Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2024 10:12
Static task
static1
Behavioral task
behavioral1
Sample
76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Resource
win7-20240903-en
General
-
Target
76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
-
Size
4.9MB
-
MD5
0f75edb514278b6e45793f61c9a91a50
-
SHA1
e767580f580339a4b7091fc105ffebfbb7d00f03
-
SHA256
76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c
-
SHA512
940e37f693ea83fcf991acdf85ffc3bb50b880c8f9ffe3cb4d7420651b9973f1bfd9d16d36e0ee0eaa08ad0d1f0b6da75e56e856e55a6ce6aeff4915c291f0ed
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2336 2072 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 2072 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3700 2072 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2248 2072 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4192 2072 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 2072 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4760 2072 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4884 2072 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 448 2072 schtasks.exe 87 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe -
resource yara_rule behavioral2/memory/2760-2-0x000000001B970000-0x000000001BA9E000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2916 powershell.exe 3320 powershell.exe 4160 powershell.exe 2140 powershell.exe 740 powershell.exe 400 powershell.exe 3716 powershell.exe 3796 powershell.exe 4544 powershell.exe 2484 powershell.exe 1372 powershell.exe -
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation explorer.exe -
Executes dropped EXE 50 IoCs
pid Process 4828 tmpAAEA.tmp.exe 1828 tmpAAEA.tmp.exe 1664 tmpAAEA.tmp.exe 5308 explorer.exe 5724 tmpD13A.tmp.exe 5796 tmpD13A.tmp.exe 5916 explorer.exe 1764 tmpEE57.tmp.exe 2336 tmpEE57.tmp.exe 2112 tmpEE57.tmp.exe 4000 explorer.exe 3532 tmpAE8.tmp.exe 2592 tmpAE8.tmp.exe 1936 explorer.exe 4880 tmp3CC6.tmp.exe 4356 tmp3CC6.tmp.exe 5292 explorer.exe 5792 tmp5B1B.tmp.exe 5472 tmp5B1B.tmp.exe 5860 explorer.exe 4712 tmp8D18.tmp.exe 6024 tmp8D18.tmp.exe 5160 explorer.exe 1584 tmpAA06.tmp.exe 5060 tmpAA06.tmp.exe 2752 explorer.exe 3908 tmpDB77.tmp.exe 2400 tmpDB77.tmp.exe 1952 explorer.exe 5596 tmpAE3.tmp.exe 5808 tmpAE3.tmp.exe 5556 explorer.exe 2248 tmp282F.tmp.exe 2416 tmp282F.tmp.exe 988 explorer.exe 4156 tmp5828.tmp.exe 4648 tmp5828.tmp.exe 2128 explorer.exe 5652 tmp87D4.tmp.exe 4520 tmp87D4.tmp.exe 2724 tmp87D4.tmp.exe 5804 explorer.exe 4584 tmpA464.tmp.exe 6016 tmpA464.tmp.exe 4752 explorer.exe 5184 tmpC181.tmp.exe 6104 tmpC181.tmp.exe 5332 tmpC181.tmp.exe 5728 tmpC181.tmp.exe 5644 explorer.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe -
Suspicious use of SetThreadContext 15 IoCs
description pid Process procid_target PID 1828 set thread context of 1664 1828 tmpAAEA.tmp.exe 103 PID 5724 set thread context of 5796 5724 tmpD13A.tmp.exe 138 PID 2336 set thread context of 2112 2336 tmpEE57.tmp.exe 145 PID 3532 set thread context of 2592 3532 tmpAE8.tmp.exe 151 PID 4880 set thread context of 4356 4880 tmp3CC6.tmp.exe 160 PID 5792 set thread context of 5472 5792 tmp5B1B.tmp.exe 166 PID 4712 set thread context of 6024 4712 tmp8D18.tmp.exe 172 PID 1584 set thread context of 5060 1584 tmpAA06.tmp.exe 179 PID 3908 set thread context of 2400 3908 tmpDB77.tmp.exe 185 PID 5596 set thread context of 5808 5596 tmpAE3.tmp.exe 191 PID 2248 set thread context of 2416 2248 tmp282F.tmp.exe 199 PID 4156 set thread context of 4648 4156 tmp5828.tmp.exe 211 PID 4520 set thread context of 2724 4520 tmp87D4.tmp.exe 218 PID 4584 set thread context of 6016 4584 tmpA464.tmp.exe 224 PID 5332 set thread context of 5728 5332 tmpC181.tmp.exe 235 -
