Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 05:45
Behavioral task: behavioral1
Sample: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Resource: win10v2004-20240426-en
General
Target: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Size: 2.7MB
MD5: a78d0c51cca6fcf4a6ef0c33e5fd0bd4
SHA1: 5768a7cf4aeed1327d64087f55fc6fba34f817fd
SHA256: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8
SHA512: a3d3c48766afe5890562f0e86f5c44bf62beefebcf8f87dfc5065ba53ecae6cb8f9e4f441ac87ec5359170c08792fc784e9187366cb7c9a64fc6eb4c90e250c5
SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence (2 TTPs, 18 IoCs)
Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe, smss.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Processes:
resource | yara_rule
behavioral2/memory/3652-1-0x0000000000700000-0x00000000009C0000-memory.dmp | dcrat
C:\Program Files\Windows Multimedia Platform\taskhostw.exe | dcrat
C:\Program Files\Windows Multimedia Platform\taskhostw.exe | dcrat
C:\Program Files\Windows Portable Devices\RCX883A.tmp | dcrat
C:\Program Files (x86)\Windows Defender\de-DE\RCX8CD0.tmp | dcrat
Detects executables packed with SmartAssembly (8 IoCs)
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Executes dropped EXE (1 IoC)
Processes: smss.exe
pid | process
4824 | smss.exe
Adds Run key to start application (2 TTPs, 36 IoCs)
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe, smss.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
-
Drops file in System32 directory 4 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
description | ioc (process is fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe for every row)
File opened for modification | C:\Windows\SysWOW64\tr-TR\smss.exe
File created | C:\Windows\SysWOW64\tr-TR\smss.exe
File created | C:\Windows\SysWOW64\tr-TR\69ddcba757bf72
File opened for modification | C:\Windows\SysWOW64\tr-TR\RCX7D19.tmp
-
Drops file in Program Files directory 24 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
description | ioc (process is fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe for every row)
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\OfficeClickToRun.exe
File created | C:\Program Files\Windows Portable Devices\RuntimeBroker.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\RCX7276.tmp
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX76FC.tmp
File created | C:\Program Files\Windows Multimedia Platform\taskhostw.exe
File created | C:\Program Files\Windows Multimedia Platform\ea9f0e6c9e2dcd
File opened for modification | C:\Program Files\Windows Portable Devices\RCX883A.tmp
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\e6c9b481da804f
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\OfficeClickToRun.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\e6c9b481da804f
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe
File opened for modification | C:\Program Files\Internet Explorer\RCX6DE0.tmp
File opened for modification | C:\Program Files\Windows Multimedia Platform\taskhostw.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe
File created | C:\Program Files\Internet Explorer\dllhost.exe
File created | C:\Program Files\Internet Explorer\5940a34987c991
File created | C:\Program Files (x86)\Windows Defender\de-DE\6cb0b6c459d5d3
File opened for modification | C:\Program Files\Internet Explorer\dllhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\RCX7F9B.tmp
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RuntimeBroker.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\RCX8CD0.tmp
File created | C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9
File created | C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe
-
Drops file in Windows directory 26 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
description | ioc (process is fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe for every row)
File opened for modification | C:\Windows\Prefetch\RCX7901.tmp
File opened for modification | C:\Windows\Prefetch\ReadyBoot\dllhost.exe
File created | C:\Windows\es-ES\RuntimeBroker.exe
File created | C:\Windows\L2Schemas\5b884080fd4f94
File created | C:\Windows\ServiceState\SearchApp.exe
File created | C:\Windows\INF\ESENT\0410\29c1c3cc0f7685
File opened for modification | C:\Windows\L2Schemas\fontdrvhost.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-wwanhc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_13e36a069156ad7d\sihost.exe
File created | C:\Windows\Prefetch\ReadyBoot\5940a34987c991
File created | C:\Windows\Prefetch\5940a34987c991
