Analysis

max time kernel: 149s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 23:04

Behavioral task: behavioral1
Sample: 5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Resource: win7-20240903-en

General

Target: 5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Size: 1.8MB
MD5: 5fe5c094a2fd1a198178aa10c5b62307
SHA1: 766b36ad58f89249728f8405b893ee104f3a8e6d
SHA256: 5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a
SHA512: c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0
SSDEEP: 49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM
Malware Config

Signatures

DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process 21 IoCs
The sandbox's generic explanation for this signature is that the parent process was compromised via an exploit or macro. That is not what is happening here: the parent is WmiPrvSE.exe, the WMI provider host, and a process created through WMI (for example Win32_Process.Create) is parented by WmiPrvSE.exe rather than by the caller. These 21 schtasks.exe launches are therefore the sample's scheduled-task creation proxied through WMI, not evidence that WmiPrvSE.exe itself was exploited. The 21 child PIDs are the same ones listed under "Scheduled Task/Job: Scheduled Task" below.

All 21 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 1028 (wmiprvse.exe), Process schtasks.exe and procid_target 86; they differ only in the child pid:

pid (schtasks.exe)
2020
1936
1916
4564
4244
516
3932
1536
1780
3984
3396
4272
2480
3148
2308
1908
2940
3944
3836
2248
3400
UAC bypass 27 IoCs
Writes 0 to the three UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: EnableLUA = 0 turns UAC off (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 makes elevation for administrators happen with no prompt, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop. Each of the three values is set once by the initial sample and once more by each of the eight dllhost.exe instances, which gives the 27 entries.

description      ioc                                                                                                 value  Process                                                                   count
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA                  "0"    5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin "0"    5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop      "0"    5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA                  "0"    dllhost.exe                                                               8
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin "0"    dllhost.exe                                                               8
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop      "0"    dllhost.exe                                                               8
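To check a host for the registry state above and put the Windows 10 defaults back, the following PowerShell (an added example, not part of the sandbox report) reads the three values, reports which ones differ from the default, and rewrites them. The default values 1/5/1 and the function names are the example's own assumptions; run it from an elevated session.

```powershell
# Added example, not part of the sandbox report. Audits the three UAC policy
# values this sample zeroes and restores the Windows 10 defaults. Run elevated.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows 10 defaults (assumed here): UAC on (1), administrators prompted for
# consent for non-Windows binaries (5), prompt shown on the secure desktop (1).
# The sample writes 0 to all three, which disables UAC and silences any
# remaining elevation prompt.
$Expected = [ordered]@{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 5
    PromptOnSecureDesktop      = 1
}

function Get-UacPolicyState {
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $value = $null
        if ($null -ne $current -and $null -ne $current.$name) { $value = [int]$current.$name }
        [pscustomobject]@{
            Name     = $name
            Current  = $value                 # $null: value absent from the key
            Expected = $Expected[$name]
            # An absent value is reported as tampered too; Restore writes the default.
            Tampered = ($value -ne $Expected[$name])
        }
    }
}

function Restore-UacPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($entry in (Get-UacPolicyState | Where-Object Tampered)) {
        $target = "$PolicyKey\$($entry.Name)"
        if ($PSCmdlet.ShouldProcess($target, "set $($entry.Current) -> $($entry.Expected)")) {
            Set-ItemProperty -Path $PolicyKey -Name $entry.Name -Value $entry.Expected -Type DWord
        }
    }
}

Get-UacPolicyState | Format-Table -AutoSize
Restore-UacPolicy -WhatIf      # report only; drop -WhatIf to apply the change
```

ConsentPromptBehaviorAdmin and PromptOnSecureDesktop take effect immediately; EnableLUA is read at logon, so a host that had it set to 0 stays without UAC until it is rebooted, and anything the malware started in the meantime already holds an unfiltered token.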
Dcrat family: YARA rule matches

resource                                                                       yara_rule
behavioral2/memory/4924-1-0x0000000000C70000-0x0000000000E3E000-memory.dmp     dcrat
behavioral2/files/0x0007000000023ca7-26.dat                                    dcrat
behavioral2/files/0x000e000000023b5d-80.dat                                    dcrat
behavioral2/memory/3312-190-0x0000000000790000-0x000000000095E000-memory.dmp   dcrat

The two memory matches are the initial sample (PID 4924) and the first dropped dllhost.exe (PID 3312), i.e. the dropped copy is the same DcRat payload, not a separate loader.
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. On this page all eight invocations are Add-MpPreference -ExclusionPath: one for the sample itself and one for each of the seven paths it copies itself to (the full command lines are in the process tree below).

pid   Process
4392  powershell.exe
3096  powershell.exe
4784  powershell.exe
1172  powershell.exe
2620  powershell.exe
1660  powershell.exe
4792  powershell.exe
2900  powershell.exe
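The following PowerShell is an added example, not code from the report or from DCRat. It lists the current Defender path exclusions, flags those that match the eight paths in this page's process tree or that name a single .exe outside System32 (an unusual shape for a legitimate exclusion, which is normally a directory or an extension), removes the flagged ones on request, and pulls the Defender Operational-log event 5007 records that show when each exclusion was added. Function names are the example's own; run it elevated.

```powershell
# Added example, not part of the sandbox report. Audit and remove the Defender
# path exclusions this sample adds, and find the log events that recorded them.
$ReportedExclusions = @(   # the eight Add-MpPreference targets from the process tree
    'C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe',
    'C:\Windows\apppatch\taskhostw.exe',
    'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe',
    'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe',
    'C:\Windows\Setup\State\taskhostw.exe',
    'C:\Users\Default User\smss.exe',
    'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe',
    'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'
)

function Get-SuspiciousDefenderExclusion {
    $pref = Get-MpPreference
    foreach ($path in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrEmpty($path)) { continue }
        # Two independent signals: an exact hit on this page's list, or an
        # exclusion that names one executable rather than a directory.
        $known = $ReportedExclusions -contains $path
        $singleExe = ($path -match '\.exe$') -and ($path -notmatch '^[A-Za-z]:\\Windows\\System32\\')
        [pscustomobject]@{
            Exclusion                = $path
            KnownIoC                 = $known
            SingleExeOutsideSystem32 = $singleExe
        }
    }
}

function Remove-SuspiciousDefenderExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $targets = Get-SuspiciousDefenderExclusion |
        Where-Object { $_.KnownIoC -or $_.SingleExeOutsideSystem32 }
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess($t.Exclusion, 'Remove-MpPreference -ExclusionPath')) {
            Remove-MpPreference -ExclusionPath $t.Exclusion
        }
    }
}

# Defender writes event 5007 ("configuration has changed") to its Operational
# log; for a path exclusion the message names Exclusions\Paths\<path>.
function Get-DefenderExclusionEvent {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message
}

Get-SuspiciousDefenderExclusion | Format-Table -AutoSize
Get-DefenderExclusionEvent | Format-List
Remove-SuspiciousDefenderExclusion -WhatIf   # drop -WhatIf to remove
```

The 5007 events are the durable evidence: the exclusion list itself can be cleaned by the attacker or by a later tool, but the Operational log keeps the timestamp of each addition, which lines up with the powershell.exe PIDs in the process tree.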
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely for geofencing.

description        ioc                                                                                                  Process                                                                   count
Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  dllhost.exe                                                               7
Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1
Executes dropped EXE 8 IoCs

pid   Process
3312  dllhost.exe
1420  dllhost.exe
4148  dllhost.exe
2508  dllhost.exe
1616  dllhost.exe
3108  dllhost.exe
648   dllhost.exe
4076  dllhost.exe
Checks whether UAC is enabled 18 IoCs
Reads HKLM\...\Policies\System\EnableLUA and then writes 0 to it. The writes are the same EnableLUA entries listed under "UAC bypass" and "System policy modification"; the reads are what this signature adds.

description        ioc                                                                                 value  Process                                                                   count
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA         5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  "0"    5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA         dllhost.exe                                                               8
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  "0"    dllhost.exe                                                               8
Drops file in Program Files directory 16 IoCs
All 16 entries are by 5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe. Four directories under Program Files (x86) each receive a copy of the payload under the name of a Windows system binary (dllhost.exe, lsass.exe, TextInputHost.exe, dwm.exe), a 14-hex-character companion file, and a transient RCX*.tmp that is opened for modification while the copy is written. None of these directories is where the genuine binary of that name lives, which makes the name/location pair a usable detection on its own.

description                   ioc
File created                  C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
File opened for modification  C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
File created                  C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991
File opened for modification  C:\Program Files (x86)\Microsoft.NET\RedistList\RCXADAC.tmp
File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6203df4a6bafc7
File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXA318.tmp
File created                  C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe
File opened for modification  C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe
File created                  C:\Program Files (x86)\Windows Multimedia Platform\22eafd247d37c3
File opened for modification  C:\Program Files (x86)\Windows Multimedia Platform\RCXA51C.tmp
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\6cb0b6c459d5d3
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXAB98.tmp
Drops file in Windows directory 9 IoCs
All 9 entries are by 5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe. The same pattern as above: two directories get a taskhostw.exe copy, a companion file (the same name, ea9f0e6c9e2dcd, in both) and an RCX*.tmp; a third gets an explorer.exe copy with no companion or temp file recorded.

description                   ioc
File created                  C:\Windows\apppatch\taskhostw.exe
File opened for modification  C:\Windows\apppatch\taskhostw.exe
File created                  C:\Windows\apppatch\ea9f0e6c9e2dcd
File opened for modification  C:\Windows\apppatch\RCXA104.tmp
File created                  C:\Windows\Setup\State\taskhostw.exe
File opened for modification  C:\Windows\Setup\State\taskhostw.exe
File created                  C:\Windows\Setup\State\ea9f0e6c9e2dcd
File opened for modification  C:\Windows\Setup\State\RCXA721.tmp
File created                  C:\Windows\ImmersiveControlPanel\uk-UA\explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 7 IoCs

description  ioc                                                                                    Process      count
Key created  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings   dllhost.exe  7
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. These 21 schtasks.exe PIDs are the same processes flagged above as unexpected children of WmiPrvSE.exe; the task names and schtasks command lines are not captured on this page, so the dropped executable paths are the only handle on what the tasks run.

pid   Process
4244  schtasks.exe
1536  schtasks.exe
1780  schtasks.exe
3984  schtasks.exe
3396  schtasks.exe
2020  schtasks.exe
4564  schtasks.exe
516   schtasks.exe
1908  schtasks.exe
3944  schtasks.exe
1916  schtasks.exe
4272  schtasks.exe
3148  schtasks.exe
3836  schtasks.exe
2248  schtasks.exe
3400  schtasks.exe
3932  schtasks.exe
2480  schtasks.exe
2308  schtasks.exe
2940  schtasks.exe
1936  schtasks.exe
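Because the page shows neither the task names nor the schtasks command lines, the practical way to find the persistence on a host is to start from the dropped executables. The following PowerShell is an added example and not part of the sandbox report: it enumerates scheduled tasks whose action runs one of the paths this sample writes or excludes, checks the Authenticode status of those files (a genuine dllhost.exe, lsass.exe or dwm.exe is Microsoft-signed and lives in System32, so an unsigned file with that name in Program Files is a masquerade), and can unregister the tasks. The path list is taken from the two "Drops file" tables and the Add-MpPreference commands on this page; function names are the example's own.

```powershell
# Added example, not part of the sandbox report. Find scheduled tasks that run
# the dropped binaries, verify those binaries, and remove the tasks on request.
$DroppedBinaries = @(   # from the "Drops file" tables and the Defender exclusion commands
    'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe',
    'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe',
    'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe',
    'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe',
    'C:\Windows\apppatch\taskhostw.exe',
    'C:\Windows\Setup\State\taskhostw.exe',
    'C:\Windows\ImmersiveControlPanel\uk-UA\explorer.exe',
    'C:\Users\Default User\smss.exe'
)

function Get-TaskRunningDroppedBinary {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            if ($null -eq $action) { continue }
            $exe = $action.Execute            # ComHandler actions have no Execute; that yields $null
            if ([string]::IsNullOrEmpty($exe)) { continue }
            $exe = $exe.Trim('"')             # schtasks often stores the path quoted
            if ($DroppedBinaries -contains $exe) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Test-DroppedBinary {
    foreach ($path in $DroppedBinaries) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            Path       = $path
            SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            SigStatus  = $sig.Status          # 'Valid', 'NotSigned', 'HashMismatch', ...
            Signer     = $signer
            # Real binaries with these names are Microsoft-signed; anything else is a look-alike.
            Masquerade = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
        }
    }
}

function Remove-TaskRunningDroppedBinary {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($t in Get-TaskRunningDroppedBinary) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", "Unregister-ScheduledTask (runs $($t.Execute))")) {
            Unregister-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -Confirm:$false
        }
    }
}

Get-TaskRunningDroppedBinary | Format-Table -AutoSize
Test-DroppedBinary | Format-Table -AutoSize
Remove-TaskRunningDroppedBinary -WhatIf      # drop -WhatIf to remove the tasks
```

Compare the SHA256 column against the hashes in the General section: a dropped copy that is byte-identical to the submitted sample will show 5e7335d9...; a different hash means the copy was modified or is a different build and is worth submitting separately.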
Suspicious behavior: EnumeratesProcesses 35 IoCs
The sample and each powershell.exe instance are listed three times, each dllhost.exe once.

pid   Process                                                                   count
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  3
1172  powershell.exe                                                            3
2900  powershell.exe                                                            3
4392  powershell.exe                                                            3
3096  powershell.exe                                                            3
4792  powershell.exe                                                            3
2620  powershell.exe                                                            3
1660  powershell.exe                                                            3
4784  powershell.exe                                                            3
3312  dllhost.exe                                                               1
1420  dllhost.exe                                                               1
4148  dllhost.exe                                                               1
2508  dllhost.exe                                                               1
1616  dllhost.exe                                                               1
3108  dllhost.exe                                                               1
648   dllhost.exe                                                               1
4076  dllhost.exe                                                               1
Suspicious use of AdjustPrivilegeToken 17 IoCs
Every process in the chain enables SeDebugPrivilege: the sample, the eight powershell.exe instances and the eight dllhost.exe instances.

description               pid   Process
Token: SeDebugPrivilege   4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Token: SeDebugPrivilege   1172  powershell.exe
Token: SeDebugPrivilege   2900  powershell.exe
Token: SeDebugPrivilege   4392  powershell.exe
Token: SeDebugPrivilege   4792  powershell.exe
Token: SeDebugPrivilege   3096  powershell.exe
Token: SeDebugPrivilege   2620  powershell.exe
Token: SeDebugPrivilege   1660  powershell.exe
Token: SeDebugPrivilege   4784  powershell.exe
Token: SeDebugPrivilege   3312  dllhost.exe
Token: SeDebugPrivilege   1420  dllhost.exe
Token: SeDebugPrivilege   4148  dllhost.exe
Token: SeDebugPrivilege   2508  dllhost.exe
Token: SeDebugPrivilege   1616  dllhost.exe
Token: SeDebugPrivilege   3108  dllhost.exe
Token: SeDebugPrivilege   648   dllhost.exe
Token: SeDebugPrivilege   4076  dllhost.exe
Suspicious use of WriteProcessMemory 60 IoCs
These writes are process start-up (the parent writes into the new child's address space), so the pairs reproduce the process tree. Each pair is recorded twice in the source, giving 30 distinct parent/child relations: the sample starts the eight powershell.exe instances and the first dllhost.exe; every dllhost.exe then starts a WScript.exe (whose child is the next dllhost.exe) plus one further child that does not appear in the process tree listing. The entry "3108 wrote to memory of 4924" has procid_target 149, a process created well after the sample (which also had PID 4924), so it is most likely a new process that reused the sample's PID rather than a write back into the sample.

pid   Process                                                                   wrote to  procid_target
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  4784      111
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1172      112
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  2620      113
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  3096      114
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  4392      116
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  2900      117
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  4792      118
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1660      119
4924  5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  3312      127
3312  dllhost.exe                                                               924       129
3312  dllhost.exe                                                               696       130
924   WScript.exe                                                               1420      133
1420  dllhost.exe                                                               2784      134
1420  dllhost.exe                                                               3836      135
2784  WScript.exe                                                               4148      136
4148  dllhost.exe                                                               4360      137
4148  dllhost.exe                                                               4772      138
4360  WScript.exe                                                               2508      140
2508  dllhost.exe                                                               4796      141
2508  dllhost.exe                                                               3816      142
4796  WScript.exe                                                               1616      144
1616  dllhost.exe                                                               2296      145
1616  dllhost.exe                                                               2844      146
2296  WScript.exe                                                               3108      147
3108  dllhost.exe                                                               4688      148
3108  dllhost.exe                                                               4924      149
4688  WScript.exe                                                               648       150
648   dllhost.exe                                                               680       151
648   dllhost.exe                                                               3424      152
680   WScript.exe                                                               4076      153
System policy modification 1 TTPs 27 IoCs
The same 27 registry writes listed under "UAC bypass", reported here under the system-policy TTP: each of the three values is set to 0 once by the sample and once by each of the eight dllhost.exe instances.

description      ioc                                                                                                 value  Process                                                                   count
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA                  "0"    5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin "0"    5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop      "0"    5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA                  "0"    dllhost.exe                                                               8
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin "0"    dllhost.exe                                                               8
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop      "0"    dllhost.exe                                                               8
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe"C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4924 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\apppatch\taskhostw.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\taskhostw.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3312

C:\Windows\System32\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca729e7-4b6a-4703-9bf7-0734dfe5f534.vbs"
- Suspicious use of WriteProcessMemory
PID: 924

C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1420

C:\Windows\System32\WScript.exe (depth 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c7b52f-602e-460b-bf19-c3f74033b9cd.vbs"
- Suspicious use of WriteProcessMemory
PID: 2784

C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4148

C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b58bf5-d653-40b7-b8c3-b42a49c40d2d.vbs"
- Suspicious use of WriteProcessMemory
PID: 4360

C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe (depth 8)
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2508

C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f33a790a-1f3b-40f8-a935-1736934a533a.vbs"
- Suspicious use of WriteProcessMemory
PID: 4796

C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe (depth 10)
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1616

C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f14ea849-73f3-4df5-8b84-363ed7711195.vbs"
- Suspicious use of WriteProcessMemory
PID: 2296

C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe (depth 12)
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3108

C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\646fa27d-4432-45fd-a3c1-3d7ef9275359.vbs"
- Suspicious use of WriteProcessMemory
PID: 4688

C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe (depth 14)
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 648

C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eeecae90-5449-4db1-a903-4ef85450c482.vbs"
- Suspicious use of WriteProcessMemory
PID: 680

C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe (depth 16)
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4076

C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f31370b-8e40-41f3-8ffb-4763f56580a0.vbs"
PID: 3424

C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9061f2a1-69a2-4bb7-bdbe-d922fb62aef8.vbs"
PID: 4924

C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c631a1dd-98a0-462f-b09a-f3dced3d63f4.vbs"
PID: 2844

C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\198ddc90-c2d0-42c9-b42b-5696911c37b2.vbs"
PID: 3816

C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afa264da-98d8-4556-be90-cee631da1f13.vbs"
PID: 4772

C:\Windows\System32\WScript.exe (depth 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84c2662d-47b6-4d86-8f12-a7fb0b64ec20.vbs"
PID: 3836

C:\Windows\System32\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8a8c2a9-d5c6-4353-ae11-70e19ad1957c.vbs"
PID: 696
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2020

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\apppatch\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1936

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1916

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4564

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4244

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 516

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3932

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1536

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1780

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3984

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Setup\State\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3396

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4272

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2480

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3148

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2308

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1908

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2940

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3944

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3836

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2248

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3400
Network

MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads
- Filesize: 1.8MB
  MD5: b82f5228435b1b6d2f6c65d65eb514da
  SHA1: cc6bff1d0d7e34581b0b9720384333e2401529c9
  SHA256: 4e3c6dcbc73055ff404e7326ae5d0846c8e8c9aed2e6760480e03e20992c3e76
  SHA512: 266bd8af58a3e92cb53ad10cd572390a32e1833aa67aad8d73454488bd84ea8c4ed955386826187fceca8a403f8463862ec76fea811b9cda4440c0ea15093aab
- Filesize: 1KB
  MD5: 4a667f150a4d1d02f53a9f24d89d53d1
  SHA1: 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
  SHA256: 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
  SHA512: 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
- Filesize: 944B
  MD5: cadef9abd087803c630df65264a6c81c
  SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
  SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
  SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
- Filesize: 944B
  MD5: bd5940f08d0be56e65e5f2aaf47c538e
  SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
  SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
  SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
- Filesize: 735B
  MD5: fba723fdb281a5dd6259d5d49aca7f14
  SHA1: a6951f1754ffdd77a02894c31030ab956b522c07
  SHA256: a553c48e8bdabf30e57b735a2b0c0e67492a476f8ca6c4842213df1cf16d9cdd
  SHA512: 826590f049152197feaf9a9cff64da14e1cf170c39e0e16fd90548c0789c879ae347482be7c598542dce46e9a9479552109abced6d9c05f48d0d745dca200872
- Filesize: 735B
  MD5: 8fe84219a5156e72594b0ff8d2cde685
  SHA1: 0e0a304819b04ccf8cd1c49b7c54f8bb71203b68
  SHA256: 8f4275f0d27f993a33506d003cf7d6e6df27d8b0532a30a532019fc68292920a
  SHA512: d20ffa2ef6b0aa6bb227fbbd6195d39eb4ebe2d00433c844fe0c6b2f1bea3534ebd79480ba702f50ae516bd6a3fb0ba669ecfa6f6259aecdcbccf89406a04070
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 735B
  MD5: c94d921abd26206279c5d543e1009fa9
  SHA1: 2ed1bf709eed9a6558d1394c2dda71ea10bf5057
  SHA256: 821d98c8f4f8c8c9cb96184748f9167505875235dd11c02e7ef26d4be25b3ec9
  SHA512: 2decf7780f2ff03242ebf9724bed41f1ae3cbbd1cc1e9a9ccc20318805062e9e0b3da6889df262595ccb48d1fd12e4671a4ded3430c585e5c2dd39f89e5191be
- Filesize: 735B
  MD5: 589f2b1e6508eb945e5d9accb1a95ac9
  SHA1: 97549c1608c987a3f9277ac80cc48f9e51cdd3b9
  SHA256: 86dfcd3e7172cb70a95866334147385a45cd5444949778c74c9cb161b6279104
  SHA512: 93f94ea446879df52b8d7a487768589bb6dcb1fd9544c0e475739a73fbdac4b028052bc257798fc1daa5afeb7065d1915149cdb6efabe00803cda73256f19d13
- Filesize: 511B
  MD5: 6531214b5fcb4b63e09558f95e477da6
  SHA1: 5c1bd619bd5e017017af93c78f502d261f48576a
  SHA256: 7a13772a9b59d0e8e17cf090ac1c088b3cc47ff8b671351f32360a74f86c9c79
  SHA512: 0212e17b6dde36a4baa3150b37407948be5bf83872fb258792ada7158e73d64a4fa6306de3555cdff6b47449c1353521903c56b6f12ac8716122d16f7b8954fc
- Filesize: 734B
  MD5: 7c9c57fdd605cf4b9cf73cb8c79d5e3a
  SHA1: b4a39998019a1fdcd902c3d36c1b58c51f0ff9c9
  SHA256: 37a1df98c7cdc6c5d658d0352349c2b3e9f5ac7d417a173085454fd8559e3fff
  SHA512: cd31d8ac6f7a4cbade615749d95863f99c241f1931901c4b791705227f848c03cde51265aa9cb353958af4f28ce5d2fd514c08833a3c5df29498d51676b3fcc8
- Filesize: 735B
  MD5: 95576ebc132c451fc94d9c46fc43a879
  SHA1: 08fd101fad750e1089e7238d06bcf7562658f14c
  SHA256: 347e28d345cea7d91241e35655a7ef6c66afac5f8ccd20ab30c01450b83b97c7
  SHA512: 6d4950cc95bd2870b87264b9dcfb30ab68e3fb87ea06d966eb5db871ade86100d228cd670d0a783b47f58f41bad5606c76a825e5322dc1b26486e18261fcea79
- Filesize: 735B
  MD5: 5a4985dfea01bcce227f94922ed39a67
  SHA1: 39ea0b71019c14c4182310a71132ebabc645c9ac
  SHA256: 6add77f73294c6e0e3bc7e63d19a3d4adf6d9f9bbc75434ff5bd9954552937ae
  SHA512: 96c1062f5146fd4c217992a9dfee2be02da2adee0fb79637afddc5c87c483c6122fdc8b26db990e1dd8b87e5da4001167e4abb390a4a646fd2ccfcffb13da029
- Filesize: 1.8MB
  MD5: 5fe5c094a2fd1a198178aa10c5b62307
  SHA1: 766b36ad58f89249728f8405b893ee104f3a8e6d
  SHA256: 5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a
  SHA512: c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0