Drops file in Program Files directory 12 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\explorer.exe 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\spoolsv.exe 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File created C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File opened for modification C:\Program Files\Google\Chrome\Application\RCXA5E6.tmp 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File opened for modification C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File created C:\Program Files\Google\Chrome\Application\explorer.exe 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File created C:\Program Files\Google\Chrome\Application\7a0fd90576e088 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\f3b6ecef712a24 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File created C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RCXA7FA.tmp 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\uk-UA\spoolsv.exe 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe File opened for modification C:\Program Files (x86)\Windows Mail\RCXAA7B.tmp 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpEE57.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpDB77.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp5828.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp87D4.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp87D4.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpA464.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpC181.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpAAEA.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpAE8.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp3CC6.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp5B1B.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp8D18.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpAE3.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp282F.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpD13A.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpEE57.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpAA06.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpC181.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpC181.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpAAEA.tmp.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4192 schtasks.exe 2532 schtasks.exe 448 schtasks.exe 2336 schtasks.exe 2248 schtasks.exe 4760 schtasks.exe 4884 schtasks.exe 2752 schtasks.exe 3700 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 61 IoCs
pid Process 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 2140 powershell.exe 2140 powershell.exe 4544 powershell.exe 4544 powershell.exe 400 powershell.exe 400 powershell.exe 3716 powershell.exe 3716 powershell.exe 3796 powershell.exe 3796 powershell.exe 2484 powershell.exe 2484 powershell.exe 740 powershell.exe 740 powershell.exe 4160 powershell.exe 4160 powershell.exe 3320 powershell.exe 3320 powershell.exe 1372 powershell.exe 1372 powershell.exe 3796 powershell.exe 2916 powershell.exe 2916 powershell.exe 4544 powershell.exe 400 powershell.exe 2140 powershell.exe 2140 powershell.exe 4160 powershell.exe 3716 powershell.exe 740 powershell.exe 2484 powershell.exe 3320 powershell.exe 1372 powershell.exe 2916 powershell.exe 5308 explorer.exe 5916 explorer.exe 4000 explorer.exe 1936 explorer.exe 5292 explorer.exe 5860 explorer.exe 5160 explorer.exe 2752 explorer.exe 1952 explorer.exe 5556 explorer.exe 988 explorer.exe 988 explorer.exe 2128 explorer.exe 2128 explorer.exe 5804 explorer.exe 5804 explorer.exe 4752 explorer.exe 4752 explorer.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Token: SeDebugPrivilege 2140 powershell.exe Token: SeDebugPrivilege 3796 powershell.exe Token: SeDebugPrivilege 4544 powershell.exe Token: SeDebugPrivilege 3320 powershell.exe Token: SeDebugPrivilege 400 powershell.exe Token: SeDebugPrivilege 3716 powershell.exe Token: SeDebugPrivilege 4160 powershell.exe Token: SeDebugPrivilege 2484 powershell.exe Token: SeDebugPrivilege 740 powershell.exe Token: SeDebugPrivilege 1372 powershell.exe Token: SeDebugPrivilege 2916 powershell.exe Token: SeDebugPrivilege 5308 explorer.exe Token: SeDebugPrivilege 5916 explorer.exe Token: