Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 19:26
Static task: static1
Behavioral task: behavioral1
Sample: c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Resource: win7-20240903-en
General
Target: c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Size: 4.9MB
MD5: 6980bcd5d7d665f70f434120a1d20549
SHA1: 8104f0c2f92ecb1ab9c6700f14d56059a93a9465
SHA256: c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16
SHA512: 2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
Colibri family
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource: behavioral2/memory/4568-2-0x000000001B5B0000-0x000000001B6DE000-memory.dmp; yara_rule: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 49 IoCs
Suspicious use of SetThreadContext 14 IoCs
Drops file in Program Files directory 29 IoCs
Drops file in Windows directory 16 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 14 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process
- Token: SeDebugPrivilege 4568 c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
- Token: SeDebugPrivilege 2432 powershell.exe
- Token: SeDebugPrivilege 640 powershell.exe
- Token: SeDebugPrivilege 2156 powershell.exe
- Token: SeDebugPrivilege 1948 powershell.exe
- Token: SeDebugPrivilege 3200 powershell.exe
- Token: SeDebugPrivilege 1312 powershell.exe
- Token: SeDebugPrivilege 4996 powershell.exe
- Token: SeDebugPrivilege 3464 powershell.exe
- Token: SeDebugPrivilege 1112 powershell.exe
- Token: SeDebugPrivilege 1796 powershell.exe
- Token: SeDebugPrivilege 2012 powershell.exe
- Token: SeDebugPrivilege 1292 backgroundTaskHost.exe
- Token: SeDebugPrivilege 1372 backgroundTaskHost.exe
- Token: SeDebugPrivilege 4008 backgroundTaskHost.exe
- Token: SeDebugPrivilege 3464 backgroundTaskHost.exe
- Token: SeDebugPrivilege 1044 backgroundTaskHost.exe
- Token: SeDebugPrivilege 1504 backgroundTaskHost.exe
- Token: SeDebugPrivilege 1852 backgroundTaskHost.exe
- Token: SeDebugPrivilege 4732 backgroundTaskHost.exe
- Token: SeDebugPrivilege 3540 backgroundTaskHost.exe
- Token: SeDebugPrivilege 1092 backgroundTaskHost.exe
- Token: SeDebugPrivilege 656 backgroundTaskHost.exe
- Token: SeDebugPrivilege 2308 backgroundTaskHost.exe
- Token: SeDebugPrivilege 4596 backgroundTaskHost.exe
- Token: SeDebugPrivilege 1016 backgroundTaskHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 45 IoCs
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe "C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe" [depth 1]
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4568
C:\Users\Admin\AppData\Local\Temp\tmp9A6D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp9A6D.tmp.exe" [depth 2]
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848
C:\Users\Admin\AppData\Local\Temp\tmp9A6D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp9A6D.tmp.exe" [depth 3]
- Executes dropped EXE
PID:4360
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu2NHRNC8u.bat" [depth 2]
- Suspicious use of WriteProcessMemory
PID:3500
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 3]
PID:2580
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 3]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1292
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b361a854-4060-42f8-b4c0-bf950cbdb976.vbs" [depth 4]
- Suspicious use of WriteProcessMemory
PID:4884
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 5]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1372
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebf4b16b-84ea-46ce-9f33-5eaf830fc79a.vbs" [depth 6]
PID:4856
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 7]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4008
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\145dc23a-1cf2-4d53-a855-9101d3bedcce.vbs" [depth 8]
PID:3272
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 9]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3464
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\031fc456-02c8-45a2-9a43-ef0537e6f331.vbs" [depth 10]
PID:1040
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 11]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1044
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af40ee13-6d33-4e48-b171-5fc46007354a.vbs" [depth 12]
PID:4084
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 13]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1504
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bf4621c-612b-4563-9c6d-964ab0bd11d7.vbs" [depth 14]
PID:792
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 15]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1852
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64c97409-d8b2-4d18-a0b9-bdea9efc4bab.vbs" [depth 16]
PID:3472
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 17]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4732
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e71bdca6-75d0-4359-aad0-178947c00b81.vbs" [depth 18]
PID:2852
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 19]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3540
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6fd6073-d643-460c-aa2e-a873665d74f5.vbs" [depth 20]
PID:4660
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 21]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1092
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7df45b5e-f71c-4e49-b023-4b632b4636ab.vbs" [depth 22]
PID:1492
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 23]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:656
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83966967-7008-479e-9aee-ce0ab2882372.vbs" [depth 24]
PID:556
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 25]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2308
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5395a6fb-53d0-4a4c-9d2a-9430aa7c0bfa.vbs" [depth 26]
PID:3932
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 27]
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4596
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e690930a-ab04-4f3c-8871-3d70ca763dd5.vbs" [depth 28]
PID:1980
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe" [depth 29]
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1016
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2414eb1-54c0-438a-afec-2548a75c177c.vbs" [depth 28]
PID:816
C:\Users\Admin\AppData\Local\Temp\tmpAF32.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpAF32.tmp.exe" [depth 28]
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4904
C:\Users\Admin\AppData\Local\Temp\tmpAF32.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpAF32.tmp.exe" [depth 29]
- Executes dropped EXE
PID:452
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a801d22c-6382-43bb-9c28-36f055963f0a.vbs" [depth 26]
PID:408
C:\Users\Admin\AppData\Local\Temp\tmp7F19.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp7F19.tmp.exe" [depth 26]
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4016
C:\Users\Admin\AppData\Local\Temp\tmp7F19.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp7F19.tmp.exe" [depth 27]
- Executes dropped EXE
PID:1920
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e384b76-fa9f-4dd2-b469-f9a1dbaf6a80.vbs" [depth 24]
PID:2976
C:\Users\Admin\AppData\Local\Temp\tmp6400.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp6400.tmp.exe" [depth 24]
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:64
C:\Users\Admin\AppData\Local\Temp\tmp6400.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp6400.tmp.exe" [depth 25]
- Executes dropped EXE
PID:4108
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddd6953a-89ed-46aa-8246-0676b24fa479.vbs" [depth 22]
PID:4276
C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe" [depth 22]
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4752
C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe" [depth 23]
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1796
C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe" [depth 24]
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4504
C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe" [depth 25]
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3364
C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp337A.tmp.exe" [depth 26]
- Executes dropped EXE
PID:3584
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f3e0102-1128-41bc-b101-451c39d52df9.vbs" [depth 20]
PID:2008
C:\Users\Admin\AppData\Local\Temp\tmp16F9.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp16F9.tmp.exe" [depth 20]
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4556
C:\Users\Admin\AppData\Local\Temp\tmp16F9.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp16F9.tmp.exe" [depth 21]
- Executes dropped EXE
PID:4688
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaaafc74-6491-4f60-99b6-7126edf2f49d.vbs"18⤵PID:2672
-
-
C:\Users\Admin\AppData\Local\Temp\tmpFB14.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFB14.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\tmpFB14.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFB14.tmp.exe"19⤵
- Executes dropped EXE
PID:4744
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebb09a2a-8a43-4f2c-9ed6-6fee53a1e09e.vbs"16⤵PID:3732
-
-
C:\Users\Admin\AppData\Local\Temp\tmpDF5F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDF5F.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\tmpDF5F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDF5F.tmp.exe"17⤵
- Executes dropped EXE
PID:440
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecf00dba-d1a8-4fc0-b731-2cbcd44c2329.vbs"14⤵PID:4140
-
-
C:\Users\Admin\AppData\Local\Temp\tmpAED9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAED9.tmp.exe"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:408 -
C:\Users\Admin\AppData\Local\Temp\tmpAED9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAED9.tmp.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\tmpAED9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAED9.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\tmpAED9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAED9.tmp.exe"17⤵
- Executes dropped EXE
PID:1744
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1fa5ef5-578a-4d7b-978e-2ff4ce6c3daa.vbs"12⤵PID:2140
-
-
C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5116 -
C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe"13⤵
- Executes dropped EXE
PID:2600
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6139d598-4e76-49c4-9ff9-ed80dfc7128d.vbs"10⤵PID:3772
-
-
C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3420 -
C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe"12⤵
- Executes dropped EXE
PID:3616
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\924b506e-f87c-4170-8af7-425e8df3252b.vbs"8⤵PID:3524
-
-
C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe"10⤵
- Executes dropped EXE
PID:2836
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\391c9880-992b-429f-85d8-3f528b7e7176.vbs"6⤵PID:3688
-
-
C:\Users\Admin\AppData\Local\Temp\tmp173C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp173C.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\tmp173C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp173C.tmp.exe"7⤵
- Executes dropped EXE
PID:2404
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b3a51b4-d100-4ef3-b516-c09a85f0f60d.vbs"4⤵PID:1304
-
-
C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp.exe"5⤵
- Executes dropped EXE
PID:4552
-
-
-
-
-
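The tree above repeats one shape at every level: a dropped tmpXXXX.tmp.exe is flagged for SetThreadContext (and, at the first stages, WriteProcessMemory), then a second copy of the same image appears one level deeper, and that copy goes on to run a GUID-named .vbs through WScript.exe and the next tmp stage. A parent that rewrites a thread context and then hands control to a child with its own image path is the trace a suspended-then-overwritten (hollowed) copy leaves. The check below is an example added for this report, not code from the sandbox or from the sample; it rebuilds parent/child links from the level numbers printed next to each process and flags that pattern. Reading those numbers as tree depth, and the transcribed subset of the tree it runs on, are assumptions of the example.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass
class Proc:
    depth: int
    image: str
    pid: int
    signatures: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


# Constructed sample input: a subset of the tree above, transcribed as
# (depth, image, pid, signatures) and ordered parent before child. The depth
# is the level number the sandbox prints beside each process; treating it as
# tree depth is an assumption of this example.
SAMPLE_TREE = [
    (4, r"C:\Windows\System32\WScript.exe", 1304, []),
    (4, r"C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp.exe", 4048,
     ["Executes dropped EXE", "Suspicious use of SetThreadContext",
      "System Location Discovery: System Language Discovery",
      "Suspicious use of WriteProcessMemory"]),
    (5, r"C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp.exe", 4552, ["Executes dropped EXE"]),
    (6, r"C:\Windows\System32\WScript.exe", 3688, []),
    (6, r"C:\Users\Admin\AppData\Local\Temp\tmp173C.tmp.exe", 4476,
     ["Executes dropped EXE", "Suspicious use of SetThreadContext",
      "System Location Discovery: System Language Discovery",
      "Suspicious use of WriteProcessMemory"]),
    (7, r"C:\Users\Admin\AppData\Local\Temp\tmp173C.tmp.exe", 2404, ["Executes dropped EXE"]),
    (8, r"C:\Windows\System32\WScript.exe", 3524, []),
    (8, r"C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe", 2204,
     ["Executes dropped EXE", "System Location Discovery: System Language Discovery"]),
    (9, r"C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe", 2164,
     ["Executes dropped EXE", "Suspicious use of SetThreadContext",
      "System Location Discovery: System Language Discovery"]),
    (10, r"C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe", 2836, ["Executes dropped EXE"]),
]


def build_tree(records) -> List[Proc]:
    """Link every record to the nearest preceding record that is one level shallower."""
    procs: List[Proc] = []
    stack: List[Proc] = []  # the open ancestor at each depth, innermost last
    for depth, image, pid, sigs in records:
        p = Proc(depth, image, pid, list(sigs))
        while stack and stack[-1].depth >= depth:
            stack.pop()
        if stack:  # what remains on top is strictly shallower, i.e. the parent
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def find_self_injection(procs: List[Proc]) -> List[Tuple[int, int, str]]:
    """(parent pid, child pid, image) where a child runs the same image as a
    parent that manipulated a thread context: the shape a hollowed copy leaves."""
    hits = []
    for p in procs:
        par = p.parent
        if par is None or p.image.lower() != par.image.lower():
            continue
        if "Suspicious use of SetThreadContext" in par.signatures:
            hits.append((par.pid, p.pid, PureWindowsPath(p.image).name))
    return hits


def dropper_chain(leaf: Proc) -> List[str]:
    """Distinct dropped stages on the path from the root down to `leaf`;
    the hollowed copy of a stage shares its name and is collapsed into it."""
    names: List[str] = []
    node: Optional[Proc] = leaf
    while node is not None:
        name = PureWindowsPath(node.image).name
        if name.lower().startswith("tmp") and (not names or names[-1] != name):
            names.append(name)
        node = node.parent
    return names[::-1]


if __name__ == "__main__":
    tree = build_tree(SAMPLE_TREE)
    for parent_pid, child_pid, image in find_self_injection(tree):
        print(f"{image}: pid {parent_pid} set a thread context, then spawned itself as pid {child_pid}")
    leaf = next(p for p in tree if p.pid == 2836)
    print("stage chain:", " -> ".join(dropper_chain(leaf)))
```

On a live host the same check runs over Sysmon event 1 (process create) joined with event 8/10 access records, where the parent's thread-context write replaces the sandbox's signature string; the logic (same image, parent touched a thread of the child before it ran) does not change.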
C:\Windows\system32\schtasks.exe (depth 1), 54 instances. Each carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task"; command line and PID of each:

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /f
PID:3692

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f
PID:656

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f
PID:2008

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\security\RuntimeBroker.exe'" /f
PID:1176

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\security\RuntimeBroker.exe'" /rl HIGHEST /f
PID:1716

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\security\RuntimeBroker.exe'" /rl HIGHEST /f
PID:452

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\smss.exe'" /f
PID:3636

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
PID:1512

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
PID:4092

schtasks.exe /create /tn "c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16c" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe'" /f
PID:5100

schtasks.exe /create /tn "c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe'" /rl HIGHEST /f
PID:3668

schtasks.exe /create /tn "c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16c" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe'" /rl HIGHEST /f
PID:668

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'" /f
PID:2304

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'" /rl HIGHEST /f
PID:4980

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'" /rl HIGHEST /f
PID:224

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.BioFeedback\Fonts\sihost.exe'" /f
PID:1076

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.BioFeedback\Fonts\sihost.exe'" /rl HIGHEST /f
PID:3024

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemResources\Windows.UI.BioFeedback\Fonts\sihost.exe'" /rl HIGHEST /f
PID:4884

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\backgroundTaskHost.exe'" /f
PID:3664

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\backgroundTaskHost.exe'" /rl HIGHEST /f
PID:3348

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\backgroundTaskHost.exe'" /rl HIGHEST /f
PID:4148

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\Registry.exe'" /f
PID:556

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\Registry.exe'" /rl HIGHEST /f
PID:2736

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\PrintHood\Registry.exe'" /rl HIGHEST /f
PID:4556

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Registry.exe'" /f
PID:4300

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
PID:792

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
PID:4872

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /f
PID:3084

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
PID:5040

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
PID:1552

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /f
PID:3768

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
PID:3888

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
PID:3192

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
PID:4440

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
PID:4204

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
PID:932

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Screen\explorer.exe'" /f
PID:4456

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Web\Screen\explorer.exe'" /rl HIGHEST /f
PID:4488

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\explorer.exe'" /rl HIGHEST /f
PID:3756

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
PID:4648

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
PID:2732

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
PID:4324

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'" /f
PID:4632

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'" /rl HIGHEST /f
PID:1964

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'" /rl HIGHEST /f
PID:1404

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
PID:4104

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
PID:1328

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
PID:1524

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
PID:4472

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
PID:4264

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
PID:1600

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe'" /f
PID:1820

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe'" /rl HIGHEST /f
PID:4996

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backgroundTaskHost.exe'" /rl HIGHEST /f
PID:1312
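The 54 schtasks.exe invocations above follow one template per target image: a task named after the image plus one trailing letter that re-launches it every few minutes, a task with the bare name that runs at logon with /rl HIGHEST, and a second minute-interval task also with /rl HIGHEST, all with /f so an existing task of that name is silently replaced. Every target borrows the name of a Windows system process (winlogon, csrss, smss, sihost, RuntimeBroker, backgroundTaskHost, explorer, TextInputHost) or of a kernel pseudo-process that has no image on disk at all (System, Registry), while sitting in a directory none of those run from. The triage script below is an example added for this report, not code from the sandbox or the sample: it parses the command lines, groups tasks per target and flags the masquerade. The table of expected directories is an assumption of the example (it covers the names on this page, not every Windows build), and the sample command lines are a subset copied from the entries above.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample input: command lines copied from the schtasks entries
# above (a subset; the full list repeats the same three-task pattern per target).
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /f""",
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f""",
    r"""schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\security\RuntimeBroker.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Screen\explorer.exe'" /f""",
]

# Directory the genuine image of that name runs from, as (root, recursive).
# Assumption for this example: covers the names seen on this page only. An
# empty list marks a kernel pseudo-process name that never has an .exe on disk.
EXPECTED_DIRS: Dict[str, List] = {
    "winlogon.exe": [(r"C:\Windows\System32", False)],
    "csrss.exe": [(r"C:\Windows\System32", False)],
    "smss.exe": [(r"C:\Windows\System32", False)],
    "sihost.exe": [(r"C:\Windows\System32", False)],
    "runtimebroker.exe": [(r"C:\Windows\System32", False)],
    "backgroundtaskhost.exe": [(r"C:\Windows\System32", False)],
    "explorer.exe": [(r"C:\Windows", False), (r"C:\Windows\SysWOW64", False)],
    "textinputhost.exe": [(r"C:\Windows\SystemApps", True)],  # per-app subfolder
    "system.exe": [],
    "registry.exe": [],
}

# /opt value pairs; the value is a double-quoted string or a bare token.
OPT_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))')
FORCE_RE = re.compile(r"(?:^|\s)/f(?:\s|$)")


@dataclass
class ScheduledTask:
    name: str
    schedule: str              # MINUTE, ONLOGON, ...
    interval: Optional[int]    # /mo value (minutes for a MINUTE schedule)
    target: str                # image the task launches
    run_level: Optional[str]   # HIGHEST when the task asks for the full token
    force: bool                # /f silently replaces a task of the same name
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmd: str) -> ScheduledTask:
    """Pull the task-creation options out of one schtasks command line."""
    opts: Dict[str, str] = {}
    for key, quoted, bare in OPT_RE.findall(cmd):
        opts[key] = quoted if quoted else bare
    if "tn" not in opts or "tr" not in opts:
        raise ValueError(f"not a task-creation command: {cmd!r}")
    return ScheduledTask(
        name=opts["tn"],
        schedule=opts.get("sc", "").upper(),
        interval=int(opts["mo"]) if "mo" in opts else None,
        # this dropper wraps the target in single quotes inside the double quotes
        target=opts["tr"].strip("'"),
        run_level=opts.get("rl", "").upper() or None,
        force=FORCE_RE.search(cmd) is not None,
    )


def _under(directory: str, root: str, recursive: bool) -> bool:
    d, r = directory.lower(), root.lower()
    return d == r or (recursive and d.startswith(r + "\\"))


def assess(task: ScheduledTask) -> ScheduledTask:
    """Attach findings: masquerading image name, elevated run level, watchdog schedule."""
    path = PureWindowsPath(task.target)
    image, directory = path.name.lower(), str(path.parent)
    if image in EXPECTED_DIRS:
        roots = EXPECTED_DIRS[image]
        if not roots:
            task.findings.append(f"{path.name} names a kernel pseudo-process that has no on-disk image")
        elif not any(_under(directory, root, rec) for root, rec in roots):
            task.findings.append(f"{path.name} outside its expected directory: {directory}")
    if task.run_level == "HIGHEST":
        task.findings.append("requests highest run level (/rl HIGHEST)")
    if task.schedule == "MINUTE" and task.interval is not None:
        task.findings.append(f"watchdog: re-launched every {task.interval} minutes")
    return task


def triage(cmdlines: List[str]) -> List[ScheduledTask]:
    return [assess(parse_schtasks(c)) for c in cmdlines]


def masquerading(tasks: List[ScheduledTask]) -> List[ScheduledTask]:
    """Tasks whose target borrows a system-process name from the wrong directory."""
    return [t for t in tasks
            if any("expected directory" in f or "pseudo-process" in f for f in t.findings)]


def tasks_per_target(tasks: List[ScheduledTask]) -> Dict[str, List[str]]:
    """Task names grouped by target image (this dropper registers three per image)."""
    groups: Dict[str, List[str]] = {}
    for t in tasks:
        groups.setdefault(t.target.lower(), []).append(t.name)
    return groups


if __name__ == "__main__":
    for t in triage(SAMPLE_CMDLINES):
        print(f"{t.name:<16} {t.schedule:<8} {t.target}")
        for f in t.findings:
            print(f"    - {f}")
```

For cleanup the same parse gives the list of task names to delete (schtasks /delete /tn <name> /f) and the image paths to quarantine; because every task was created with /f, re-running the dropper would re-register them without error, so the images must go before the tasks.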
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)
Downloads

Filesize 4.9MB
MD5 a289a1669ce27507d836f32b5113feb9
SHA1 55f23dc348fc447f73f7a3e122f656c44c128369
SHA256 708c1fe367261cb6a0c930b28b31883dffef249671daf9b97c82849d6cb15b19
SHA512 ad47ee31870f9b7c90d70deed1b3d3ea89d87efa0b616f7c947191de603a6a6bdce6134bb56b4f83522abc781b54751fb0170c51dbafbd79a26c56f0cd18f2af

Filesize 4.9MB
MD5 6980bcd5d7d665f70f434120a1d20549
SHA1 8104f0c2f92ecb1ab9c6700f14d56059a93a9465
SHA256 c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16
SHA512 2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3

Filesize 1KB
MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize 944B
MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Filesize 944B
MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Filesize 944B
MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Filesize 944B
MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Filesize 944B
MD5 6c47b3f4e68eebd47e9332eebfd2dd4e
SHA1 67f0b143336d7db7b281ed3de5e877fa87261834
SHA256 8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA512 0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Filesize 754B
MD5 8d4c650f1333e8670e4c2bff8340035a
SHA1 b58aef7176708847e000a20e15cb8ea7ca2ae948
SHA256 ba5ada1db45ee429c6a7b04641b5fa1df70e71fbfe9e3333c5e7af4787db6f39
SHA512 29d8bae84d89c92d30c18870a2652d97848d5652c90ddfd7323db18bd97be87fc629aa360c3cb536e9bb74fe24c0e48eb407927f44756b9755cd24db0e78830e

Filesize 754B
MD5 f5e5edca5f6b1509d3cc06b6b6fc3832
SHA1 2d7c3f22ab6ff7b5d0e56e8c9ed343728c4075b5
SHA256 d0901bab912f10bf64fc8f2ad64282eed0bac4432f7e146d2f2f0cdb0d4e51a3
SHA512 0da4bb4a5bda2bed45663374d5b710aa569521eb386fd59bcb8bde46c708f24cbd0271329cd4407f3f5d6152b123cd543b8e80bfadccefe6ab7d4035944daa8b

Filesize 754B
MD5 e56ae67e8e9f6e9f7fdfe9daae852a9a
SHA1 7db8e28fb51050ab5af47bc124e4b5ec3db718f6
SHA256 ada4c7b09d900155a1e4be8c09ef2441f4228a7871776a299b9ee86769a6d2a3
SHA512 8176de120580ccf1bab84ab13ff28a10775dde32080c2d7d1091fd193077a864b5929db8eff809e0fc5e7b285e9b77dc044718d84a89a098757020f841ebfdb4

Filesize 530B
MD5 88d169027377548f49077343ce887f2f
SHA1 98561f31c8340aafea2cc3f1869fb17ebe2625a0
SHA256 9944a6de4c8eced744b06b77f0a638f4213b7ce90f9c7ba0ddb755310db57e98
SHA512 9808e415a982fb34e38a46d6461f10edf7e89ebf41dc98a1915d5012016d4ce6885b199170baa9c312c0dd8e566e3f203f15df9a943211a88ac9d523e9d82e4c

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 754B
MD5 27529eed0cc4baa2b43e8ec46937365d
SHA1 abc9ff938267d56adc8f7dd0eae1e4737c563696
SHA256 1a4c23a0e0805c25774bb43581efe8a5a5d527633f51ffe38aa00e4e6c501448
SHA512 47786f21f153017ecadbb04fba43ed5677145834dfcf2cdbd2cb1b80623575f647a48c12e3fd9fa2fba8d27fb4e588c41a4ef61b67b9cd1837367ecedfb801df

Filesize 754B
MD5 9867a998e0b9dce23ff0107f54400ce2
SHA1 420f75229bb93612a7c56790321d42adfa6aa176
SHA256 c68ec69616b526f5261fc818c6ee29afc185c0a751483eaa77dcbc3ff0891120
SHA512 a17ea51c1b8459eafdf591be747f25ae060f0edf2c9dfbc6ee362edbfb4f60d411f6a138ddbf67f22ab9016f4ea9aa6068404283793ff89eadf11a28791e5e79

Filesize 243B
MD5 51a89dbbe68408c77bb1cb55d093c717
SHA1 908310059f63faa733340bdb2526a66db45c9d4c
SHA256 036978268baebdc78597c3b0be1d746c6807a7bc7b78a5720a2fe42f0ab36ace
SHA512 1cbb5f61c67f491d496a2149030cc8afc4a6ce06bd0648a3dbdad4f372e9a5621e4334ee7e3d652728acf8baea1994b051c2de7800abf37def0c31d908860fb0

Filesize 754B
MD5 02c5259ee524f0f591cae929c82fd46e
SHA1 ea10ad38905d7c52d2d292f0e2ca02f315f5150f
SHA256 f038a63156e6d6d3585a03265c4fc805af9c084785a83e65f6a8ebb0faff69e4
SHA512 46ed50a1674e06d5384a07cbf38aaa41df0947b434931d66296b3e67a276f90838603d84aa3314109cc4cbe444831ca9d733c178abc4376302140e22b7746e9e

Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2