Analysis

max time kernel: 118s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 13-11-2024 04:59

Static task: static1
Behavioral task: behavioral1
Sample: 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
Resource: win7-20240903-en

General

Target: 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
Size: 4.9MB
MD5: ad5458bcf729c47d91d818cc1465b7cf
SHA1: 90ad45413b8da4ce7ecf79cb87f4aa82304f1c1c
SHA256: 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59
SHA512: 8a4bcf74c8d05243fc653fba5f2638505cd175f4bcffe1cca6c99142cbb8db44b5c1a91c1e1e37cdc7597fa2bcd24dbf99ffc6103702460688a29bd906327ad2
SSDEEP: 49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8r:L

Malware Config

Extracted: colibri 1.2.0, Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

Colibri family

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral2/memory/3684-3-0x000000001B530000-0x000000001B65E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
3104 | powershell.exe
1592 | powershell.exe
2564 | powershell.exe
3000 | powershell.exe
1312 | powershell.exe
4100 | powershell.exe
4576 | powershell.exe
4548 | powershell.exe
3520 | powershell.exe
2888 | powershell.exe
2536 | powershell.exe
Checks computer location settings 2 TTPs 13 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Executes dropped EXE 35 IoCs
pid | Process
4500 | tmp7FC2.tmp.exe
3548 | tmp7FC2.tmp.exe
1628 | TextInputHost.exe
4916 | TextInputHost.exe
3752 | tmpC321.tmp.exe
2828 | tmpC321.tmp.exe
2332 | TextInputHost.exe
5104 | tmpDFF0.tmp.exe
736 | tmpDFF0.tmp.exe
4852 | TextInputHost.exe
1468 | tmpFE9.tmp.exe
2688 | tmpFE9.tmp.exe
4808 | TextInputHost.exe
2692 | tmp2C99.tmp.exe
1628 | tmp2C99.tmp.exe
4084 | TextInputHost.exe
2648 | tmp5CB1.tmp.exe
3236 | tmp5CB1.tmp.exe
4136 | TextInputHost.exe
1864 | tmp8D47.tmp.exe
2532 | tmp8D47.tmp.exe
3580 | tmp8D47.tmp.exe
4216 | TextInputHost.exe
2564 | tmpBDDC.tmp.exe
1704 | tmpBDDC.tmp.exe
3880 | TextInputHost.exe
836 | tmpEE72.tmp.exe
4936 | tmpEE72.tmp.exe
3988 | TextInputHost.exe
1184 | tmp9CA.tmp.exe
2080 | tmp9CA.tmp.exe
628 | TextInputHost.exe
1364 | tmp25BE.tmp.exe
668 | tmp25BE.tmp.exe
3104 | TextInputHost.exe
Suspicious use of SetThreadContext 11 IoCs
description | pid | Process | procid_target
PID 4500 set thread context of 3548 | 4500 | tmp7FC2.tmp.exe | 125
PID 3752 set thread context of 2828 | 3752 | tmpC321.tmp.exe | 168
PID 5104 set thread context of 736 | 5104 | tmpDFF0.tmp.exe | 177
PID 1468 set thread context of 2688 | 1468 | tmpFE9.tmp.exe | 191
PID 2692 set thread context of 1628 | 2692 | tmp2C99.tmp.exe | 199
PID 2648 set thread context of 3236 | 2648 | tmp5CB1.tmp.exe | 208
PID 2532 set thread context of 3580 | 2532 | tmp8D47.tmp.exe | 218
PID 2564 set thread context of 1704 | 2564 | tmpBDDC.tmp.exe | 228
PID 836 set thread context of 4936 | 836 | tmpEE72.tmp.exe | 238
PID 1184 set thread context of 2080 | 1184 | tmp9CA.tmp.exe | 247
PID 1364 set thread context of 668 | 1364 | tmp25BE.tmp.exe | 256
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File created | C:\Program Files\Internet Explorer\dllhost.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\RCX88A1.tmp | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files\Windows Media Player\wininit.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files\VideoLAN\VLC\locale\pl\sppsvc.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\0a1fd5f707cd16 | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pl\RCX8050.tmp | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\SppExtComObj.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files\Internet Explorer\dllhost.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files\Windows Media Player\wininit.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files\Internet Explorer\5940a34987c991 | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files\Windows Media Player\RCX7C36.tmp | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pl\sppsvc.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files\Internet Explorer\RCX8D27.tmp | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files\VideoLAN\VLC\locale\pl\0a1fd5f707cd16 | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files (x86)\Windows Mail\SppExtComObj.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files (x86)\Windows Mail\e1ef82546f0b02 | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCX7E3A.tmp | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files\Windows Media Player\56085415360792 | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxMetadata\csrss.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\GameBarPresenceWriter\winlogon.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Windows\GameBarPresenceWriter\winlogon.exe | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File created | C:\Windows\GameBarPresenceWriter\cc11b995f2a76d | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
File opened for modification | C:\Windows\GameBarPresenceWriter\RCX8478.tmp | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpDFF0.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp5CB1.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8D47.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8D47.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpBDDC.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpEE72.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9CA.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7FC2.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC321.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpFE9.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp2C99.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp25BE.tmp.exe
Modifies registry class 13 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | TextInputHost.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 51 IoCs
Suspicious use of AdjustPrivilegeToken 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 39 IoCs
description: Set value (int)   ioc (all under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)   process (number of writes)
EnableLUA = "0"                    9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe (1), TextInputHost.exe (12)
ConsentPromptBehaviorAdmin = "0"   9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe (1), TextInputHost.exe (12)
PromptOnSecureDesktop = "0"        9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe (1), TextInputHost.exe (12)
(39 writes in total: 3 by the dropper, 36 by the TextInputHost.exe copies)
-
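The three values written above are the whole of the UAC prompting policy: EnableLUA=0 switches UAC off (effective after the next reboot), ConsentPromptBehaviorAdmin=0 makes elevation requests succeed silently, and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop. Writing this key needs administrative rights, so the dropper was already elevated when it did this. The Python below is an added example, not part of the sandbox report: it parses "Set value" lines in the report's own format, compares each UAC write against a hardened baseline, and says whether the combination disables UAC outright. The baseline values and the sample lines (including one unrelated registry write, used to show that non-UAC events are ignored) are constructed for the example.

```python
import re

# Registry key the report shows being written.
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Hardened baseline (Windows 10 defaults): UAC on, admins prompted for consent, on the secure desktop.
BASELINE = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "PromptOnSecureDesktop": 1,
}

# One report line: Set value (int) \REGISTRY\...\System\EnableLUA = "0" TextInputHost.exe
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>\w+) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)


def parse_registry_events(lines):
    """Turn 'Set value' report lines into dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["type"] == "int":
            ev["value"] = int(ev["value"])
        events.append(ev)
    return events


def uac_weakened(name, value):
    """True when the written value is weaker than the baseline for that policy."""
    if name == "EnableLUA":
        return value == 0          # UAC off entirely (applies after reboot)
    if name == "ConsentPromptBehaviorAdmin":
        return value == 0          # elevate silently, no prompt at all
    if name == "PromptOnSecureDesktop":
        return value == 0          # any prompt is drawn on the user desktop, where it can be spoofed
    return False


def assess_uac_policy(events):
    """Per UAC policy value: final value written, whether it weakens UAC, who wrote it, how often."""
    findings = {}
    for ev in events:
        if ev["key"].lower() != UAC_KEY.lower() or ev["name"] not in BASELINE:
            continue
        f = findings.setdefault(ev["name"], {
            "baseline": BASELINE[ev["name"]], "final": None,
            "weakened": False, "writers": set(), "writes": 0,
        })
        f["final"] = ev["value"]
        f["weakened"] = uac_weakened(ev["name"], ev["value"])
        f["writers"].add(ev["proc"])
        f["writes"] += 1
    return findings


def uac_effectively_disabled(findings):
    """All three policies pushed to 0 means no elevation prompt will ever be shown."""
    return all(name in findings and findings[name]["weakened"] for name in BASELINE)


# Constructed sample in the report's line format (not copied from a live host).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" TextInputHost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" TextInputHost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" TextInputHost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" explorer.exe',
]

if __name__ == "__main__":
    found = assess_uac_policy(parse_registry_events(SAMPLE_EVENTS))
    for name, f in found.items():
        print(f"{name}: {f['final']} (baseline {f['baseline']}) weakened={f['weakened']} by {sorted(f['writers'])}")
    print("UAC effectively disabled:", uac_effectively_disabled(found))
```

On a live host the same check is worth running against the current key contents, not only against event logs: a sandbox shows the writes, but an endpoint that has rebooted since the writes will simply have UAC off with nothing left in the process list to blame.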
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(format: depth⤵ command line, with the image path shown first where the command line does not start with it, then PID; behaviour tags on the following line)

1⤵ "C:\Users\Admin\AppData\Local\Temp\9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe"  PID:3684
   UAC bypass; Checks computer location settings; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  2⤵ "C:\Users\Admin\AppData\Local\Temp\tmp7FC2.tmp.exe"  PID:4500
     Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    3⤵ "C:\Users\Admin\AppData\Local\Temp\tmp7FC2.tmp.exe"  PID:3548
       Executes dropped EXE
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'  PID:2564
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'  PID:1312
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'  PID:3000
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'  PID:4100
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'  PID:4576
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'  PID:3520
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'  PID:4548
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'  PID:3104
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'  PID:2888
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'  PID:2536
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'  PID:1592
     Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  2⤵ "C:\Users\Public\Music\TextInputHost.exe"  PID:1628
     UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    3⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faf039b1-ff01-4817-9354-c88d92134e5c.vbs"  PID:1608
       Suspicious use of WriteProcessMemory
      4⤵ C:\Users\Public\Music\TextInputHost.exe  PID:4916
         UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        5⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81bddab6-9aed-47d2-a7c9-a45a36e54608.vbs"  PID:700
           Suspicious use of WriteProcessMemory
          6⤵ C:\Users\Public\Music\TextInputHost.exe  PID:2332
             UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
            7⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18ee56c0-09bf-46e8-b433-38f2beb94622.vbs"  PID:4016
              8⤵ C:\Users\Public\Music\TextInputHost.exe  PID:4852
                 UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
                9⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1479248-89f1-426c-ba6e-39ff41937fd7.vbs"  PID:3128
                  10⤵ C:\Users\Public\Music\TextInputHost.exe  PID:4808
                      UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
                    11⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8a34e94-c365-4735-8b19-5ddc776d95b7.vbs"  PID:1972
                      12⤵ C:\Users\Public\Music\TextInputHost.exe  PID:4084
                          UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
                        13⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cb1e80f-be90-4e9f-87c3-ecede595b535.vbs"  PID:4148
                          14⤵ C:\Users\Public\Music\TextInputHost.exe  PID:4136
                              UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
                            15⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1da05590-306e-46ba-9f02-7ddf26b6ce41.vbs"  PID:924
                              16⤵ C:\Users\Public\Music\TextInputHost.exe  PID:4216
                                  UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
                                17⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9731ab82-26a7-44de-90fb-f29cfd1d41ad.vbs"  PID:2880
                                  18⤵ C:\Users\Public\Music\TextInputHost.exe  PID:3880
                                      UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
                                    19⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\680515ee-f28c-438a-9f99-a6f940373db2.vbs"  PID:4268
                                      20⤵ C:\Users\Public\Music\TextInputHost.exe  PID:3988
                                          UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
                                        21⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b602a4b-3059-499b-813e-1485ae3fdf95.vbs"  PID:4740
                                          22⤵ C:\Users\Public\Music\TextInputHost.exe  PID:628
                                              UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
                                            23⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc77c0e4-398a-4fcb-808a-a05fdb4d0e84.vbs"  PID:1856
                                              24⤵ C:\Users\Public\Music\TextInputHost.exe  PID:3104
                                                  UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
                                                25⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8d00a2f-d747-4bc8-b077-d9849251ea8d.vbs"  PID:1916
                                                25⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8a8337f-b273-4d8e-83b2-88f5962d8e4b.vbs"  PID:4608
                                            23⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01b583c0-1f70-4ea8-a402-e9f1d6cc9251.vbs"  PID:1328
                                            23⤵ "C:\Users\Admin\AppData\Local\Temp\tmp25BE.tmp.exe"  PID:1364
                                                Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
                                              24⤵ "C:\Users\Admin\AppData\Local\Temp\tmp25BE.tmp.exe"  PID:668
                                                  Executes dropped EXE
                                        21⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c813cb6-4370-4ad2-ae52-07aee9925b10.vbs"  PID:3596
                                        21⤵ "C:\Users\Admin\AppData\Local\Temp\tmp9CA.tmp.exe"  PID:1184
                                            Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
                                          22⤵ "C:\Users\Admin\AppData\Local\Temp\tmp9CA.tmp.exe"  PID:2080
                                              Executes dropped EXE
                                    19⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2334ddf3-3632-4727-9dc8-4b2df6550e08.vbs"  PID:5116
                                    19⤵ "C:\Users\Admin\AppData\Local\Temp\tmpEE72.tmp.exe"  PID:836
                                        Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
                                      20⤵ "C:\Users\Admin\AppData\Local\Temp\tmpEE72.tmp.exe"  PID:4936
                                          Executes dropped EXE
                                17⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\469d86c0-be4e-4f0d-8986-df1b1e94b64b.vbs"  PID:3116
                                17⤵ "C:\Users\Admin\AppData\Local\Temp\tmpBDDC.tmp.exe"  PID:2564
                                    Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
                                  18⤵ "C:\Users\Admin\AppData\Local\Temp\tmpBDDC.tmp.exe"  PID:1704
                                      Executes dropped EXE
                            15⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3b0f2c7-10d2-4e6a-b44c-35153a9d674e.vbs"  PID:2932
                            15⤵ "C:\Users\Admin\AppData\Local\Temp\tmp8D47.tmp.exe"  PID:1864
                                Executes dropped EXE; System Location Discovery: System Language Discovery
                              16⤵ "C:\Users\Admin\AppData\Local\Temp\tmp8D47.tmp.exe"  PID:2532
                                  Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
                                17⤵ "C:\Users\Admin\AppData\Local\Temp\tmp8D47.tmp.exe"  PID:3580
                                    Executes dropped EXE
                        13⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\263e9a15-69b1-4da0-a5b2-b8ea7dd6b1fb.vbs"  PID:2208
                        13⤵ "C:\Users\Admin\AppData\Local\Temp\tmp5CB1.tmp.exe"  PID:2648
                            Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
                          14⤵ "C:\Users\Admin\AppData\Local\Temp\tmp5CB1.tmp.exe"  PID:3236
                              Executes dropped EXE
                    11⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\928b5845-ab0c-4930-9462-cff4701d28e8.vbs"  PID:4880
                    11⤵ "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"  PID:2692
                        Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
                      12⤵ "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"  PID:1628
                          Executes dropped EXE
                9⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5a9629b-afb6-462c-92ed-88070e63f6ae.vbs"  PID:2348
                9⤵ "C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.exe"  PID:1468
                   Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
                  10⤵ "C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.exe"  PID:2688
                      Executes dropped EXE
            7⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e48a956-52fa-4ad4-be58-d38fd18fd864.vbs"  PID:4416
            7⤵ "C:\Users\Admin\AppData\Local\Temp\tmpDFF0.tmp.exe"  PID:5104
               Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              8⤵ "C:\Users\Admin\AppData\Local\Temp\tmpDFF0.tmp.exe"  PID:736
                 Executes dropped EXE
        5⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f410a6e4-10e1-4e0c-b388-b11a204bd4e2.vbs"  PID:3000
        5⤵ "C:\Users\Admin\AppData\Local\Temp\tmpC321.tmp.exe"  PID:3752
           Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          6⤵ "C:\Users\Admin\AppData\Local\Temp\tmpC321.tmp.exe"  PID:2828
             Executes dropped EXE
    3⤵ "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78bb63a9-042f-4748-92f2-475a7c02075a.vbs"  PID:4872
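The eleven powershell.exe children of PID 3684 each run Add-MpPreference -ExclusionPath once, and between them they exclude 'C:/' itself plus every top-level folder on the drive, so Microsoft Defender scans nothing the sample later drops (Add-MpPreference needs administrative rights, which fits the UAC bypass tags above). The Python below is an added example, not part of the sandbox report: it pulls the -ExclusionPath arguments out of command lines in the report's format, normalises the forward-slash paths the sample used, and grades each exclusion by how much of the drive it covers. The sample command lines are constructed for the example (the last two, a narrowly scoped exclusion and a Get-MpPreference call, are there to show the contrast and that unrelated commands are ignored).

```python
import re

# The -ExclusionPath argument list of an Add-MpPreference call; PowerShell switches are case-insensitive.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-ExclusionPath\s+(?P<args>.+?)(?=\s+-[A-Za-z]|$)", re.IGNORECASE
)
# One argument: '...' or "..." or a bare token; PowerShell separates array elements with commas.
ARG_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|([^,\s'\"]+)")


def extract_exclusion_paths(cmdline):
    """Return every path passed to Add-MpPreference -ExclusionPath in one command line."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return []
    return [a or b or c for a, b, c in ARG_RE.findall(m.group("args"))]


def normalize_path(path):
    """Paths as Defender stores them: backslashes only, no duplicate or trailing separators."""
    p = re.sub(r"[\\/]+", r"\\", path.strip())
    return p.rstrip("\\")


def path_depth(path):
    """0 for a drive root such as 'C:', 1 for a top-level folder, and so on."""
    parts = [s for s in normalize_path(path).split("\\") if s]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        return len(parts) - 1
    return len(parts)


def audit_exclusions(cmdlines, broad_depth=1):
    """Map each excluded path to 'broad' (drive root or top-level folder) or 'scoped'."""
    verdicts = {}
    for cl in cmdlines:
        for raw in extract_exclusion_paths(cl):
            norm = normalize_path(raw)
            verdicts[norm] = "broad" if path_depth(norm) <= broad_depth else "scoped"
    return verdicts


def whole_drive_excluded(verdicts):
    """True when a bare drive root is excluded; every file on it is then skipped by scanning."""
    return any(path_depth(p) == 0 for p in verdicts)


# Constructed command lines in the shape the report shows, plus two for contrast.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
    "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Temp\\build\\' -Force",
    "powershell -Command Get-MpPreference",
]

if __name__ == "__main__":
    result = audit_exclusions(SAMPLE_CMDLINES)
    for path, verdict in result.items():
        print(f"{verdict:6} depth={path_depth(path)} {path}")
    print("whole drive excluded:", whole_drive_excluded(result))
```

A single 'C:/' exclusion is already enough to blind Defender to the drive; the ten folder-level exclusions that follow it in the tree are redundant, which is itself a useful fingerprint for this loader family's behaviour in process-creation telemetry (Event ID 4688 with command-line auditing, or Sysmon Event ID 1).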
Scheduled tasks created by C:\Windows\system32\schtasks.exe (each a separate top-level 1⤵ entry in the tree; every entry carries the tags "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task")
PID:3716  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /f
PID:4872  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
PID:1016  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
PID:3988  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /f
PID:1704  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
PID:1580  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
PID:620   schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\locale\pl\sppsvc.exe'" /f
PID:4272  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\pl\sppsvc.exe'" /rl HIGHEST /f
PID:2344  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\pl\sppsvc.exe'" /rl HIGHEST /f
PID:3424  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
PID:636   schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
PID:4456  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
PID:668   schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\winlogon.exe'" /f
PID:2900  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\winlogon.exe'" /rl HIGHEST /f
PID:432   schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\winlogon.exe'" /rl HIGHEST /f
PID:4468  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
PID:4196  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID:4372  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID:2612  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /f
PID:4148  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
PID:1000  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
PID:3764  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\TextInputHost.exe'" /f
PID:5004  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Music\TextInputHost.exe'" /rl HIGHEST /f
PID:3264  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\TextInputHost.exe'" /rl HIGHEST /f
PID:2932  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /f
PID:2456  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
PID:2728  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
PID:444   schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\TextInputHost.exe'" /f
PID:4172  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Music\TextInputHost.exe'" /rl HIGHEST /f
PID:3924  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\TextInputHost.exe'" /rl HIGHEST /f
PID:4348  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
PID:1528  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
PID:2892  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Modify Registry (2)
Downloads
-
Filesize 1KB
MD5    4a667f150a4d1d02f53a9f24d89d53d1
SHA1   306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize 2KB
MD5    d85ba6ff808d9e5444a4b369f5bc2730
SHA1   31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize 944B
MD5    6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1   c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize 944B
MD5    62623d22bd9e037191765d5083ce16a3
SHA1   4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize 944B
MD5    d28a889fd956d5cb3accfbaf1143eb6f
SHA1   157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize 944B
MD5    59d97011e091004eaffb9816aa0b9abd
SHA1   1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize 944B
MD5    2e907f77659a6601fcc408274894da2e
SHA1   9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize 715B
MD5    c7661e347f6516963465469a5a80ef3b
SHA1   2ed5c35a96e9cf97a12f3170923a50b3515536f5
SHA256 13e9959a8e0614abc3cab8bdb6b092b4eb53cd14456086bc646126b796fb7706
SHA512 55a9f2e675523ad2eec775a8b9569443ffec8232bc3d587cdf2ae44527ed650dbc05feb4679f7ac1169ad91c9144153b2a2818fdc570c10fb17706c8d3ed774e
-
Filesize 715B
MD5    d3edae70dbc77ccfb6b8c78a4d94884d
SHA1   9f8ce37dfc076c16835202c65c110cf105605206
SHA256 3584c5cd4874171a13f409f2a16603785bc15a804b6bd690ca63e3ba300472c4
SHA512 8869607c45295365e3efc6841cfecb46caff339f21e16307ef4bb9883131dfef27e3fc55ef2e5380a0fb18015da8f63c794aa36aa4351e187d61f6656435e772
-
Filesize 715B
MD5    7272d34ca7a16c7788e867af1fc02cea
SHA1   76d4fef4a8c5c1b0e54b58c5d5d823901119f725
SHA256 8d51560cd17b9717cf46cfac4f6c404f517e44be95d3eafb0b84409fdfce50c6
SHA512 e790abf4bf1bf9c18f39390784e5087b122ed0b9770bd376c321383e171a9d4963fb61cbfcb78b0e5bb85ec08e3d250f630783e9f6bb1c248884d24151844970
-
Filesize 491B
MD5    ca8aa566d9d1cd4f01b1323c9b984749
SHA1   eab22071e8f5956d24758dd93a7974443cc18cfb
SHA256 0d0de07e81a4bad7f8400deda730142c2215e4bae90913a0e0b0fdfbee19f85e
SHA512 692825bf8201580280478f3a140284385f49fd9d9988ebc0bb1581c5e202824f1d76d5943fc63edcef8293e75654460ea1b3db5525608ced82e973c44c87e675
-
Filesize 715B
MD5    8f53307a6ea0e7fe58e98d9ed8079fa3
SHA1   a03ac1c9b3115de7987426cdc9e790632cff2f53
SHA256 db36bfcb56a0cdc9a80aeda969b00af2e8c6cd3794badc4b2232ddc3a5a52100
SHA512 4ee9cad49c535ef1d336c0e2165e15478b663e27afdbd9774dee8310a2d3581f93ea2216bb9120068eaa55ae44e6a29b4e22b778d1c97509d5076a151d8e1224
-
Filesize 60B
MD5    d17fe0a3f47be24a6453e9ef58c94641
SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 715B
MD5    eeb55497484b734d268820c7916169db
SHA1837c884b438e377f1a26b51f241066e019c206e5
SHA25676c1260ba56690a3f28982b4d619d7ebbeb5058cc7abe8f0168c5b3ab9b3eebf
SHA512f6c41bbd25870d4cbc13915d310e96e9db18a51779d6b2ceb2d433611f59f4066b794aec6c6ebb543ca81474e06579b71f1ef925cce9d23e7128e61420495e70
-
Filesize
715B
MD59223ff4321e2845137eee5b727d7b87a
SHA1e5191a21eb3c104091dc30bb52e100b4b83523e0
SHA256350725be7a5cb9c869770aaa2d97bb27aa095fab5bc1f190cf6e6d2c0b40d2e0
SHA512af7b19e29ea689d51c8c9ad3b6890b4a64b58d3f90918650fc801646c20020d33c3f4cfb675da54337c5efa3400f918a3ce69edade11fa2302ebdb1f484d38ca
-
Filesize
715B
MD5f889e85758b7a78a3aea0fc2e880f660
SHA15252e1eb4ac861c83dea7787ab627a6cb4832fad
SHA2564e43d61cf84b304ba0c3b6a06b604da3419af71c569f2ac6dac1feb8e94a8315
SHA512e51b8a57dfe910d76b660f9bb5fbfd7c209b60174c99ecf00918227b42bb1cd32664df8869f26aaf9bd4abdd679e2c3b510a41b321c91f746f84238d6c992ba5
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
4.9MB
MD5ad5458bcf729c47d91d818cc1465b7cf
SHA190ad45413b8da4ce7ecf79cb87f4aa82304f1c1c
SHA2569701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59
SHA5128a4bcf74c8d05243fc653fba5f2638505cd175f4bcffe1cca6c99142cbb8db44b5c1a91c1e1e37cdc7597fa2bcd24dbf99ffc6103702460688a29bd906327ad2