Analysis
max time kernel: 108s
max time network: 142s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 00:53
Behavioral task: behavioral1
Sample: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Resource: win7-20240221-en
General
Target: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Size: 3.2MB
MD5: 1553f67a0859a3057cde01f77db9dbc0
SHA1: 2cfe40d1fea16093e16c96a35f3240b98da9a5e1
SHA256: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
SHA512: 4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5
SSDEEP: 49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (all rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process | target process
2632 | 2560 | schtasks.exe |
2764 | 2560 | schtasks.exe |
2452 | 2560 | schtasks.exe |
2524 | 2560 | schtasks.exe |
2952 | 2560 | schtasks.exe |
2064 | 2560 | schtasks.exe |
2720 | 2560 | schtasks.exe |
2796 | 2560 | schtasks.exe |
3016 | 2560 | schtasks.exe |
2268 | 2560 | schtasks.exe |
2528 | 2560 | schtasks.exe |
2716 | 2560 | schtasks.exe |
1324 | 2560 | schtasks.exe |
2340 | 2560 | schtasks.exe |
1996 | 2560 | schtasks.exe |
616 | 2560 | schtasks.exe |
1712 | 2560 | schtasks.exe |
1588 | 2560 | schtasks.exe |
2704 | 2560 | schtasks.exe |
2012 | 2560 | schtasks.exe |
1528 | 2560 | schtasks.exe |
1440 | 2560 | schtasks.exe |
1312 | 2560 | schtasks.exe |
2240 | 2560 | schtasks.exe |
2832 | 2560 | schtasks.exe |
2840 | 2560 | schtasks.exe |
2960 | 2560 | schtasks.exe |
UAC bypass 9 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Matches yara rule dcrat 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1720-1-0x0000000000E40000-0x000000000117C000-memory.dmp | dcrat
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe | dcrat
C:\Program Files (x86)\Windows Defender\csrss.exe | dcrat
behavioral1/memory/2112-226-0x0000000000BE0000-0x0000000000F1C000-memory.dmp | dcrat
behavioral1/memory/2468-238-0x0000000000F70000-0x00000000012AC000-memory.dmp | dcrat
behavioral1/memory/1972-251-0x0000000000150000-0x000000000048C000-memory.dmp | dcrat
Detects executables packed with SmartAssembly 8 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1720-8-0x0000000000E00000-0x0000000000E10000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1720-12-0x0000000002680000-0x000000000268A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1720-19-0x0000000002740000-0x000000000274C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1720-20-0x000000001AE40000-0x000000001AE4C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1720-22-0x000000001AE60000-0x000000001AE6C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1720-24-0x000000001AE80000-0x000000001AE8A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1720-28-0x000000001AFC0000-0x000000001AFCC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1720-30-0x000000001AFE0000-0x000000001AFEA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2968 | powershell.exe
2044 | powershell.exe
1936 | powershell.exe
612 | powershell.exe
2992 | powershell.exe
1596 | powershell.exe
3004 | powershell.exe
2864 | powershell.exe
764 | powershell.exe
1508 | powershell.exe
2140 | powershell.exe
2928 | powershell.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
2112 | wininit.exe
2468 | wininit.exe
Checks whether UAC is enabled 6 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Drops file in Program Files directory 25 IoCs
Processes:
process (all rows): a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
description | ioc
File created | C:\Program Files (x86)\Windows Defender\csrss.exe
File opened for modification | C:\Program Files (x86)\Google\Temp\RCX1807.tmp
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX1EF0.tmp
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe
File created | C:\Program Files\Windows Defender\ja-JP\wininit.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX20F5.tmp
File opened for modification | C:\Program Files (x86)\Internet Explorer\ja-JP\RCX27DE.tmp
File created | C:\Program Files\Windows Defender\ja-JP\56085415360792
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe
File created | C:\Program Files (x86)\Internet Explorer\ja-JP\audiodg.exe
File created | C:\Program Files (x86)\Internet Explorer\ja-JP\42af1c969fbb7b
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088
File opened for modification | C:\Program Files (x86)\Google\Temp\RCX1808.tmp
File opened for modification | C:\Program Files\Windows Defender\ja-JP\wininit.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\csrss.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ja-JP\RCX27DF.tmp
File created | C:\Program Files (x86)\Google\Temp\7a0fd90576e088
File created | C:\Program Files (x86)\Windows Defender\886983d96e3d3e
File opened for modification | C:\Program Files (x86)\Google\Temp\explorer.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\RCX1A0C.tmp
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX1EF1.tmp
File opened for modification | C:\Program Files (x86)\Internet Explorer\ja-JP\audiodg.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX2163.tmp
File created | C:\Program Files (x86)\Google\Temp\explorer.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\RCX1A0D.tmp
Drops file in Windows directory 10 IoCs
Processes:
process (all rows): a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
description | ioc
File opened for modification | C:\Windows\ShellNew\RCX1C7F.tmp
File opened for modification | C:\Windows\ShellNew\sppsvc.exe
File opened for modification | C:\Windows\DigitalLocker\de-DE\RCX2367.tmp
File opened for modification | C:\Windows\DigitalLocker\de-DE\RCX2368.tmp
File created | C:\Windows\ShellNew\sppsvc.exe
File created | C:\Windows\ShellNew\0a1fd5f707cd16
File created | C:\Windows\DigitalLocker\de-DE\101b941d020240
File opened for modification | C:\Windows\ShellNew\RCX1C7E.tmp
File opened for modification | C:\Windows\DigitalLocker\de-DE\lsm.exe
File created | C:\Windows\DigitalLocker\de-DE\lsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1324 | schtasks.exe
1996 | schtasks.exe
1528 | schtasks.exe
1312 | schtasks.exe
2764 | schtasks.exe
2952 | schtasks.exe
1588 | schtasks.exe
2704 | schtasks.exe
2240 | schtasks.exe
2832 | schtasks.exe
2268 | schtasks.exe
2716 | schtasks.exe
2452 | schtasks.exe
2524 | schtasks.exe
2796 | schtasks.exe
2960 | schtasks.exe
2340 | schtasks.exe
616 | schtasks.exe
1712 | schtasks.exe
2632 | schtasks.exe
2720 | schtasks.exe
1440 | schtasks.exe
2064 | schtasks.exe
2528 | schtasks.exe
2840 | schtasks.exe
3016 | schtasks.exe
2012 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
2864 | powershell.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
2968 | powershell.exe
3004 | powershell.exe
612 | powershell.exe
764 | powershell.exe