File opened for modification | C:\Windows\Sun\RCX74F7.tmp
File opened for modification | C:\Windows\INF\ESENT\0410\unsecapp.exe
File created | C:\Windows\Sun\backgroundTaskHost.exe
File opened for modification | C:\Windows\Sun\backgroundTaskHost.exe
File opened for modification | C:\Windows\Prefetch\ReadyBoot\RCX8421.tmp
File created | C:\Windows\Prefetch\ReadyBoot\dllhost.exe
File opened for modification | C:\Windows\Prefetch\dllhost.exe
File opened for modification | C:\Windows\L2Schemas\RCX7B05.tmp
File opened for modification | C:\Windows\es-ES\RuntimeBroker.exe
File created | C:\Windows\INF\ESENT\0410\unsecapp.exe
File opened for modification | C:\Windows\INF\ESENT\0410\RCX8636.tmp
File created | C:\Windows\es-ES\9e8d7a4ca61bd9
File created | C:\Windows\Prefetch\dllhost.exe
File created | C:\Windows\L2Schemas\fontdrvhost.exe
File opened for modification | C:\Windows\es-ES\RCX8ED5.tmp
File created | C:\Windows\Sun\eddb19405b7ce1
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (54 instances)
pid | process (every row is schtasks.exe)
3400, 3488, 4208, 3304, 700, 1676, 4392, 2264, 1832, 4168, 1160, 1340, 960, 1232, 844, 4008, 2500, 1708, 1936, 1904, 1044, 3336, 4912, 4360, 5076, 2200, 2768, 4808, 4888, 3200, 3504, 2140, 2188, 4260, 980, 1632, 1396, 932, 3620, 2304, 2980, 4576, 4472, 1808, 3920, 4680, 4512, 5028, 1536, 2472, 4804, 3992, 2316, 448
-
Modifies registry class 1 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
pid | process
3652 | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe, powershell.exe, smss.exe
description | pid | process
Token: SeDebugPrivilege | 3652 | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Token: SeDebugPrivilege | 1792 | powershell.exe
Token: SeDebugPrivilege | 4824 | smss.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
description | pid | process | target process
PID 3652 wrote to memory of 1792 | 3652 | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe | powershell.exe
PID 3652 wrote to memory of 1792 | 3652 | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe | powershell.exe
PID 3652 wrote to memory of 4824 | 3652 | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe | smss.exe
PID 3652 wrote to memory of 4824 | 3652 | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe | smss.exe
-
System policy modification 1 TTPs 6 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe, smss.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
"C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3652 -
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1792 -
2⤵ C:\Users\Public\Pictures\smss.exe
"C:\Users\Public\Pictures\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4824
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Sun\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\tr-TR\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SysWOW64\tr-TR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\tr-TR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ESENT\0410\unsecapp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\INF\ESENT\0410\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\ESENT\0410\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SearchApp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920
-
1⤵ C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Downloads
-
Filesize
2.7MB
MD5 d9d7acdb9a142121002743b6c8bd0013
SHA1 7507f0bda7b154909e200e09663fa6803cd9a683
SHA256 8d0096b8474c1fb7057138178fb291fad8695c9af18032e909010e13decedad1
SHA512 6a1d3ddad6d46c155932cb347febf87e0e25661fd6ca233754763ce2ee22d63fe6f0b15482a7a7c21521469d604f5dc26ab5104fd88f34a1d6911eb52f5d8d87
-
Filesize
2.7MB
MD5 a78d0c51cca6fcf4a6ef0c33e5fd0bd4
SHA1 5768a7cf4aeed1327d64087f55fc6fba34f817fd
SHA256 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8
SHA512 a3d3c48766afe5890562f0e86f5c44bf62beefebcf8f87dfc5065ba53ecae6cb8f9e4f441ac87ec5359170c08792fc784e9187366cb7c9a64fc6eb4c90e250c5
-
Filesize
2.7MB
MD5 d0580b07a083f3b0a350986d0d202165
SHA1 8a313d2fb6010c166a7972cb06d6513726166274
SHA256 c21adfaa96108fa3ad0618cca8b46e26c75ad78681681d78ea25db512d53a624
SHA512 fd4b662dd5b8bc69ae046bbe879b3686d0dfffa575fe6ff4d0b41cacee5c26fcf90d14641d4cdabaf97509cce081bdd724684c365a5eaa5701981910b471f728
-
Filesize
2.7MB
MD5 04479fcb901e1acb9718e457d95a13a2
SHA1 c3eec52ef48f4434e709e09b9151a98b01dcad20
SHA256 2793f19a919c52ff7426d61a06499295b767a26e0a7e2779ba920a078b311cd7
SHA512 5f80cab96c262f7168674da3fef9cd63c8497088adbc26e6ffffd1efd6e84f7f6aaa5ecc472bf05fa6c630c1b623005160affddc31a70c3afc189fe32a1dbb56
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82