SeDebugPrivilege 4000 explorer.exe Token: SeDebugPrivilege 1936 explorer.exe Token: SeDebugPrivilege 5292 explorer.exe Token: SeDebugPrivilege 5860 explorer.exe Token: SeDebugPrivilege 5160 explorer.exe Token: SeDebugPrivilege 2752 explorer.exe Token: SeDebugPrivilege 1952 explorer.exe Token: SeDebugPrivilege 5556 explorer.exe Token: SeDebugPrivilege 988 explorer.exe Token: SeDebugPrivilege 2128 explorer.exe Token: SeDebugPrivilege 5804 explorer.exe Token: SeDebugPrivilege 4752 explorer.exe Token: SeDebugPrivilege 5644 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2760 wrote to memory of 4828 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 100 PID 2760 wrote to memory of 4828 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 100 PID 2760 wrote to memory of 4828 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 100 PID 4828 wrote to memory of 1828 4828 tmpAAEA.tmp.exe 102 PID 4828 wrote to memory of 1828 4828 tmpAAEA.tmp.exe 102 PID 4828 wrote to memory of 1828 4828 tmpAAEA.tmp.exe 102 PID 1828 wrote to memory of 1664 1828 tmpAAEA.tmp.exe 103 PID 1828 wrote to memory of 1664 1828 tmpAAEA.tmp.exe 103 PID 1828 wrote to memory of 1664 1828 tmpAAEA.tmp.exe 103 PID 1828 wrote to memory of 1664 1828 tmpAAEA.tmp.exe 103 PID 1828 wrote to memory of 1664 1828 tmpAAEA.tmp.exe 103 PID 1828 wrote to memory of 1664 1828 tmpAAEA.tmp.exe 103 PID 1828 wrote to memory of 1664 1828 tmpAAEA.tmp.exe 103 PID 2760 wrote to memory of 2916 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 105 PID 2760 wrote to memory of 2916 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 105 PID 2760 wrote to memory of 3320 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 106 PID 2760 wrote to memory of 3320 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 106 PID 2760 wrote to memory of 3716 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 107 PID 2760 wrote to memory of 3716 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 107 PID 2760 wrote to memory of 3796 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 108 PID 2760 wrote to memory of 3796 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 108 PID 2760 wrote to memory of 4544 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 109 PID 2760 wrote to memory of 4544 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 109 PID 2760 wrote to memory of 2484 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 110 PID 2760 wrote to memory of 2484 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 110 PID 2760 wrote to memory of 4160 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 111 PID 2760 wrote to memory of 4160 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 111 PID 2760 wrote to memory of 2140 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 112 PID 2760 wrote to memory of 2140 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 112 PID 2760 wrote to memory of 400 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 113 PID 2760 wrote to memory of 400 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 113 PID 2760 wrote to memory of 1372 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 114 PID 2760 wrote to memory of 1372 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 114 PID 2760 wrote to memory of 740 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 115 PID 2760 wrote to memory of 740 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 115 PID 2760 wrote to memory of 2824 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 126 PID 2760 wrote to memory of 2824 2760 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe 126 PID 2824 wrote to memory of 5004 2824 cmd.exe 129 PID 2824 wrote to memory of 5004 2824 cmd.exe 129 PID 2824 wrote to memory of 5308 2824 cmd.exe 131 PID 2824 wrote to memory of 5308 2824 cmd.exe 131 PID 5308 wrote to memory of 5576 5308 explorer.exe 134 PID 5308 wrote to memory of 5576 5308 explorer.exe 134 PID 5308 wrote to memory of 5632 5308 explorer.exe 135 