2140 | powershell.exe
2992 | powershell.exe
1596 | powershell.exe
2928 | powershell.exe
1936 | powershell.exe
1508 | powershell.exe
2044 | powershell.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
2112 | wininit.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description (all rows): Token: SeDebugPrivilege
pid | process
1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
2864 | powershell.exe
2968 | powershell.exe
3004 | powershell.exe
612 | powershell.exe
764 | powershell.exe
2140 | powershell.exe
2992 | powershell.exe
1596 | powershell.exe
2928 | powershell.exe
1936 | powershell.exe
1508 | powershell.exe
2044 | powershell.exe
2112 | wininit.exe
2468 | wininit.exe
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
description | pid | process | target process
PID 1720 wrote to memory of 2864 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2864 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2864 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 3004 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 3004 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 3004 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2968 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2968 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2968 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 1596 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 1596 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 1596 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2992 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2992 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2992 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2044 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2044 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2044 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2140 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2140 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2140 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 612 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 612 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 612 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 1508 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 1508 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 1508 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 1936 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 1936 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 1936 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 764 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 764 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 764 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2928 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2928 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2928 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | powershell.exe
PID 1720 wrote to memory of 2112 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | wininit.exe
PID 1720 wrote to memory of 2112 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | wininit.exe
PID 1720 wrote to memory of 2112 | 1720 | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe | wininit.exe
PID 2112 wrote to memory of 1980 | 2112 | wininit.exe | WScript.exe
PID 2112 wrote to memory of 1980 | 2112 | wininit.exe | WScript.exe
PID 2112 wrote to memory of 1980 | 2112 | wininit.exe | WScript.exe
PID 2112 wrote to memory of 1556 | 2112 | wininit.exe | WScript.exe
PID 2112 wrote to memory of 1556 | 2112 | wininit.exe | WScript.exe
PID 2112 wrote to memory of 1556 | 2112 | wininit.exe | WScript.exe
PID 1980 wrote to memory of 2468 | 1980 | WScript.exe | wininit.exe
PID 1980 wrote to memory of 2468 | 1980 | WScript.exe | wininit.exe
PID 1980 wrote to memory of 2468 | 1980 | WScript.exe | wininit.exe
PID 2468 wrote to memory of 2616 | 2468 | wininit.exe | WScript.exe
PID 2468 wrote to memory of 2616 | 2468 | wininit.exe | WScript.exe
PID 2468 wrote to memory of 2616 | 2468 | wininit.exe | WScript.exe
PID 2468 wrote to memory of 2936 | 2468 | wininit.exe | WScript.exe
PID 2468 wrote to memory of 2936 | 2468 | wininit.exe | WScript.exe
PID 2468 wrote to memory of 2936 | 2468 | wininit.exe | WScript.exe
System policy modification 1 TTPs 9 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe (level 1, PID 1720)
  command line: "C:\Users\Admin\AppData\Local\Temp\a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2864)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 3004)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2968)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1596)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2992)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2044)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2140)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 612)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1508)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1936)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 764)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2928)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Program Files\Windows Defender\ja-JP\wininit.exe (level 2, PID 2112)
    command line: "C:\Program Files\Windows Defender\ja-JP\wininit.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\System32\WScript.exe (level 3, PID 1980)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\413a7cb5-67b4-4ea0-9043-e78841d3455f.vbs"
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Windows Defender\ja-JP\wininit.exe (level 4, PID 2468)
        command line: "C:\Program Files\Windows Defender\ja-JP\wininit.exe"
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\System32\WScript.exe (level 5, PID 2616)
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e4a79a4-97f5-4228-9d1e-19e4bc5360bc.vbs"
          C:\Program Files\Windows Defender\ja-JP\wininit.exe (level 6, PID 1972)
            command line: "C:\Program Files\Windows Defender\ja-JP\wininit.exe"
            C:\Windows\System32\WScript.exe (level 7, PID 2912)
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\944a39d5-f21c-4b7a-bef9-31a0bc9d583a.vbs"
            C:\Windows\System32\WScript.exe (level 7, PID 2556)
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6e809e3-bf87-42bd-be61-bc83425e4c22.vbs"
        C:\Windows\System32\WScript.exe (level 5, PID 2936)
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\235315e5-9449-4144-8b12-fcc8ec65657f.vbs"
    C:\Windows\System32\WScript.exe (level 3, PID 1556)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\328c5629-bcf3-4a59-a127-5cd78f32a355.vbs"
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2632

