Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-05-2024 23:01
Behavioral task: behavioral1
Sample: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Resource: win10v2004-20240508-en
General
Target: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Size: 1.2MB
MD5: 7b05cf7f9e8162f55d50f10f711df29a
SHA1: 6c077351d11f6069067d69b6ece6d0989e972c99
SHA256: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47
SHA512: 275b2d3680a92510c0a72c5e369c5c2ca57be94b71e4c668a8be9874b85bf084a6d065973cfce685580ed123adfba95373338c0b2009be86399afcd4c7c1a0d8
SSDEEP: 24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2808 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1524 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2528 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1616 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2888 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3036 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1520 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1272 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 288 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1612 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2836 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 316 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 836 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1760 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1184 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2264 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 2668 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 2668 | schtasks.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Processes:
resource | yara_rule
behavioral1/memory/2204-1-0x0000000001060000-0x000000000119A000-memory.dmp | dcrat
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe | dcrat
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | dcrat
behavioral1/memory/928-125-0x0000000000EF0000-0x000000000102A000-memory.dmp | dcrat
behavioral1/memory/2804-137-0x0000000000F90000-0x00000000010CA000-memory.dmp | dcrat
behavioral1/memory/1760-160-0x0000000001210000-0x000000000134A000-memory.dmp | dcrat
behavioral1/memory/2148-172-0x0000000001240000-0x000000000137A000-memory.dmp | dcrat
behavioral1/memory/2976-195-0x00000000013D0000-0x000000000150A000-memory.dmp | dcrat
behavioral1/memory/2884-240-0x0000000000130000-0x000000000026A000-memory.dmp | dcrat
behavioral1/memory/692-252-0x0000000000870000-0x00000000009AA000-memory.dmp | dcrat
behavioral1/memory/1688-264-0x0000000001140000-0x000000000127A000-memory.dmp | dcrat
Detects executables containing base64 encoded gzip files 11 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2204-1-0x0000000001060000-0x000000000119A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/928-125-0x0000000000EF0000-0x000000000102A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2804-137-0x0000000000F90000-0x00000000010CA000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/1760-160-0x0000000001210000-0x000000000134A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2148-172-0x0000000001240000-0x000000000137A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2976-195-0x00000000013D0000-0x000000000150A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2884-240-0x0000000000130000-0x000000000026A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/692-252-0x0000000000870000-0x00000000009AA000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/1688-264-0x0000000001140000-0x000000000127A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Detects executables packed with SmartAssembly 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2204-5-0x0000000000460000-0x0000000000470000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2204-8-0x00000000005B0000-0x00000000005BA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2204-10-0x00000000005E0000-0x00000000005EC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2204-13-0x0000000000610000-0x000000000061C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2204-15-0x0000000000630000-0x000000000063A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2204-17-0x0000000000AF0000-0x0000000000AFC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2204-19-0x0000000000B10000-0x0000000000B1A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Executes dropped EXE 15 IoCs
Processes:
pid | process
928 | lsass.exe
2804 | lsass.exe
2852 | lsass.exe
1760 | lsass.exe
2148 | lsass.exe
1712 | lsass.exe
2976 | lsass.exe
1664 | lsass.exe
1648 | lsass.exe
2348 | lsass.exe
2884 | lsass.exe
692 | lsass.exe
1688 | lsass.exe
2660 | lsass.exe
2632 | lsass.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\7-Zip\Lang\taskhost.exe | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
File opened for modification | C:\Program Files\7-Zip\Lang\taskhost.exe | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
File created | C:\Program Files\7-Zip\Lang\b75386f1303e64 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
File opened for modification | C:\Program Files\7-Zip\Lang\RCX283A.tmp | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\5940a34987c991 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\RCX3C20.tmp | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2528 | schtasks.exe
2472 | schtasks.exe
2688 | schtasks.exe
2020 | schtasks.exe
1520 | schtasks.exe
316 | schtasks.exe
1676 | schtasks.exe
2932 | schtasks.exe
2980 | schtasks.exe
1272 | schtasks.exe
1760 | schtasks.exe
1688 | schtasks.exe
1524 | schtasks.exe
288 | schtasks.exe
2716 | schtasks.exe
2260 | schtasks.exe
776 | schtasks.exe
2808 | schtasks.exe
2888 | schtasks.exe
2028 | schtasks.exe
1184 | schtasks.exe
2264 | schtasks.exe
2088 | schtasks.exe
2636 | schtasks.exe
2860 | schtasks.exe
2800 | schtasks.exe
1648 | schtasks.exe
1612 | schtasks.exe
836 | schtasks.exe
1616 | schtasks.exe
2872 | schtasks.exe
3036 | schtasks.exe
2836 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
928 | lsass.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Token: SeDebugPrivilege | 928 | lsass.exe
Token: SeDebugPrivilege | 2804 | lsass.exe
Token: SeDebugPrivilege | 2852 | lsass.exe
Token: SeDebugPrivilege | 1760 | lsass.exe
Token: SeDebugPrivilege | 2148 | lsass.exe
Token: SeDebugPrivilege | 1712 | lsass.exe
Token: SeDebugPrivilege | 2976 | lsass.exe
Token: SeDebugPrivilege | 1664 | lsass.exe
Token: SeDebugPrivilege | 1648 | lsass.exe
Token: SeDebugPrivilege | 2348 | lsass.exe
Token: SeDebugPrivilege | 2884 | lsass.exe
Token: SeDebugPrivilege | 692 | lsass.exe
Token: SeDebugPrivilege | 1688 | lsass.exe
Token: SeDebugPrivilege | 2660 | lsass.exe
Token: SeDebugPrivilege | 2632 | lsass.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2204 wrote to memory of 928 | 2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | lsass.exe
PID 2204 wrote to memory of 928 | 2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | lsass.exe
PID 2204 wrote to memory of 928 | 2204 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | lsass.exe
PID 928 wrote to memory of 1568 | 928 | lsass.exe | WScript.exe
PID 928 wrote to memory of 1568 | 928 | lsass.exe | WScript.exe
PID 928 wrote to memory of 1568 | 928 | lsass.exe | WScript.exe
PID 928 wrote to memory of 3048 | 928 | lsass.exe | WScript.exe
PID 928 wrote to memory of 3048 | 928 | lsass.exe | WScript.exe
PID 928 wrote to memory of 3048 | 928 | lsass.exe | WScript.exe
PID 1568 wrote to memory of 2804 | 1568 | WScript.exe | lsass.exe
PID 1568 wrote to memory of 2804 | 1568 | WScript.exe | lsass.exe
PID 1568 wrote to memory of 2804 | 1568 | WScript.exe | lsass.exe
PID 2804 wrote to memory of 1664 | 2804 | lsass.exe | WScript.exe
PID 2804 wrote to memory of 1664 | 2804 | lsass.exe | WScript.exe
PID 2804 wrote to memory of 1664 | 2804 | lsass.exe | WScript.exe
PID 2804 wrote to memory of 552 | 2804 | lsass.exe | WScript.exe
PID 2804 wrote to memory of 552 | 2804 | lsass.exe | WScript.exe
PID 2804 wrote to memory of 552 | 2804 | lsass.exe | WScript.exe
PID 1664 wrote to memory of 2852 | 1664 | WScript.exe | lsass.exe
PID 1664 wrote to memory of 2852 | 1664 | WScript.exe | lsass.exe
PID 1664 wrote to memory of 2852 | 1664 | WScript.exe | lsass.exe
PID 2852 wrote to memory of 2696 | 2852 | lsass.exe | WScript.exe
PID 2852 wrote to memory of 2696 | 2852 | lsass.exe | WScript.exe
PID 2852 wrote to memory of 2696 | 2852 | lsass.exe | WScript.exe
PID 2852 wrote to memory of 2836 | 2852 | lsass.exe | WScript.exe
PID 2852 wrote to memory of 2836 | 2852 | lsass.exe | WScript.exe
PID 2852 wrote to memory of 2836 | 2852 | lsass.exe | WScript.exe
PID 2696 wrote to memory of 1760 | 2696 | WScript.exe | lsass.exe
PID 2696 wrote to memory of 1760 | 2696 | WScript.exe | lsass.exe
PID 2696 wrote to memory of 1760 | 2696 | WScript.exe | lsass.exe
PID 1760 wrote to memory of 1632 | 1760 | lsass.exe | WScript.exe
PID 1760 wrote to memory of 1632 | 1760 | lsass.exe | WScript.exe
PID 1760 wrote to memory of 1632 | 1760 | lsass.exe | WScript.exe
PID 1760 wrote to memory of 628 | 1760 | lsass.exe | WScript.exe
PID 1760 wrote to memory of 628 | 1760 | lsass.exe | WScript.exe
PID 1760 wrote to memory of 628 | 1760 | lsass.exe | WScript.exe
PID 1632 wrote to memory of 2148 | 1632 | WScript.exe | lsass.exe
PID 1632 wrote to memory of 2148 | 1632 | WScript.exe | lsass.exe
PID 1632 wrote to memory of 2148 | 1632 | WScript.exe | lsass.exe
PID 2148 wrote to memory of 3064 | 2148 | lsass.exe | WScript.exe
PID 2148 wrote to memory of 3064 | 2148 | lsass.exe | WScript.exe
PID 2148 wrote to memory of 3064 | 2148 | lsass.exe | WScript.exe
PID 2148 wrote to memory of 1772 | 2148 | lsass.exe | WScript.exe
PID 2148 wrote to memory of 1772 | 2148 | lsass.exe | WScript.exe
PID 2148 wrote to memory of 1772 | 2148 | lsass.exe | WScript.exe
PID 3064 wrote to memory of 1712 | 3064 | WScript.exe | lsass.exe
PID 3064 wrote to memory of 1712 | 3064 | WScript.exe | lsass.exe
PID 3064 wrote to memory of 1712 | 3064 | WScript.exe | lsass.exe
PID 1712 wrote to memory of 2016 | 1712 | lsass.exe | WScript.exe
PID 1712 wrote to memory of 2016 | 1712 | lsass.exe | WScript.exe
PID 1712 wrote to memory of 2016 | 1712 | lsass.exe | WScript.exe
PID 1712 wrote to memory of 3012 | 1712 | lsass.exe | WScript.exe
PID 1712 wrote to memory of 3012 | 1712 | lsass.exe | WScript.exe
PID 1712 wrote to memory of 3012 | 1712 | lsass.exe | WScript.exe
PID 2016 wrote to memory of 2976 | 2016 | WScript.exe | lsass.exe
PID 2016 wrote to memory of 2976 | 2016 | WScript.exe | lsass.exe
PID 2016 wrote to memory of 2976 | 2016 | WScript.exe | lsass.exe
PID 2976 wrote to memory of 2872 | 2976 | lsass.exe | WScript.exe
PID 2976 wrote to memory of 2872 | 2976 | lsass.exe | WScript.exe
PID 2976 wrote to memory of 2872 | 2976 | lsass.exe | WScript.exe
PID 2976 wrote to memory of 2728 | 2976 | lsass.exe | WScript.exe
PID 2976 wrote to memory of 2728 | 2976 | lsass.exe | WScript.exe
PID 2976 wrote to memory of 2728 | 2976 | lsass.exe | WScript.exe
PID 2872 wrote to memory of 1664 | 2872 | WScript.exe | lsass.exe
System policy modification 1 TTPs 45 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe -
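Added triage example, not part of the sandbox report: a parser for the "Set value" event lines in the format above that maps the \REGISTRY\MACHINE prefix to HKLM and summarises what each zeroed UAC policy means. The four sample events are a constructed excerpt of the 45 listed above; the policy meanings are facts about Windows, not something the report states; read_live_uac_policy is an optional Windows-only check that returns an empty dict elsewhere.

```python
import re
from collections import Counter

# Constructed sample in the report's "Set value" event format: four of the
# 45 events above, not a complete copy of them.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
"""

# "Set value (<type>) <key>\<name> = "<value>" <process>"; the key is taken
# lazily so the value name is everything after the last backslash.
_EVENT = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)
_HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# What a value of 0 means for each UAC policy (Windows behaviour, not a claim
# taken from the report).
UAC_ZERO_MEANS = {
    "EnableLUA": "UAC disabled entirely; takes effect after the next reboot",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no consent prompt; immediate",
    "PromptOnSecureDesktop": "any remaining prompt is shown on the interactive desktop, where it can be spoofed or auto-clicked",
}


def parse_set_value_events(text):
    """Parse sandbox 'Set value' lines into dicts with the hive name normalised."""
    events = []
    for line in text.splitlines():
        m = _EVENT.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        for prefix, hive in _HIVES.items():
            if ev["key"].startswith(prefix):
                ev["key"] = hive + ev["key"][len(prefix):]
        events.append(ev)
    return events


def assess_uac(events):
    """Summarise UAC policy tampering: which policies were zeroed and by which processes."""
    findings = {}
    writers = Counter()
    for ev in events:
        if ev["key"].lower() != UAC_KEY.lower() or ev["name"] not in UAC_ZERO_MEANS:
            continue
        writers[ev["proc"]] += 1
        if ev["value"] == "0":
            findings.setdefault(ev["name"], UAC_ZERO_MEANS[ev["name"]])
    return {
        "uac_disabled_after_reboot": "EnableLUA" in findings,
        "silent_elevation_now": "ConsentPromptBehaviorAdmin" in findings,
        "findings": findings,
        "writers": dict(writers),
    }


def read_live_uac_policy():
    """On Windows, read the same three values from the live registry; {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY.split("\\", 1)[1]) as key:
        for name in UAC_ZERO_MEANS:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                out[name] = None  # value absent: Windows default applies
    return out


if __name__ == "__main__":
    report = assess_uac(parse_set_value_events(SAMPLE_EVENTS))
    for name, meaning in report["findings"].items():
        print(f"{name} = 0: {meaning}")
    print("written by:", report["writers"])
```

On a live host the three values can be compared with read_live_uac_policy(); a zero in any of them on a machine that should enforce UAC is worth the same attention as the sandbox events.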
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth is the position in the process tree. The command line of each .exe entry is its quoted image path; WScript.exe command lines are shown in full. Every lsass.exe below is the dropped copy at C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe, and every WScript.exe is C:\Windows\System32\WScript.exe. Each lsass.exe instance starts two WScript.exe children; only the first is followed by a further lsass.exe.

- depth 1, PID 2204: C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
  Signatures: UAC bypass; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- depth 2, PID 928: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- depth 3, PID 1568: WScript.exe "C:\Users\Admin\AppData\Local\Temp\6005f989-f7a9-4055-819d-977900273d66.vbs"
  Signatures: Suspicious use of WriteProcessMemory
- depth 4, PID 2804: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- depth 5, PID 1664: WScript.exe "C:\Users\Admin\AppData\Local\Temp\ba96d3d6-50a6-4b08-af82-7eddc7691df5.vbs"
  Signatures: Suspicious use of WriteProcessMemory
- depth 6, PID 2852: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- depth 7, PID 2696: WScript.exe "C:\Users\Admin\AppData\Local\Temp\07522d8d-6031-4b5b-950c-1a759d2e8288.vbs"
  Signatures: Suspicious use of WriteProcessMemory
- depth 8, PID 1760: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- depth 9, PID 1632: WScript.exe "C:\Users\Admin\AppData\Local\Temp\ba27be3a-0622-468f-838b-88eef2bc92f6.vbs"
  Signatures: Suspicious use of WriteProcessMemory
- depth 10, PID 2148: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- depth 11, PID 3064: WScript.exe "C:\Users\Admin\AppData\Local\Temp\25a607aa-d346-4672-9626-c059e84bcef7.vbs"
  Signatures: Suspicious use of WriteProcessMemory
- depth 12, PID 1712: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- depth 13, PID 2016: WScript.exe "C:\Users\Admin\AppData\Local\Temp\15ba4346-0aba-4a22-89bc-0b33c7cca7d1.vbs"
  Signatures: Suspicious use of WriteProcessMemory
- depth 14, PID 2976: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- depth 15, PID 2872: WScript.exe "C:\Users\Admin\AppData\Local\Temp\0cc0817e-acb1-4b5a-878e-4ece6bb99ffd.vbs"
  Signatures: Suspicious use of WriteProcessMemory
- depth 16, PID 1664: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
- depth 17, PID 1472: WScript.exe "C:\Users\Admin\AppData\Local\Temp\e5168d97-7aaa-4218-8770-fbc36f5fafc7.vbs"
  Signatures: none recorded
- depth 18, PID 1648: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
- depth 19, PID 1704: WScript.exe "C:\Users\Admin\AppData\Local\Temp\47e07594-bdcd-4a6e-b15c-17bbfaa171e0.vbs"
  Signatures: none recorded
- depth 20, PID 2348: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
- depth 21, PID 1940: WScript.exe "C:\Users\Admin\AppData\Local\Temp\fd4bc98f-1d37-461e-b4d7-ae9290da89a3.vbs"
  Signatures: none recorded
- depth 22, PID 2884: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
- depth 23, PID 2988: WScript.exe "C:\Users\Admin\AppData\Local\Temp\11408965-a031-45a4-9ddd-1174e1951fa7.vbs"
  Signatures: none recorded
- depth 24, PID 692: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
- depth 25, PID 2484: WScript.exe "C:\Users\Admin\AppData\Local\Temp\9cff87ea-880f-486c-83a2-108888155b08.vbs"
  Signatures: none recorded
- depth 26, PID 1688: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
- depth 27, PID 1384: WScript.exe "C:\Users\Admin\AppData\Local\Temp\ac2b3ebf-d625-4c9b-9c61-4ad84d56c72c.vbs"
  Signatures: none recorded
- depth 28, PID 2660: lsass.exe
  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
- depth 29, PID 928: WScript.exe "C:\Users\Admin\AppData\Local\Temp\8d54acb9-ea33-4fac-92c5-9957f249ba27.vbs"
  Signatures: none recorded
- depth 30, PID 2632: lsass.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- depth 29, PID 2060: WScript.exe "C:\Users\Admin\AppData\Local\Temp\20cdbbdd-36ce-4ca2-b93d-286e19d97e79.vbs"
  Signatures: none recorded
- depth 27, PID 892: WScript.exe "C:\Users\Admin\AppData\Local\Temp\e3aaada3-b943-4831-acbb-c0956fa2f593.vbs"
  Signatures: none recorded
- depth 25, PID 2736: WScript.exe "C:\Users\Admin\AppData\Local\Temp\8fda90d4-8cfe-4d52-a897-85f577e3d378.vbs"
  Signatures: none recorded
- depth 23, PID 1868: WScript.exe "C:\Users\Admin\AppData\Local\Temp\dbf1ba91-215f-47b3-977d-57ab038a80a9.vbs"
  Signatures: none recorded
- depth 21, PID 2404: WScript.exe "C:\Users\Admin\AppData\Local\Temp\3d76cbd0-1849-47c9-9249-18e36dd297be.vbs"
  Signatures: none recorded
- depth 19, PID 1632: WScript.exe "C:\Users\Admin\AppData\Local\Temp\f5bcb7c6-d8b1-409f-81a9-466d7a016ec9.vbs"
  Signatures: none recorded
- depth 17, PID 2028: WScript.exe "C:\Users\Admin\AppData\Local\Temp\7f5e9975-a8cf-4f96-9267-bb709de46d0f.vbs"
  Signatures: none recorded
- depth 15, PID 2728: WScript.exe "C:\Users\Admin\AppData\Local\Temp\1267f796-d6fc-438d-921f-1b587723bf4e.vbs"
  Signatures: none recorded
- depth 13, PID 3012: WScript.exe "C:\Users\Admin\AppData\Local\Temp\ef43f8ae-a172-4281-ad4f-32deec5a4441.vbs"
  Signatures: none recorded
- depth 11, PID 1772: WScript.exe "C:\Users\Admin\AppData\Local\Temp\99ffe88c-8757-45cb-afdb-9aab142937bc.vbs"
  Signatures: none recorded
- depth 9, PID 628: WScript.exe "C:\Users\Admin\AppData\Local\Temp\3fc9ecaf-5aae-4932-ba43-6c8497214311.vbs"
  Signatures: none recorded
- depth 7, PID 2836: WScript.exe "C:\Users\Admin\AppData\Local\Temp\e8da6832-5614-47b8-8bfe-a24219509948.vbs"
  Signatures: none recorded
- depth 5, PID 552: WScript.exe "C:\Users\Admin\AppData\Local\Temp\c5623b9b-fff1-4318-8815-fa267e3c2cb3.vbs"
  Signatures: none recorded
- depth 3, PID 3048: WScript.exe "C:\Users\Admin\AppData\Local\Temp\cb895221-8cc4-4b74-8f2a-04e49e9174d7.vbs"
  Signatures: none recorded
The 33 schtasks.exe invocations below all run as C:\Windows\system32\schtasks.exe at depth 1, and each carries the signatures "Process spawned unexpected child process" and "Creates scheduled task(s)". Each of the 11 payload paths is registered three times: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST. The interval task name is the ONLOGON name with one letter appended (taskhostt, smsss, lsassl, dwmd, SystemS, servicess, csrssc, dllhostd, audiodga), and every target is wrapped in nested "'...'" quotes.

- PID 2636: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
- PID 2808: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
- PID 2860: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
- PID 2800: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\smss.exe'" /f
- PID 1524: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\smss.exe'" /rl HIGHEST /f
- PID 2528: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\smss.exe'" /rl HIGHEST /f
- PID 2688: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
- PID 2020: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
- PID 2472: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
- PID 1616: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
- PID 2872: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
- PID 2888: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
- PID 2980: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
- PID 3036: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
- PID 1520: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
- PID 1272: schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /f
- PID 288: schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f
- PID 1648: schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f
- PID 1676: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\services.exe'" /f
- PID 1612: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
- PID 2716: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
- PID 2836: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /f
- PID 316: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f
- PID 2028: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f
- PID 836: schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /f
- PID 1760: schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f
- PID 1184: schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f
- PID 2264: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /f
- PID 2260: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /rl HIGHEST /f
- PID 1688: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /rl HIGHEST /f
- PID 2932: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /f
- PID 2088: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f
- PID 776: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f
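Added detection example, not the sandbox's code, for the Task Scheduler signature and the schtasks command lines above: it parses schtasks /create command lines and flags the patterns this report shows (a Windows system-process name at a path outside System32, the nested "'...'" quoting, /rl HIGHEST, short MINUTE intervals, and one target registered under several task names). Four of the sample lines are copied from the report; the two benign ones (AcmeBackup, Maint) are constructed for contrast, and the system-process name list and trusted directories are my choices.

```python
import re
from pathlib import PureWindowsPath

# Windows process names this family reuses for its dropped copies. Legitimate
# images with these names live under %SystemRoot%\System32 (or SysWOW64); the
# same name anywhere else is a masquerade. List chosen here, not by the report.
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "csrss.exe", "smss.exe", "dwm.exe", "services.exe", "dllhost.exe",
    "audiodg.exe", "taskhost.exe", "svchost.exe", "wininit.exe", "winlogon.exe",
    "spoolsv.exe", "conhost.exe", "system.exe",
}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Four command lines copied from the report, then two constructed benign ones
# (AcmeBackup and Maint are invented) so the classifier has negatives.
SAMPLE_COMMANDS = r"""
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "AcmeBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f
schtasks.exe /create /tn "Maint" /sc ONLOGON /tr "C:\Windows\System32\taskhost.exe"
""".strip().splitlines()

_OPT = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "tr": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
}


def parse_schtasks_create(cmdline):
    """Return the /create options of a schtasks command line, or None if it is not one."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", cmdline, re.I):
        return None
    task = {"force": bool(re.search(r"\s/f\b", cmdline, re.I))}
    for name, rx in _OPT.items():
        m = rx.search(cmdline)
        task[name] = m.group(1) if m else None
    target = task["tr"] or ""
    # This family wraps the target in both quote kinds: /tr "'C:\...\x.exe'".
    task["nested_quotes"] = len(target) >= 2 and target[0] == target[-1] == "'"
    task["target"] = target.strip("'")
    return task


def _in_trusted_dir(parent):
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def classify(task):
    """List the reasons a parsed /create task looks like persistence, [] if none."""
    reasons = []
    path = PureWindowsPath(task["target"])
    if path.name.lower() in SYSTEM_PROCESS_NAMES and not _in_trusted_dir(str(path.parent).lower()):
        reasons.append(f"system-process name {path.name} outside System32: {task['target']}")
    if task["nested_quotes"]:
        reasons.append("target wrapped in nested \"'...'\" quotes")
    if (task["rl"] or "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if (task["sc"] or "").upper() == "MINUTE" and task["mo"] and int(task["mo"]) <= 15:
        reasons.append(f"relaunches every {task['mo']} minute(s)")
    return reasons


def triage(cmdlines):
    """Return (task name, target, reasons) for every schtasks /create command line."""
    tasks = [t for t in map(parse_schtasks_create, cmdlines) if t is not None]
    names_per_target = {}
    for t in tasks:
        names_per_target.setdefault(t["target"].lower(), set()).add(t["tn"])
    results = []
    for t in tasks:
        reasons = classify(t)
        names = names_per_target[t["target"].lower()]
        if len(names) > 1:  # the report pairs e.g. "lsass" (ONLOGON) with "lsassl" (MINUTE)
            reasons.append(f"same target registered under {len(names)} task names: {sorted(names)}")
        results.append((t["tn"], t["target"], reasons))
    return results


if __name__ == "__main__":
    for name, target, reasons in triage(SAMPLE_COMMANDS):
        print(("SUSPICIOUS" if reasons else "ok").ljust(10), repr(name).ljust(14), "->", target)
        for r in reasons:
            print(" " * 12, r)
```

Feed it process-creation telemetry (Sysmon event 1 or Security 4688 command lines) rather than the sandbox text; the same parser applies, and the cross-task check in triage only works when all the /create lines from one host are passed together.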
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Scheduled Task/Job (1)
Downloads
- C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe (same size as the submitted sample, different hashes)
  Filesize: 1.2MB
  MD5: ab847f6f56089b43846bfdab2d546973
  SHA1: e3687c95196a50e36952454992f9b2caf40437e9
  SHA256: c8c8cc6c7204e50535670740a1a5e91aa63c1c72e6bb61ecc727ed6f3f776f8d
  SHA512: db450dbf6bbee41df459cd7a37dfb740a602064e5559b0af66c6334ec67052963759cd7fdf75b31f9cf71e797a5bc7186fa2dd0d6c77804e0f9d141cd7e47a10
- (no path recorded; hashes match the submitted sample)
  Filesize: 1.2MB
  MD5: 7b05cf7f9e8162f55d50f10f711df29a
  SHA1: 6c077351d11f6069067d69b6ece6d0989e972c99
  SHA256: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47
  SHA512: 275b2d3680a92510c0a72c5e369c5c2ca57be94b71e4c668a8be9874b85bf084a6d065973cfce685580ed123adfba95373338c0b2009be86399afcd4c7c1a0d8
- (no path recorded)
  Filesize: 761B
  MD5: 715d0544bbb8eaca9bdccfa03b5143e7
  SHA1: 5624a678fc68cc1a9d636f25a455f6f66ea7ccea
  SHA256: abd58ae25c40c288cace17553e97b72e1311161d47b2d08d2498c5f518520da2
  SHA512: 4c3ee1ae2120d20d5f796cb9f7b000f3316e31147e5cc996952f89cb766f922e289d0e48696828b081c403a5c04ea92f171bee88558aa72dd0ddd661c29ce343
- (no path recorded)
  Filesize: 761B
  MD5: c2c1e88dedc126c8adf047c557d21be5
  SHA1: d5019e7ae7ec64d815cc03165aedde85b613739b
  SHA256: b8f5b03e7320edb988d76fb8cdc9d04ea23ea81334ef9ba336e32f90573696cf
  SHA512: 5c7f4946eaef2655cb3652f4d15def37881ed1b6a06dd9f9ac035ebb2bf2aee8fd39d5f69fc4cbd2be6a659de586d812104e151da798757c9b1c1eb9371b5216
- (no path recorded)
  Filesize: 761B
  MD5: b0cbf2648c4063c3240ad614d8a28c5a
  SHA1: ccf3a5606cd18e27181dfe7e915b6b02e33a8ad4
  SHA256: fbbe3f330b925376016d4baf833bc2cc1db6e55c7bc9780663f9840ffca96bb9
  SHA512: cfbf0fad67d1210ace6b61410fdcb9b12846877c1284684b717b604ed94d9f81f26f4b916d29a4ebe5eaba2156d897950d19fb0b06b4c686def8daab92fbb754
- (no path recorded)
  Filesize: 761B
  MD5: 5e0218baa47a2901ba134c328505f9e3
  SHA1: 2bb64ee2f73d053080274392db8fb0350acdbb06
  SHA256: 4be23cbdc0c9958d5a96484b97cbffea1b977c9ef5f7c9624228bc571f6416ce
  SHA512: da69b3189f8fdd61fc1d30dd36515324127f75151b47753ba8efd8beea764ce3f2c2bf480e8c1e589fc9c4cc05ebb2aed130973e7066a9b4a36afbbb3faa99ee
- (no path recorded)
  Filesize: 761B
  MD5: bbf2c6d6f0892434046c6ffd8ecefaa5
  SHA1: 9d631090e7841fd01bf971cbcb63c71294083d6e
  SHA256: ff776fb5343a99b17d1ffe31cde8d3cb1726f3ca7853dc4d4a6931d8973cc75d
  SHA512: b52a6e28875ad46ad2cf634c95b09660effef73ee4658b65385f92c054f47dcfe09c76ab4e5ba078c01d7528543e9ef6db4cd1579ddc72345899427368e396af
- (no path recorded)
  Filesize: 761B
  MD5: 5aecee3885808d1bf02339513168d038
  SHA1: fc3bbbefc2972ab5faa21d6e947e5f092ccf5104
  SHA256: 7de6ee9ba05eb99e46ba6bf7b21946f7d748a66389b8d578a54f85a227c90da0
  SHA512: bb8583b4a2206441cfe0b88b0e5007f60cea66893b1fe2d4f5f10301e9cdf86ed852635773e8c4d1428a6fbe273651d4ca754f353538e537856e587f1c8d183d
- (no path recorded)
  Filesize: 760B
  MD5: f202e66b3cdfafad2ed7cf973a0105d3
  SHA1: 4dd3bbc884871ee944da3a8e8e4cfe0f43c3890b
  SHA256: 14d4d26a32c02770051d68c542dfb6cee97fa621decdf359e598c109fbee1f6e
  SHA512: abc49dce47394cdafc04f67b16ddcbdc4bb18de952b74d88adac48d1b0fe6b4661a7dc0c4d0557c4731273edad9294058b106be3e612ed845d9453812f6f3400
- (no path recorded)
  Filesize: 761B
  MD5: 3c7eb0fddd49c75da89865e9f1c7160c
  SHA1: 9ca5095f1334b1b2645b0b54dac4452ad77bc2e4
  SHA256: d9bdb1827b3b3376ec8bf19fe7cf3cf7a55c66a50b6202b69443f72354adecea
  SHA512: f1d4849948958ae22dad0582e2ee70b4e34767667065b4f872afe54418c290a4de72e3d10ff986544a2244e2a08dfc45a212da88196c1fbe23950c28278e587d
- (no path recorded)
  Filesize: 760B
  MD5: 4d2b63e9b0e8d85831f24f87a1842014
  SHA1: c3db2597478f939e3d6073cd9fbaa5f7a7332922
  SHA256: ec74b48780bce6602b712f7acea271a10d1aba12f0046cc395714d8c36aeeff8
  SHA512: 1cee5b6f0fa0401c00c3579f96c49c3636dec7661ce821c30202bf46f87a8479de511e79f41ce85ff0c4f1acf149b07f6d05531b9f9061cde881fc6bc9953c87
- (no path recorded)
  Filesize: 761B
  MD5: 7a96a1ae0c59741c8a5a334ab66064cd
  SHA1: 0533f84c64330144dda9a341ce9a8986d0c627b2
  SHA256: f8d9e1e3e6b8d4b95024c7d19ffbbbab2cd991c1e94855dfdeacca98c62ba8fb
  SHA512: a68d827e54c4414f59eca2b52a6cb29bdbc021e766fffe16321015c4ce98ad854d283785e76013d27ccf1769246de6dd71aed07ec5a800b99aced0a6b96860ab
- (no path recorded)
  Filesize: 761B
  MD5: aaa969ac0cd09473f1eb5bef6da6d29d
  SHA1: e1e1f8c09ffb3355a676248e5d0c252c65c23ade
  SHA256: b71fde81a0dc0b5fe9b7a19d23e3860355e1793c892ee3084f3b0a938cdbb53e
  SHA512: e343da1c2ed7444ba62cb7662403949e38db7d2cd1ee2ff0d116ffe6bb9a55c578efb25032ccab367702bcdc9850868c5c6ac17e8578d05f17e39e70304e531a
- (no path recorded)
  Filesize: 761B
  MD5: 044a06fc903c929e86777b8ebbeb5ffb
  SHA1: 02c0161bed0f2461637c980e93a623c703ed0e83
  SHA256: c3355dfab9bc4e1735450f4238e036b2afcd6f2b78f9ebde3b42b2c2c88a9c96
  SHA512: 53a4c1419d43ce4b44d362de91d52f56b9ec09e47028e05f2b06bdfdf7c7fb776d8dac84fae53d352aaad490a82978837a87d8233cf78d345fa90bf793e34e63
- (no path recorded)
  Filesize: 537B
  MD5: 14917d3fe5bafe470dd0e0c9e5f616bf
  SHA1: 7a2650084c6d1c9dbd1b7a9fc7939e2608bc05cd
  SHA256: a47ffb174650a7c570727277f79c9e946d2cbbc7955b4b595c8ee4c87d824aa3
  SHA512: c98e921749bae148c4fe20e27e72325bfeb8f5f4e358d2cebbe611d0135ee7e8dfac38498dd2bd3bd672fcc2ee05c58a82ff02152f1bbd6f361ec42144c6844c
- (no path recorded)
  Filesize: 761B
  MD5: 17927551d5ebd705e83d7bb796d1c0fe
  SHA1: f1f79013bb0900bffbc91666eb569777da573fad
  SHA256: f65c8c0cb113a2c61be29f640840b0bc8811df6079a05f81be409ce0bba58613
  SHA512: 5a335e4257a6f2697fb6e5e2e439d3911149f9710ce0013ab666907d5aae8b834c01a39bcecd09bd9382f4c745f603f5ff27197ce30983ecd4633d1ca88ed1c6
- (no path recorded)
  Filesize: 761B
  MD5: 76111bb744cb6d49ae4cf05dc7c00b0f
  SHA1: 329702f1b4f163a761f578a0706985c288ca0ce1
  SHA256: 851928a7a3ee5694729b0c7e960ed83cf4ed5b5853f3ed9a7cfbcc127262f565
  SHA512: 82f5cb505b484fea96ac28f142440992233efba3081eb658d350c20de42f1cce9eeceaee786db7e9e323970633733d4a0982455b2c1238c4179cb5a539d9dfb4