PID 5308 wrote to memory of 5632 5308 explorer.exe 135 PID 5308 wrote to memory of 5724 5308 explorer.exe 136 PID 5308 wrote to memory of 5724 5308 explorer.exe 136 PID 5308 wrote to memory of 5724 5308 explorer.exe 136 PID 5724 wrote to memory of 5796 5724 tmpD13A.tmp.exe 138 PID 5724 wrote to memory of 5796 5724 tmpD13A.tmp.exe 138 PID 5724 wrote to memory of 5796 5724 tmpD13A.tmp.exe 138 PID 5724 wrote to memory of 5796 5724 tmpD13A.tmp.exe 138 PID 5724 wrote to memory of 5796 5724 tmpD13A.tmp.exe 138 PID 5724 wrote to memory of 5796 5724 tmpD13A.tmp.exe 138 PID 5724 wrote to memory of 5796 5724 tmpD13A.tmp.exe 138 PID 5576 wrote to memory of 5916 5576 WScript.exe 139 PID 5576 wrote to memory of 5916 5576 WScript.exe 139 PID 5916 wrote to memory of 6044 5916 explorer.exe 140 PID 5916 wrote to memory of 6044 5916 explorer.exe 140 PID 5916 wrote to memory of 6124 5916 explorer.exe 141 PID 5916 wrote to memory of 6124 5916 explorer.exe 141 PID 5916 wrote to memory of 1764 5916 explorer.exe 142 PID 5916 wrote to memory of 1764 5916 explorer.exe 142 PID 5916 wrote to memory of 1764 5916 explorer.exe 142 -
System policy modification 1 TTPs 45 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe"C:\Users\Admin\AppData\Local\Temp\76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"4⤵
- Executes dropped EXE
PID:1664
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xi7FenmHsd.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:5004
-
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5308 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e91bb5f-e328-4384-903e-7e6bf8361b67.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:5576 -
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5916 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2c3a375-ca87-4599-a1a8-41089fd534ec.vbs"6⤵PID:6044
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4000 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5427b14e-896f-4d28-8bca-a5a4bd3c11b8.vbs"8⤵PID:2948
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1936 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e0b14e-735c-4c2a-86c2-887058af74cd.vbs"10⤵PID:400
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5292 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9491b077-0523-497e-b330-298a446e57f6.vbs"12⤵PID:5544
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5860 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83119fff-861e-4724-9a45-2f4184c003bb.vbs"14⤵PID:5584
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5160 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2037fa93-8e4f-48de-a294-3ed81bc3e9cc.vbs"16⤵PID:5080
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2752 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06dfbdec-0f9b-463f-94d0-16a526ddd7dc.vbs"18⤵PID:2340
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1952 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\102146ad-83b7-47cc-90b0-331e6ad2ae9e.vbs"20⤵PID:3656
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5556 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4082c60-fde2-40e2-a3d3-225028507538.vbs"22⤵PID:4052
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:988 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3719f978-3d46-4c3f-b52c-3d1a05a82229.vbs"24⤵PID:4992
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2128 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8854e62-b9a2-4dfa-810a-2a618e969717.vbs"26⤵PID:860
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5804 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec57453-2232-4ef9-b2b8-2541824b544f.vbs"28⤵PID:1556
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4752 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3774793-1d2d-486f-beda-1f05f7bf3f1a.vbs"30⤵PID:968
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5644
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cda4976c-801d-4777-9934-920850a24af8.vbs"30⤵PID:6100