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2764

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2452

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2524

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2952

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2064

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2720

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2796

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3016

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2268

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2528

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2716

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1324

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2340

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1996

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 616

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1712

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1588

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\de-DE\lsm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2704

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\de-DE\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2012

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\de-DE\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1528

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1440

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1312

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2240

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\audiodg.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2832

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2840

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2960
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize: 3.2MB
MD5: e5bd2eb74017da8167f8190df2b5e160
SHA1: dd2339931cb2532176aa1947c3763677c8e5e0b2
SHA256: 070bd4093b734e38ee715ade0573757e8933049fd737b5594ff7026c395836a1
SHA512: ce530140fd05949a3fd2878494cfc81cbd570952154b913cc8ca1dfa0e715d708ced9fde50dde70b5b8739f94430b7ebcf7c3e06f72e6b18f497d73c0817d437
-
Filesize: 3.2MB
MD5: 1553f67a0859a3057cde01f77db9dbc0
SHA1: 2cfe40d1fea16093e16c96a35f3240b98da9a5e1
SHA256: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
SHA512: 4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5
-
Filesize: 727B
MD5: e6641cecc7df2e5ae458afda9c4fd78a
SHA1: 30df669f217fbcd40bfed4f5912524194265327a
SHA256: 259bf7c565830e2589c8169f5da1913e560df5735937fa9c377f7c175261e68b
SHA512: dbbaf6ed2b85f4a3433f69b3dc35049bf4e913365bb68f0b9aa340a3b7d351337fcb9b69d6fa074f5fb83beaafd41317fb500e63b984dfa815052cbbdeb8299b
-
Filesize: 503B
MD5: 22c912a581a28f7ebef81ce8f813f61e
SHA1: 20208a75c7c370bc2a0bf36fa3003eb8ea690aea
SHA256: 8aa801d4f61c232eeb0b315ef960423059dd6f2276a4e9912313b8ff4399eaa7
SHA512: b5dc83f882f662f9469c4be3b39ba6a2d5344f67c85da9952947535dceb8d54e48926ed95b2adddb66de6d49b71b50e34bc161c23ded0cc535ebeff601b2a379
-
Filesize: 727B
MD5: a9f7f6f135657dd13e62e8d4305683ac
SHA1: 092bbd9563e5dad679d8098d058eea0431654b25
SHA256: c85b7ae082ac0fd2883f890ff3a81d5ce638e78732872264ba61c871653885db
SHA512: 547222653c37c045af04c1871f5050fbf0b26958ed0aa5a073c6ef2a4224ccd83dbd28d286301cb0de84663d6fa0ec081ee35ed0bf001521a4f50589ca234828
-
Filesize: 727B
MD5: 1771326029e08d890f137cb3823b37ae
SHA1: 2b90a83128fe95d45a535824a7d44fb6a2bba0b3
SHA256: 0c0980cbf6d04742dc5f59dfbdfd84224bdd81a43843c80c8d049567a272040a
SHA512: 12c147535ec289002eaa47ecbde4cfbf500b59005e1468dc8d2163d61831caf13811802f37a9e38cac695ef98422ca5210f8e21496263463fa0fa59c958883e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 87879bfc037e4d31bbc4309bec1d430f
SHA1: 33d379a1946874cf41eb86cd508a6a73ce52c307
SHA256: 62da0975e1527a9973e1e3504cf89a44cca5b0dc76060a7e9dfe288386afd2ac
SHA512: b70378282a1e1146009fd013b50179040f6557baa42365bc4e01dbd46a00e10ae9710d98863c84355bed0ca4419298ef49745b248ea636109afdcaa16301a703