996 WmiPrvSE.exe WScript.exe (×2)
PID 4996 wrote to memory of 4672 4996 WmiPrvSE.exe WScript.exe (×2)
PID 3504 wrote to memory of 3284 3504 WScript.exe WmiPrvSE.exe (×2)
PID 3284 wrote to memory of 4444 3284 WmiPrvSE.exe WScript.exe (×2)
PID 3284 wrote to memory of 3208 3284 WmiPrvSE.exe WScript.exe (×2)
PID 4444 wrote to memory of 3384 4444 WScript.exe WmiPrvSE.exe (×2)
-
System policy modification 1 TTPs 24 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe (×6), 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe (×2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe (×6), 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe (×2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe (×6), 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe (×2)
-
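The rows above are the three UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, each written to 0 by both copies of the sample and by every WmiPrvSE.exe copy. The script below is an added example for this page and not part of the report; it parses rows in the report's own format. SAMPLE_ROWS copies five rows from above and adds two constructed controls (a reset of ConsentPromptBehaviorAdmin to its default of 5, and a write to a different key). The sample in the report zeroes all three values; the constructed rows deliberately give it only two so that both verdicts appear.

```python
import re
from collections import defaultdict

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values whose zeroing removes a UAC control. EnableLUA=0 switches UAC off (after the
# next logon); ConsentPromptBehaviorAdmin=0 elevates administrators without a prompt;
# PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop, where
# other processes can interact with it.
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Matches the report's own row format:
#   Set value (int) \REGISTRY\MACHINE\...\System\EnableLUA = "0" WmiPrvSE.exe
_ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = "(?P<data>[^"]*)" (?P<process>\S+)$'
)


def parse_row(row):
    """Split one 'Set value' row into type, key, value name, data and process."""
    m = _ROW_RE.match(row)
    return m.groupdict() if m else None


def assess_uac(rows):
    """Group UAC policy writes by process.

    Returns {process: {"zeroed": [...], "verdict": ...}} where verdict is
    "uac_disabled" when that process zeroed all three controls and "uac_weakened"
    when it zeroed only some. Non-zero data and writes outside the UAC key are ignored."""
    zeroed = defaultdict(set)
    for row in rows:
        r = parse_row(row)
        if (r and r["key"].lower() == UAC_KEY.lower()
                and r["name"] in UAC_VALUES and r["data"] == "0"):
            zeroed[r["process"]].add(r["name"])
    result = {}
    for process, names in zeroed.items():
        verdict = "uac_disabled" if names == UAC_VALUES else "uac_weakened"
        result[process] = {"zeroed": sorted(names), "verdict": verdict}
    return result


# Constructed sample: five rows copied from the report plus two controls.
SAMPLE = "7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"
SAMPLE_ROWS = [
    f'Set value (int) {UAC_KEY}\\EnableLUA = "0" WmiPrvSE.exe',
    f'Set value (int) {UAC_KEY}\\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe',
    f'Set value (int) {UAC_KEY}\\PromptOnSecureDesktop = "0" WmiPrvSE.exe',
    f'Set value (int) {UAC_KEY}\\EnableLUA = "0" {SAMPLE}',
    f'Set value (int) {UAC_KEY}\\PromptOnSecureDesktop = "0" {SAMPLE}',
    # benign control: the Windows default for ConsentPromptBehaviorAdmin is 5
    f'Set value (int) {UAC_KEY}\\ConsentPromptBehaviorAdmin = "5" gpupdate.exe',
    # control: a write under a different key is not a UAC change
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Tools\helper.exe" setup.exe',
]

if __name__ == "__main__":
    for process, info in assess_uac(SAMPLE_ROWS).items():
        print(process, info["verdict"], info["zeroed"])
```

On a live host the same writes surface as Sysmon Event ID 13 (registry value set) on that key. EnableLUA=0 only takes full effect after a logoff, but ConsentPromptBehaviorAdmin=0 removes the consent prompt for administrators without a reboot, which is what lets the dropped copies run elevated with no user interaction.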
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
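The first thing both copies of the sample (PIDs 2972 and 1568) do in the Processes tree below is spawn eleven powershell.exe children, each adding one top-level directory of C: to the Defender exclusion list, starting with the drive root itself. The script below is an added example for this page, not part of the report; it extracts and rates the exclusion paths from command lines in that form. SAMPLE_CMDLINES copies five of those command lines and adds two constructed controls (a narrow developer exclusion and a Get-MpPreference call); the set of top-level directories is an assumption based on a default Windows install.

```python
import re
from pathlib import PureWindowsPath

# Top-level directories of a default Windows install (assumption); excluding any of
# them from Defender is almost as bad as excluding the drive root.
TOP_LEVEL_DIRS = {
    "$recycle.bin", "documents and settings", "perflogs", "program files",
    "program files (x86)", "programdata", "recovery", "system volume information",
    "users", "windows",
}

# -ExclusionPath followed by a 'single', "double" or bare path argument.
_EXCL_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>\S+))",
    re.IGNORECASE,
)


def extract_exclusion(cmdline):
    """Return the excluded path from an Add-MpPreference -ExclusionPath command line,
    normalised to backslashes with no trailing separator, or None if absent."""
    m = _EXCL_RE.search(cmdline)
    if not m:
        return None
    raw = m.group("sq") or m.group("dq") or m.group("bare")
    return str(PureWindowsPath(raw.replace("/", "\\")))


def classify_exclusion(path):
    """'drive root' excludes everything; 'top-level directory' excludes a whole
    system tree; anything deeper is reported as 'narrow'."""
    parts = PureWindowsPath(path).parts
    if len(parts) == 1:
        return "drive root"
    if len(parts) == 2 and parts[1].lower() in TOP_LEVEL_DIRS:
        return "top-level directory"
    return "narrow"


def audit_exclusions(cmdlines):
    """Deduplicate the exclusions a process tree added and rate each one,
    broadest first."""
    seen = {}
    for cmd in cmdlines:
        path = extract_exclusion(cmd)
        if path is not None and path.lower() not in seen:
            seen[path.lower()] = {"path": path, "breadth": classify_exclusion(path)}
    findings = list(seen.values())
    order = ("drive root", "top-level directory", "narrow")
    findings.sort(key=lambda f: order.index(f["breadth"]))
    return findings


# Constructed sample: five command lines copied from the tree (the second C:/Windows/
# line is the repeat by PID 1568) plus two controls.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Dev\\proj\\bin'",   # narrow control
    "\"powershell\" -Command Get-MpPreference",                                      # no exclusion
]

if __name__ == "__main__":
    for f in audit_exclusions(SAMPLE_CMDLINES):
        print(f"{f['breadth']:20} {f['path']}")
```

Add-MpPreference needs an elevated context, which is why it follows the UAC tampering in the tree, and Defender records each change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log. A drive-root exclusion alone already covers every file the sample drops afterwards; the ten further exclusions are redundant, so a single 5007 event for C:\ is enough to alert on.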
Processes
-
C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2972 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nv7qRJ8Umn.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 3⤵PID:2932
-
-
C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
-
C:\Recovery\WindowsRE\WmiPrvSE.exe"C:\Recovery\WindowsRE\WmiPrvSE.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4996 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb341735-5d96-4d33-ab8c-b6d223bd93cb.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Recovery\WindowsRE\WmiPrvSE.exeC:\Recovery\WindowsRE\WmiPrvSE.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3284 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a5bd386-a884-4ebb-b4d8-df69af331891.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Recovery\WindowsRE\WmiPrvSE.exeC:\Recovery\WindowsRE\WmiPrvSE.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3384 -
C:\Windows\System32\WScript.exe (tree depth 9, PID 4420)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\369aa7c6-d159-4a5c-8ec3-bebb4e8f5ad5.vbs"
C:\Recovery\WindowsRE\WmiPrvSE.exe (tree depth 10, PID 4380)
  C:\Recovery\WindowsRE\WmiPrvSE.exe
  Signatures: UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious use of AdjustPrivilegeToken; System policy modification
C:\Windows\System32\WScript.exe (tree depth 11, PID 2556)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4eb19f-47ee-44e7-a069-3e810a6b1ed7.vbs"
C:\Recovery\WindowsRE\WmiPrvSE.exe (tree depth 12, PID 4616)
  C:\Recovery\WindowsRE\WmiPrvSE.exe
  Signatures: UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious use of AdjustPrivilegeToken; System policy modification
C:\Windows\System32\WScript.exe (tree depth 13, PID 1484)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8206dc9e-1ffd-45dc-9f06-025e1abb8a80.vbs"
C:\Recovery\WindowsRE\WmiPrvSE.exe (tree depth 14, PID 4884)
  C:\Recovery\WindowsRE\WmiPrvSE.exe
  Signatures: UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious use of AdjustPrivilegeToken; System policy modification
C:\Windows\System32\WScript.exe (tree depth 15, PID 3288)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d30e4198-ba8a-4d3d-a7f6-146746088d34.vbs"
C:\Windows\System32\WScript.exe (tree depth 15, PID 4956)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1531b260-323f-493d-8b6e-eeca1202d024.vbs"
C:\Windows\System32\WScript.exe (tree depth 13, PID 336)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dfc49b9-65ab-4af0-9156-8f3f64566363.vbs"
C:\Windows\System32\WScript.exe (tree depth 11, PID 208)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c87b482-e98b-41f3-b9e8-dc20fef1b46f.vbs"
C:\Windows\System32\WScript.exe (tree depth 9, PID 2508)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ba33123-3150-4cac-be7b-54c0a19d2d7c.vbs"
C:\Windows\System32\WScript.exe (tree depth 7, PID 3208)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a32cbac8-972a-4df0-b639-b1890d7fc4c6.vbs"
C:\Windows\System32\WScript.exe (tree depth 5, PID 4672)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cf99b23-3a8d-4f62-acb9-bd7ea0235e47.vbs"
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3576)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 556)
  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 780)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4820)
  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2016)
  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 516)
  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 5076)
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1192)
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3672)
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3988)
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1748)
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4896)
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1080)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\vfs\services.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4804)
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\vfs\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1752)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\vfs\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4604)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1840)
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4028)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4636)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\IMETC\DICTS\explorer.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4768)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\IME\IMETC\DICTS\explorer.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2888)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMETC\DICTS\explorer.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3400)
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f
  Signatures: Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1568)
  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 464)
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1412)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1416)
  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4672)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3572)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
  Signatures: Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3192)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1204)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4996)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2432)
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2312)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3748)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\wininit.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 544)
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\wininit.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4252)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4508)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe'" /f
  Signatures: Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3984)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4468)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4940)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\smss.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 5044)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2952)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 680)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2928)
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3840)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4104)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4992)
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1896)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3972)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4060)
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 640)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 836)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4000)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3992)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3572)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\System.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3192)
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3880)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1948)
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3644)
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3892)
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2052)
  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1528)
  schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4248)
  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4468)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4940)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3052)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4820)
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\upfc.exe'" /f
  Signatures: Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3576)
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\CbsTemp\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3316)
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\upfc.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4584)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1688)
  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: DcRat
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2892)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2560)
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /f
  Signatures: Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4812)
  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4960)
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
  Signatures: DcRat
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1908)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4896)
  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1932)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (tree depth 1, PID 564)
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1896)
  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4452)
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1640)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1840)
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f
  Signatures: Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1176)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 220)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3472)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4060)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3912)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1376)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3688)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /rl HIGHEST /f
  Signatures: DcRat
C:\Windows\system32\schtasks.exe (tree depth 1, PID 5088)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe (tree depth 1, PID 624)
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
  Signatures: DcRat
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3416)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1604)
  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
  Signatures: DcRat
C:\Windows\system32\schtasks.exe (tree depth 1, PID 1256)
  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4576)
  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
  Signatures: Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 2788)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
  Signatures: DcRat; Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (tree depth 1, PID 4116)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
  Signatures: DcRat
C:\Windows\system32\schtasks.exe (tree depth 1, PID 3340)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Creates scheduled task(s)
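Two patterns in the tree above are worth turning into detection logic: every dropped copy is pinned by three `schtasks /create` calls for the same target (one ONLOGON task at `/rl HIGHEST` plus two MINUTE-interval tasks under a near-duplicate name), and each hop between copies of WmiPrvSE.exe goes through wscript.exe running a GUID-named .vbs from the user's Temp directory. The following is an added example, not part of the sandbox output or of DcRat itself: it parses the schtasks command lines and process events into those two rules. The event dictionaries use a constructed `pid`/`ppid`/`image`/`cmdline` schema rather than any real EDR format, `TRUSTED_DIRS` is a deliberately narrow allow-list chosen for this illustration, and the "NightlyBackup" task and explorer.exe events are hypothetical benign controls; everything else in the sample data is copied from the report.

```python
"""Detection helpers for the two DcRat behaviours in the report above. Added
example (not sandbox output); events use a constructed pid/ppid/image/cmdline schema."""
import re
from collections import defaultdict, namedtuple
from pathlib import PureWindowsPath
from typing import Optional

# Binary names the sample reuses for its dropped copies (the /tr targets above).
SYSTEM_BINARY_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "dwm.exe", "dllhost.exe",
    "explorer.exe", "taskhostw.exe", "sppsvc.exe", "fontdrvhost.exe", "runtimebroker.exe",
    "spoolsv.exe", "sihost.exe", "wmiprvse.exe", "backgroundtaskhost.exe",
    "startmenuexperiencehost.exe", "textinputhost.exe", "upfc.exe", "unsecapp.exe",
    "registry.exe", "idle.exe", "system.exe"}
# Narrow allow-list (an assumption); production rules should key on signer or inventory.
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\windows\system32\wbem"}
# GUID-named .vbs under %LOCALAPPDATA%\Temp, as in the WScript.exe lines above.
GUID_VBS = re.compile(r"\\appdata\\local\\temp\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}"
                      r"-[0-9a-f]{12}\.vbs\b", re.I)
TaskCreate = namedtuple("TaskCreate", "name schedule interval target highest")

def is_masquerading(image: str) -> bool:
    """A system-binary name running from outside the trusted directories."""
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in TRUSTED_DIRS

def _opt(pattern: str, s: str) -> Optional[str]:
    m = re.search(pattern, s, re.I)
    return m.group(1) if m else None

def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Parse a `schtasks /create` command line; None for anything else."""
    if not re.search(r"\bschtasks(?:\.exe)?\s+/create\b", cmdline, re.I):
        return None
    name, target = _opt(r'/tn\s+"([^"]+)"', cmdline), _opt(r'/tr\s+"([^"]+)"', cmdline)
    if not name or not target:
        return None
    mo = _opt(r"/mo\s+(\d+)", cmdline)
    return TaskCreate(name, (_opt(r"/sc\s+(\w+)", cmdline) or "").upper(),
                      int(mo) if mo else None,
                      target.strip("'"),  # DcRat wraps the path in '...'
                      bool(re.search(r"/rl\s+HIGHEST", cmdline, re.I)))

def find_persistence_triads(cmdlines):
    """Group registrations by target: one ONLOGON task plus two MINUTE tasks for
    the same dropped binary is the pattern repeated throughout the report."""
    by_target = defaultdict(list)
    for t in filter(None, map(parse_schtasks, cmdlines)):
        by_target[t.target.lower()].append(t)
    hits = {}
    for target, tasks in by_target.items():
        scheds = [t.schedule for t in tasks]
        if "ONLOGON" in scheds and scheds.count("MINUTE") >= 2:
            hits[target] = {"masquerade": is_masquerading(target),
                            "highest": any(t.highest for t in tasks),
                            "min_interval": min(t.interval for t in tasks if t.interval),
                            "names": sorted({t.name for t in tasks})}
    return hits

def find_script_relaunch_chains(events):
    """wscript.exe running a GUID-named Temp .vbs, spawned by a masquerading
    binary: the stager hop between the WmiPrvSE.exe copies in the tree above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "wscript.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if GUID_VBS.search(e["cmdline"]) and parent and is_masquerading(parent["image"]):
            hits.append((parent["pid"], parent["image"], e["pid"]))
    return hits

# Constructed samples: lines copied from the report above plus one benign control each.
SAMPLE_TASKS = [
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',  # hypothetical
]
WS, DROP = r"C:\Windows\System32\WScript.exe", r"C:\Recovery\WindowsRE\WmiPrvSE.exe"

def _wscript_event(pid, ppid, guid):
    return {"pid": pid, "ppid": ppid, "image": WS,
            "cmdline": f'"{WS}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\{guid}.vbs"'}

SAMPLE_EVENTS = [
    _wscript_event(4420, 0, "369aa7c6-d159-4a5c-8ec3-bebb4e8f5ad5"),  # parent not in the excerpt
    {"pid": 4380, "ppid": 4420, "image": DROP, "cmdline": DROP},
    _wscript_event(2556, 4380, "cc4eb19f-47ee-44e7-a069-3e810a6b1ed7"),
    _wscript_event(208, 4380, "1c87b482-e98b-41f3-b9e8-dc20fef1b46f"),
    {"pid": 4616, "ppid": 2556, "image": DROP, "cmdline": DROP},
    _wscript_event(1484, 4616, "8206dc9e-1ffd-45dc-9f06-025e1abb8a80"),
    {"pid": 900, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},  # hypothetical
    {"pid": 901, "ppid": 900, "image": WS, "cmdline": f'"{WS}" "C:\\Users\\Admin\\Desktop\\inventory.vbs"'},
]
```

Run against the samples, `find_persistence_triads` reports the WmiPrvSE.exe and RuntimeBroker.exe triads (both masquerading, both with a HIGHEST-privilege task, shortest re-launch interval 9 minutes) and ignores the daily backup task; `find_script_relaunch_chains` returns the three wscript.exe hops whose parent is a WmiPrvSE.exe copy under C:\Recovery\WindowsRE and not the explorer.exe-launched script. The RuntimeBroker case shows why the directory check compares the exact parent directory rather than a prefix: the dropped copy sits under C:\Windows\SystemApps, which a looser "anything under C:\Windows" rule would have waved through.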
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize: 3.2MB
MD5: ea589dd962c0fdfc5673cbd692b651a9
SHA1: 10486fc4ba15a2f19885460b59637ef414d24268
SHA256: ccac0a4093173688e2edc42b3e595f6efff2c3ef90997d83a075ef997122d06b
SHA512: d55d202a69d5ca5d180e03ba3ac7f05fae2c33dea4c63651bfd38450383fa97c561ff45409b043f33353cfd76f4369a381629e84cc430ee221e194255a4c6e28
-
Filesize: 3.2MB
MD5: a49e54ff4969e187c9f7df3273ef5133
SHA1: c9bca88e336755f4798dd89dd7a3d065ef809db2
SHA256: 2f81451b388925850509e151438a7731a7b43697829c3b98546d8b848a9bf5df
SHA512: ba332dd609ed1b4d83a2b393834738ffe7caad92b6caf62bee9d445d3b8d4b58c98c2c8c516fd273dccc6eb83a35e566b752f2fa3018f9218f1313e052403b32
-
Filesize: 3.2MB
MD5: 8f834de5a0bd2a92772a793196fe5b7b
SHA1: bbd3c585b570230bf63b76dca4055f4d39d3b8f6
SHA256: 140b35144993dfe6e3c5f3680b1e73b8ed08e04b88d5a4635f8151ac51e4b33f
SHA512: ac70020ea6796ecbc4e0fae5274c6a6a51652f4d84f6184183fb7592f00a31d1072f570db6b144b4d1e6fd649f321ca4d6c95f93151d3d3ba258947eceb44730
-
Filesize: 3.2MB
MD5: 5e11b7a6246841f5c8dc76aa757e0613
SHA1: 44125a86ecdd8fe8cb0261b4ce79b1fc4b61d639
SHA256: 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf
SHA512: 2d8f81567cf50ec22fb577e01cdf123e2da0a13380691133a3f5e01fb989db37d3ff25fff12e5a3d8cd133d13e96c2bad14ae488ce2689e6fdb050fbb9252cf0
-
Filesize: 3.2MB
MD5: 7de4e29fa1f4e942cee665a0c96b2b8d
SHA1: 736546a2709bb364d0993270f2d15e034fa2f918
SHA256: b0688114a8d3176c1cf49a296be40168d4ab052cadc78837c6f690272d61df78
SHA512: 4c71491b23e9570efb8edb2463fbf2b07c59f3a80414c8a14d7bc7dd9815a88091ea8a010d16d909361916d687b1a3f55055046075f674cb1964a1ca48e58920
-
Filesize: 3.2MB
MD5: 58accecfb6a25549f0b0627bc341c725
SHA1: 6fe2f6dd7c1b51be04c9f28ef4ba3907a387c52f
SHA256: 4fe757caa0631d0e77a6ed32414aee4816064dc0d6ab7c151f2305611e56d359
SHA512: 88c691d0455d3a945bcb1184a6842413564ce919b32b3c8bcf8a9a269193ecd13dddab05aaecd2d038df5d1efe2090022450be1a5d99ff8797c67b3edcd5f21a
-
Filesize: 871B
MD5: 6e219a3081fc2cc16ccdcf3679030ead
SHA1: e4c9d1a4be420b7f50deb20bacf2c8fe377afb15
SHA256: a34c231bc0045018eb8aea8540ae59b796a2ba85754e33b3ad4bf314b10d3345
SHA512: a1f7c85de1d241f2d5a311f4e506eb43e4ac12a476b207a3c4e92b2ec4b21063cd1a8efe0c411a2fb3b2d00b0b0bd1bc33c5eef112a1399ee08c806c2926895c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe.log
Filesize: 1KB
MD5: 655010c15ea0ca05a6e5ddcd84986b98
SHA1: 120bf7e516aeed462c07625fbfcdab5124ad05d3
SHA256: 2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
SHA512: e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437
-
Filesize: 1KB
MD5: 49b64127208271d8f797256057d0b006
SHA1: b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256: 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512: f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize: 855B
MD5: 1a33f0958be3b70e2e0d5697fcbb02ec
SHA1: e385747e50578f9af695e61a29ed17ee6b3669cc
SHA256: 10b105180c5434a302a2b0ece421343304adb161fbc112f3bd58106ce0079786
SHA512: 21def95e7c36a3ad7eb73864a6ff8c431713c6ba4f8a6acd450e1f33a12511293c571eb8a8f7bcac41a0af4550b8e49c9dd51d1c6df0516290011d6636e51733
-
Filesize: 944B
MD5: 2e907f77659a6601fcc408274894da2e
SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize: 944B
MD5: bd5940f08d0be56e65e5f2aaf47c538e
SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize: 944B
MD5: caae66b2d6030f85188e48e4ea3a9fa6
SHA1: 108425bd97144fa0f92ff7b2109fec293d14a461
SHA256: a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d
SHA512: 189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15
-
Filesize: 944B
MD5: c65338524586fc00cf00e679a7d4a1f4
SHA1: 62abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae
SHA256: faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6
SHA512: c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310
-
Filesize: 944B
MD5: 118d5649311b514db219f613211e13a9
SHA1: 485cc05e7072d26bf8226062ba1c578d7b30e1c4
SHA256: 4fff6897c69cc3e8b9ae3da4d3c221ecbf329a4112d85cb346a4d413b70581dd
SHA512: b458d6703bde28f5d870542c852ad5990592a7a186eb7b4da83b475a94e2d2cdb1105b27d86414708dc613aad902937601d76cedad8304832c4d59ac1c088db4
-
Filesize: 944B
MD5: 0f6a77860cd9c5289dd6e45bbc36a982
SHA1: 750d55b0d394bc5716fc3e3204975b029d3dc43b
SHA256: a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4
SHA512: e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06
-
Filesize: 944B
MD5: 47b7b79f57b7b1e83eeac152887ff212
SHA1: 2bff47a7face28f57a8db2fa25079a469ff6e0ce
SHA256: cc70fa88d22f3c6b2d548a66e0a46fca5dfefea966cb22ebb0866cb0c5b09104
SHA512: ba4d5b90cfcf75f3abbb3e629d17f3c6b73f175743d7040f29289aca1086ad066c96e20ad97d5153b02b59cdf075e60250cf3002df0a09bb4e9d96e735f82aec
-
Filesize: 944B
MD5: f034c2130e582c647bfb45a3a835cbdd
SHA1: 30b4ddd9ba0ac86a237688b6e5750744ed7e2526
SHA256: c20cda0a4034398dfcbf1bbfea3a2ede33ed18ab57906c4f08e02a40382e1081
SHA512: 3a20ea802ae8261f15497173050f76693a15270340c76e27daf3e4959816ecd37aa8cedb2d47141d5f0d17a2cc6c59722d06d156b2e715cfbaa1c6e51fb30269
-
Filesize: 710B
MD5: c30b5addb034f6ab8697b4d2f56902b3
SHA1: b5d5b0953de9633bbe0e11e90e89a472078a0bd8
SHA256: bdee47b68156f38f245bd39b714eb041028af6ee41e7e7a0fb374b9ce9cf4c60
SHA512: cd065a6675b5560a8a4678699d59a784360bd88c94687045807d648392717cba81a96949c78cb579b07d34de2441763d3d3750d3593ae4476d896eb3346a29ac
-
Filesize: 486B
MD5: a82b8c617fcbba6f352d66e062b6baee
SHA1: fef8d514c144e273e6e34290b17fbae2df4df59a
SHA256: 215ef6c17ce61bf8a5feb3c2af183bec8e2625d9410a77d75d6fe177cb7ce07d
SHA512: 522bd0dfac25e2955e57dcac425904c7b32b8645152c796ec7b9250bd17a1f86f47a45397b3bff0dac86ace8e7b176a3249730217bb2ac553a92fd9a62b138a3
-
Filesize: 710B
MD5: 716784af61d845eb8ad50be99c5b20b9
SHA1: c9e97c8ca1aa413d28d34f3547b2fc23ceb8414b
SHA256: 78ef101b956586c963821e5720860d2c4635fdf9e8fe927a3061f8e03265030c
SHA512: f6d038ec2515cf8a8087385a9537012bd121c70aaff1cbb4d29934b1db8da11b3611e68199f29809f6287ec79e7a260ea90a7a14a7304a1fe71036d99d07ce86
-
Filesize: 710B
MD5: 70d5231586208ad7ca40ef3eb3515a54
SHA1: e1a000b2c09cf0bc43f74d88a0112582b43942ee
SHA256: 2ff26a7c6fc194f1b6464b2681b5ce44fea5a4601914db0a7fb6d07948d4ba6c
SHA512: c83bf87cced0a32862076780e9fde92345fb58ee1fb1b54c73b71d34264710eb3cbaf0fa358115e3a47987d368ee730c826de9af03dfbf2f9e3aeed4e8a42c08
-
Filesize: 267B
MD5: dcac32fb7b217e552c9431972d164cd2
SHA1: 611c94e116b689008e59dff72782938ec479f125
SHA256: 6acf85bd3bd2513cd56a2a38c1d6c89952c2c0c5d0134f4f9dc044e2bcc686f1
SHA512: 27e32ec29cc1bc0e021064731c5c43f2fa4cab412e690861846259f98fa326f083ff8602d97a5d1fe8f2790d72f8b1e984a61bc19fc0e3d3fdc62c6cefdcd89d
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 710B
MD5: dbe925ab3cf35eebddb88019bf095e45
SHA1: 3673ebf05271ca8e4cbaeb9855e8c34c7771a877
SHA256: 3a5ca6ac13730848d10940a4cf46c43c114b616c1996cea2497325957c7d6259
SHA512: 829da44c222775018975145941a0c15f1bf5b4d446a6d52f3982740c1cd412fce5558aeb0052bbba24956c59f6704ba9f7cdc87c4c55e113a4cb116f16df4c1b
-
Filesize: 710B
MD5: 6a2c4d72156b66e78de598fb588c20f4
SHA1: 68191e0b35e7c9c9c4dfbe59272737be1b4adeaf
SHA256: 3abe41e784fe3c6393fc21a59b332cd18007a81f6f68e5d3f29fad683ad0ab72
SHA512: 4d627fb0d9ac4f28b5c53b6e4ecc51ba2c5e4ebc9807381968862ac86c141f9cf5da9bb29f1ba57030f3ddb9ef65a62b2970a9abce0b8225e3a5c9c6149e3c00
-
Filesize: 710B
MD5: 13e5e085bc50296776015071b35b95a8
SHA1: 907eaf173b2c191b9eacc56bc3db19846640f4b8
SHA256: 5ab0cfe587fa0956165874f4812d38f0365a07a92fc2d2219142c903b4f2857c
SHA512: 9bd65a34fd6055c7c1bd1104bc9a457196cac1c6d266f9731e82993fbdf8dba8a2c3b96c4bb70e3fef824528a5bb4fd651db2643f88385f49698898a0f43648b