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5184 -
C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6104 -
C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"32⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5332 -
C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"33⤵
- Executes dropped EXE
PID:5728
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d18ee60-71a1-4b92-b499-bdfd256fb580.vbs"28⤵PID:2968
-
-
C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp.exe"28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp.exe"29⤵
- Executes dropped EXE
PID:6016
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd7b9689-b61a-418b-b461-286d8a3ea0fc.vbs"26⤵PID:4628
-
-
C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5652 -
C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"28⤵
- Executes dropped EXE
PID:2724
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df95298f-b7e4-4aac-be4b-4109b32eaec9.vbs"24⤵PID:4764
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5828.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5828.tmp.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\tmp5828.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5828.tmp.exe"25⤵
- Executes dropped EXE
PID:4648
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07c015ea-206c-471d-9432-523512c2df93.vbs"22⤵PID:4116
-
-
C:\Users\Admin\AppData\Local\Temp\tmp282F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp282F.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\tmp282F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp282F.tmp.exe"23⤵
- Executes dropped EXE
PID:2416
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\916bab3d-5b86-44de-aabb-169d05574e5c.vbs"20⤵PID:1400
-
-
C:\Users\Admin\AppData\Local\Temp\tmpAE3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAE3.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5596 -
C:\Users\Admin\AppData\Local\Temp\tmpAE3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAE3.tmp.exe"21⤵
- Executes dropped EXE
PID:5808
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5a86ce4-6ca9-4cc8-9a76-a0c963a88d94.vbs"18⤵PID:1628
-
-
C:\Users\Admin\AppData\Local\Temp\tmpDB77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDB77.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\tmpDB77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDB77.tmp.exe"19⤵
- Executes dropped EXE
PID:2400
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e062d9-0bf0-4a39-be42-41c534385743.vbs"16⤵PID:2384
-
-
C:\Users\Admin\AppData\Local\Temp\tmpAA06.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAA06.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\tmpAA06.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAA06.tmp.exe"17⤵
- Executes dropped EXE
PID:5060
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd4c0bed-4aba-4233-ac2f-6aeb9377e5cc.vbs"14⤵PID:6020
-
-
C:\Users\Admin\AppData\Local\Temp\tmp8D18.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8D18.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\tmp8D18.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8D18.tmp.exe"15⤵
- Executes dropped EXE
PID:6024
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4948718-e310-4c8a-bb3d-ac20b2facb1e.vbs"12⤵PID:5684
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5792 -
C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe"13⤵
- Executes dropped EXE
PID:5472
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\082fe04a-a0ce-4016-8523-70dc7ac3484f.vbs"10⤵PID:4064
-
-
C:\Users\Admin\AppData\Local\Temp\tmp3CC6.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3CC6.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\tmp3CC6.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3CC6.tmp.exe"11⤵
- Executes dropped EXE
PID:4356
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c01f973-bcb1-4fae-b73b-fa80950a63e8.vbs"8⤵PID:3832
-
-
