Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 05:23
Behavioral task: behavioral1
Sample: fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
Resource: win7-20240221-en
General
Target: fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
Size: 3.2MB
MD5: 438789fc2753a3a41d1704542bf93769
SHA1: 81a6c969c14fc47a15d2574cfb63dee2cbcbf12c
SHA256: fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2
SHA512: c2ae311e1d852759bcfcc3ad0d0daac2e702a8f95065ce71f6eb104d116cadcbacb6b775c0b646d5f57ec1d2463d3c1749803b1416caa75de5b30a03430e329c
SSDEEP: 98304:2smfE8eD0M782w1JSdvi199xP9/ecsFjPSz:2QNBY2S99xl
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 920 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3976 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3524 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2076 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 892 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3624 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1540 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4068 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3284 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4560 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5112 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1464 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4500 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3380 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4672 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 816 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2324 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1700 | 4184 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1032 | 4184 | schtasks.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe (15 occurrences)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe (15 occurrences)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe (15 occurrences)
Processes:
resource | yara_rule
behavioral2/memory/3452-1-0x0000000000840000-0x0000000000B7C000-memory.dmp | dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe | dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe | dcrat
C:\Recovery\WindowsRE\smss.exe | dcrat
C:\Users\Admin\AppData\Local\Temp\4915170ccee1a4e10bf6f9f05322c0d4553d6be0.exe | dcrat
Detects executables packed with SmartAssembly 8 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3452-9-0x000000001BDF0000-0x000000001BE00000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3452-13-0x000000001BE80000-0x000000001BE8A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3452-21-0x000000001BF50000-0x000000001BF5C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3452-22-0x000000001BF60000-0x000000001BF6C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3452-24-0x000000001BF90000-0x000000001BF9C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3452-30-0x000000001C1E0000-0x000000001C1EC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3452-26-0x000000001C2B0000-0x000000001C2BA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3452-33-0x000000001C240000-0x000000001C24A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
2600 | powershell.exe
2112 | powershell.exe
4904 | powershell.exe
1980 | powershell.exe
1856 | powershell.exe
3976 | powershell.exe
2296 | powershell.exe
920 | powershell.exe
3944 | powershell.exe
4212 | powershell.exe
2768 | powershell.exe
Checks computer location settings 2 TTPs 15 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe (15 occurrences)
Executes dropped EXE 14 IoCs
Processes:
pid | process
4080 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
1492 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
1540 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
3296 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
400 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
1552 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
1752 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
2448 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
1700 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
524 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
1460 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
4776 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
3296 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
4500 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe (15 occurrences)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe (15 occurrences)
Drops file in Program Files directory 6 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\55b276f4edf653 | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
File created | C:\Program Files\ModifiableWindowsApps\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\RCX4ADA.tmp | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\RCX4ADB.tmp | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
File created | C:\Windows\Offline Web Pages\9dc782f1c4282e | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
File opened for modification | C:\Windows\Offline Web Pages\RCX54A6.tmp | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
File opened for modification | C:\Windows\Offline Web Pages\RCX54A7.tmp | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
File opened for modification | C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3524 | schtasks.exe
3624 | schtasks.exe
4560 | schtasks.exe
1700 | schtasks.exe
1992 | schtasks.exe
2060 | schtasks.exe
4500 | schtasks.exe
4672 | schtasks.exe
2324 | schtasks.exe
3380 | schtasks.exe
816 | schtasks.exe
920 | schtasks.exe
3976 | schtasks.exe
2076 | schtasks.exe
892 | schtasks.exe
2640 | schtasks.exe
3284 | schtasks.exe
1032 | schtasks.exe
1552 | schtasks.exe
1540 | schtasks.exe
4068 | schtasks.exe
5112 | schtasks.exe
1464 | schtasks.exe
776 | schtasks.exe
Modifies registry class 14 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe (14 occurrences)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 26 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 45 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe "C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3452
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3944
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:920
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
  C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe "C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4080
    C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94b9ac9d-f132-4d58-9ecb-ec50f858cd71.vbs"
      - Suspicious use of WriteProcessMemory
      PID:3748
      C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe "C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:1492
        C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\748fa5cc-c786-4068-9469-39034a9fc335.vbs"
          - Suspicious use of WriteProcessMemory
          PID:1524
          C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe "C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
            - UAC bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID:1540