C:\Users\Admin\AppData\Local\Temp\tmpAE8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAE8.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Users\Admin\AppData\Local\Temp\tmpAE8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAE8.tmp.exe"9⤵
- Executes dropped EXE
PID:2592
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f3717a6-9e30-4213-b12e-5ad881720207.vbs"6⤵PID:6124
-
-
C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"8⤵
- Executes dropped EXE
PID:2112
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1ae418c-db24-429f-9ba6-3b0673adce6d.vbs"4⤵PID:5632
-
-
C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5724 -
C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp.exe"5⤵
- Executes dropped EXE
PID:5796
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD50f75edb514278b6e45793f61c9a91a50
SHA1e767580f580339a4b7091fc105ffebfbb7d00f03
SHA25676788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c
SHA512940e37f693ea83fcf991acdf85ffc3bb50b880c8f9ffe3cb4d7420651b9973f1bfd9d16d36e0ee0eaa08ad0d1f0b6da75e56e856e55a6ce6aeff4915c291f0ed
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
944B
MD5e448fe0d240184c6597a31d3be2ced58
SHA1372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA5120b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
-
Filesize
731B
MD55a7c0aa3dd88cb6544324a04980e0106
SHA146d909bff36894df3e34ab959b5816e1d971e6a2
SHA256050bf8358cc2a5668c17f2bf206693304710b642ff0ed376e4396f1cceab966a
SHA5129743c07c1bf5bb6922a218ee7103673eb84c7251684963f0183539f4ffa8d25986292d081b202532b43ec725dee871f7a5f768cc3052611cf964cf16f25d62ef
-
Filesize
731B
MD5a44c48a954271a3963c913cda5607c28
SHA1e7642bf080d329d356d54241ee1076ebeaeb7739
SHA2563d923bfba01883b2d5663f3476e215ec6b875acdbacf6e2b7bdb30f28f18f6b1
SHA5121a23df2447610281665ae68261e21e98b65a73cd57b9792ac31f07c8eec325defce22b14006b5107b983a3c85833c9f9821b8bfd38cf1c69ee081e155549a7f5
-
Filesize
731B
MD57c34519ead67637d2619da35adbf98d0
SHA138915fc14ff672564be67f6c748c644c0b23fe0a
SHA256f9190a22b2f0ee6efc13214ff3a6a849ead4c4dfbfb20ffc3e52c8e7ed6df9bf
SHA5128365f55fb3a3eb7fdac0adf02490fae14ce51293c326a4fc275740d554f294691e65f32ac682e21cfcdc954ab6237bd5bae50023715d3d1878413221630c8f6e
-
Filesize
731B
MD5449ef36c755438fc246f0e22049d01bb
SHA182a008ef8848c0bc21f6436c01dcfb57951f1aec
SHA2563b31acc7882ad7f1fd740f0c198eaefa0f817443e833443a688f6e7322cb296a
SHA5121c292977d80c8c3fbb6874812c05031acd0cf4e3e1879fa8c9ada910f7b2b1a7054d39c6ce2e3da70fb46d686a63d357ab371ae923a4ca69465cde5f92f049bd
-
Filesize
731B
MD55471433057771fc3f37bd07ce633c2f6
SHA14a322959ea6554f58840fcd09987185149fe295f
SHA2563ae5acc67d0044663ef58b9875f672ffab8938e9f3817556b8eccf45c438de5f
SHA512db08676259ff465c5e2051bab4bb4af1dd76ca336945d1ac4daf2d123e655e0c3f3dfa4ba428185f30f3e9aa310a4a3bb0abaaa623944f10d738bc2e5e0241b5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
731B
MD5ed12cbd899eab85b51d7508870172b0f
SHA1cc62833ea34b03f243d4e4ddb1a78589ac5b261e
SHA256d8a4770d7f226b8e4da664b0d0a5c70494b0f7abfaaed899ad777f9860976352
SHA512b130eaed5d6008920b76bda6ab88c1f3775ab43337fe0ab4577ae87637a11f150ef590a63825866b5f40e341689ad48a993033fbdfb2bf06c6e03fe68345ed28
-
Filesize
507B
MD5133800af645f19ed37ad882ce2df38a1
SHA15f4f67e5e8dcf20aee0c83d603a59b04e762cf16
SHA2563a514de7addf3c6a97d9c05f31c9cf52ee7e2a64c3b13d79dc61893756d5d6ea
SHA512fcf06ebe7853d7408e1cb368cb848630a4b67223209e0f1651a942e59e9e022970401671eee167128a33ecb98c9b976259dbf8b6223bc551cbb36a74dc416eb3
-
Filesize
731B
MD595497f5a95dcab972aaf7721859ec545
SHA11642e7ba702f4243ead7a5179d2c21ecc48bbb56
SHA256c07aa18eaf06e0a09b5cd68fbdd5655e001d6175210e807f49647bc751a307cc
SHA512c5acb5e485cdc9034d2f5cdc0966190c41a905317c358108bc82fbfc8283a01754e23648e1802bac4ed3a187639cd1059b3656b0af4f200fa3f32a4bcd1f011a
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
220B
MD5154ca8b69c99a4c558915332de2e4de9
SHA13b59234d142c98081efea898c6c26ec7a5d54f0d
SHA256d0176d000d6e5122cb5d6ab1f5e70de5c5807501e40e395eec05d9c9938a3676
SHA5128ba0e6b6ad107ddfa60faac50eaccf04a370d0b6a9675999dcabf78262a9786410faa6514ca082321dd70ca280b5dc969fab9674792177b6e08466d010ddbdcc