            C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a5d2af0-8211-4e8d-90bf-c8bf40b0788b.vbs"
              - Suspicious use of WriteProcessMemory
              PID:704
              C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe "C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
                - UAC bypass
                - Checks computer location settings
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID:3296
                C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87e2794b-aefb-47b4-9fc3-3c4adc76c8f8.vbs"
                  - Suspicious use of WriteProcessMemory
                  PID:2620
                  C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe "C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
                    - UAC bypass
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Checks whether UAC is enabled
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    - System policy modification
                    PID:400
                    C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633a59a5-8277-42e2-9a2c-0801d19472e8.vbs"
                      - Suspicious use of WriteProcessMemory
                      PID:432
                      C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe "C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
                        - UAC bypass
                        - Checks computer location settings
                        - Executes dropped EXE
                        - Checks whether UAC is enabled
                        - Modifies registry class
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        - System policy modification
                        PID:1552
                        C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6115834b-1760-4d3e-bcb4-d1c3d2a213ef.vbs"
                          - Suspicious use of WriteProcessMemory
                          PID:2772
                          C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe "C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
                            - UAC bypass
                            - Checks computer location settings
                            - Executes dropped EXE
                            - Checks whether UAC is enabled
                            - Modifies registry class
                            - Suspicious use of AdjustPrivilegeToken
                            - Suspicious use of WriteProcessMemory
                            - System policy modification
                            PID:1752
                            C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa7bddee-3c78-4a61-8f55-81f010c028c5.vbs"
                              PID:4788
                              C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe "C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2448 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0bd3e5a-7c74-4fe2-9014-1170511a2778.vbs"17⤵PID:2300
-
C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1700 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6af9a5f4-26ab-4380-80c4-1e19bfb923cd.vbs"19⤵PID:3912
-
C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:524 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3151bcac-f861-4e5d-923a-3f0a07258169.vbs"21⤵PID:4204
-
C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1460 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23309f03-b20b-44ef-b564-77bdaa6286fd.vbs"23⤵PID:712
-
C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4776 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d72b2557-c752-46af-9c39-c912e5a6f26e.vbs"25⤵PID:3384
-
C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3296 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cb166df-8172-4e72-b79f-eced626f5086.vbs"27⤵PID:3552
-
C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4500 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6eba04d-9983-4f38-a586-25804533dd7c.vbs"29⤵PID:3148
-
C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"30⤵PID:4564
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d9f0946-75e1-454e-b9c0-89adc782f254.vbs"29⤵PID:1656
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a3135fe-9e62-474b-955b-d962480954a0.vbs"27⤵PID:4144
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9038a684-e8f3-4b42-b603-7017b5e3adfb.vbs"25⤵PID:1716
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69feadab-9f6a-4f04-ac8b-dcc2426839c4.vbs"23⤵PID:920
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1f10f9c-ffb4-45c2-afd4-eee2bef78270.vbs"21⤵PID:4140
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd82a305-9143-41d4-bdd4-6bc2b71597eb.vbs"19⤵PID:208
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a72c44a-71bf-48af-b189-a1f9a37d0859.vbs"17⤵PID:740
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06c3dbe2-d1e8-41d7-8452-15b47fdb8cda.vbs"15⤵PID:624
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a81244-ab1f-42db-bcbc-552e353ec3aa.vbs"13⤵PID:1992
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18638d66-21fd-409e-80d6-7d1bf10bbbd6.vbs"11⤵PID:4092
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\412dc657-5bbb-41b9-954e-2128d21e6a4e.vbs"9⤵PID:5012
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a8d8aa3-111f-43d8-a767-b82fb38cff7a.vbs"7⤵PID:1532
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d700e0af-cbb3-4724-8d34-c81ee8a7e1d4.vbs"5⤵PID:2924
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6081d05-8b05-47c0-a46d-83ba77d8c8ab.vbs"3⤵PID:1160
-
-
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 920

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3976

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3524

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2076

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 892

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1992

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3624

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1552

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1540

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4068

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2640

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3284

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4560

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5112

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1464

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2060

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4500

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3380

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2f" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 816

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4672

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2f" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2324

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 776

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1700

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1032
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads