Analysis

max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-11-2024 23:57

Static task: static1
Behavioral task: behavioral1
Sample: 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Resource: win7-20240903-en

General

Target: 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Size: 4.9MB
MD5: c373114b88515ff2956327bf7e65f898
SHA1: 56a5b38dbd5a456719b0d429e253a946313a4895
SHA256: 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099
SHA512: 47f4c17f0759b9c94de7f27d5bc880488eadb22bbc9a1333ea8d63d185d28f349c82f7b8fd410f9bebb30b022abe822613e2393e0e2630dc293c98209be34d2b
SSDEEP: 49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.

Dcrat family

Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | (one row per child PID, listed below) | 1688 | schtasks.exe | 30

All 54 rows share the description, parent PID 1688, child process schtasks.exe and procid_target 30; the 54 child PIDs in the order reported: 2704, 2852, 2768, 2600, 2644, 2724, 2424, 1808, 2956, 2572, 2108, 1624, 2788, 2588, 2872, 2888, 2992, 1788, 984, 396, 2368, 1448, 372, 1168, 1480, 532, 3052, 3048, 2500, 2584, 2008, 992, 448, 2436, 1932, 1548, 1740, 1660, 1868, 1540, 848, 956, 1536, 2468, 1720, 2544, 2356, 1760, 1724, 1056, 2080, 1744, 2520, 2548
Every row is a "Set value (int)" on a value under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; identical rows are collapsed, with the number of occurrences in the last column (45 rows in total).

description | ioc | Process | rows
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe | 14
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe | 14
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe | 14
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 1
resource | yara_rule
behavioral1/memory/2932-3-0x000000001B7A0000-0x000000001B8CE000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Process powershell.exe, 12 PIDs in the order reported: 1624, 1032, 2588, 2512, 2036, 1628, 2572, 1920, 2108, 2340, 1828, 1752
Executes dropped EXE 14 IoCs
Process sppsvc.exe, 14 PIDs in the order reported: 396, 1136, 2712, 2908, 2108, 1940, 2692, 1604, 1980, 348, 1296, 1836, 2840, 1056
Every row concerns the value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; identical rows are collapsed, with the number of occurrences in the last column (30 rows in total).

description | ioc | Process | rows
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe | 14
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe | 14
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 1
Drops file in Program Files directory 24 IoCs
Process in every row: 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe

description | ioc
File opened for modification | C:\Program Files\Windows NT\RCX991F.tmp
File opened for modification | C:\Program Files\Windows NT\csrss.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\42af1c969fbb7b
File opened for modification | C:\Program Files\7-Zip\Lang\taskhost.exe
File opened for modification | C:\Program Files\Reference Assemblies\RCXA47A.tmp
File created | C:\Program Files\DVD Maker\de-DE\sppsvc.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
File created | C:\Program Files (x86)\Microsoft Office\1a3909386688ef
File opened for modification | C:\Program Files\DVD Maker\de-DE\sppsvc.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\RCX9D94.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe
File created | C:\Program Files\7-Zip\Lang\taskhost.exe
File created | C:\Program Files\DVD Maker\de-DE\0a1fd5f707cd16
File created | C:\Program Files\Windows NT\886983d96e3d3e
File created | C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe
File created | C:\Program Files\Reference Assemblies\spoolsv.exe
File created | C:\Program Files\Reference Assemblies\f3b6ecef712a24
File opened for modification | C:\Program Files\7-Zip\Lang\RCX86DE.tmp
File created | C:\Program Files\7-Zip\Lang\b75386f1303e64
File created | C:\Program Files\Windows NT\csrss.exe
File opened for modification | C:\Program Files\Reference Assemblies\spoolsv.exe
File opened for modification | C:\Program Files\DVD Maker\de-DE\RCX898E.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXA276.tmp
Drops file in Windows directory 20 IoCs
Process in every row: 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe

description | ioc
File created | C:\Windows\Setup\sppsvc.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe
File created | C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\56085415360792
File created | C:\Windows\Setup\0a1fd5f707cd16
File created | C:\Windows\Fonts\dllhost.exe
File created | C:\Windows\Fonts\5940a34987c991
File opened for modification | C:\Windows\system\RCX940E.tmp
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\RCX969F.tmp
File created | C:\Windows\Resources\Themes\Aero\fr-FR\42af1c969fbb7b
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe
File opened for modification | C:\Windows\Resources\Themes\Aero\fr-FR\RCX920B.tmp
File opened for modification | C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe
File opened for modification | C:\Windows\Setup\RCXA90E.tmp
File created | C:\Windows\system\56085415360792
File opened for modification | C:\Windows\system\wininit.exe
File opened for modification | C:\Windows\Setup\sppsvc.exe
File opened for modification | C:\Windows\Fonts\RCXAB12.tmp
File opened for modification | C:\Windows\Fonts\dllhost.exe
File created | C:\Windows\system\wininit.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process schtasks.exe, 54 PIDs in the order reported: 2436, 1740, 1660, 2724, 2572, 1720, 2548, 1624, 3052, 2644, 448, 2888, 1788, 2500, 956, 2852, 1548, 848, 532, 2368, 2468, 2544, 1760, 2520, 372, 2584, 1724, 1056, 2080, 2788, 1540, 2108, 1168, 1480, 984, 1868, 2768, 2588, 1448, 1932, 2704, 3048, 1536, 2872, 2956, 396, 2008, 2356, 2600, 2424, 992, 1744, 1808, 2992
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid | Process
2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe (reported 7 times)
2340, 1628, 2512, 2588, 1828, 1752, 1920, 1032, 2572, 1624, 2108, 2036 | powershell.exe (one row per PID)
396, 1136, 2712, 2908, 2108, 1940, 2692, 1604, 1980, 348, 1296, 1836, 2840, 1056 | sppsvc.exe (one row per PID)
Suspicious use of AdjustPrivilegeToken 27 IoCs
description in every row: Token: SeDebugPrivilege
pid | Process
2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
2340, 1628, 2512, 2588, 1828, 1752, 1920, 1032, 2572, 1624, 2108, 2036 | powershell.exe (one row per PID)
396, 1136, 2712, 2908, 2108, 1940, 2692, 1604, 1980, 348, 1296, 1836, 2840, 1056 | sppsvc.exe (one row per PID)
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed, with the number of occurrences in the last column (64 rows in total).

description | pid | Process | procid_target | rows
PID 2932 wrote to memory of 2588 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 85 | 3
PID 2932 wrote to memory of 2340 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 86 | 3
PID 2932 wrote to memory of 2108 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 87 | 3
PID 2932 wrote to memory of 2512 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 89 | 3
PID 2932 wrote to memory of 1032 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 91 | 3
PID 2932 wrote to memory of 1624 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 92 | 3
PID 2932 wrote to memory of 1920 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 93 | 3
PID 2932 wrote to memory of 2572 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 94 | 3
PID 2932 wrote to memory of 1628 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 95 | 3
PID 2932 wrote to memory of 1752 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 96 | 3
PID 2932 wrote to memory of 1828 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 97 | 3
PID 2932 wrote to memory of 2036 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 98 | 3
PID 2932 wrote to memory of 396 | 2932 | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe | 109 | 5
PID 396 wrote to memory of 680 | 396 | sppsvc.exe | 110 | 3
PID 396 wrote to memory of 2772 | 396 | sppsvc.exe | 111 | 3
PID 680 wrote to memory of 1136 | 680 | WScript.exe | 113 | 5
PID 1136 wrote to memory of 2204 | 1136 | sppsvc.exe | 114 | 3
PID 1136 wrote to memory of 1744 | 1136 | sppsvc.exe | 115 | 3
PID 2204 wrote to memory of 2712 | 2204 | WScript.exe | 116 | 5
PID 2712 wrote to memory of 2172 | 2712 | sppsvc.exe | 117 | 1
System policy modification 1 TTPs 45 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2932

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036
Depth 2: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:396

Depth 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4168a809-0c5c-446f-9422-24333cf4321f.vbs"
- Suspicious use of WriteProcessMemory
PID:680

Depth 4: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1136

Depth 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d42d2aa3-a12b-48af-ab57-6dc8a356cf78.vbs"
- Suspicious use of WriteProcessMemory
PID:2204

Depth 6: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2712

Depth 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55618d34-8e8d-4608-9725-e2894be7e94b.vbs"
PID:2172

Depth 8: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2908

Depth 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b891d9da-ce65-41b8-ad1d-4b211ee555f6.vbs"
PID:2688

Depth 10: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2108

Depth 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61117d-66ed-43c0-8cc9-e1dd6a2f76a7.vbs"
PID:2768

Depth 12: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1940

Depth 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05dc9605-5aed-4b6b-9514-b07f2c3f5614.vbs"
PID:1156

Depth 14: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2692

Depth 15: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dce88c35-906b-49f9-8b91-f6462be76330.vbs"
PID:1780

Depth 16: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1604

Depth 17: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\480b9a70-d1a8-46f8-b5ca-db49d3bb8943.vbs"
PID:316

Depth 18: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1980

Depth 19: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5abf60e7-be24-4994-8b10-5aff32bf3b13.vbs"
PID:2700

Depth 20: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:348

Depth 21: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b34bd7-631b-4176-b227-ad541a38129b.vbs"
PID:1660

Depth 22: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1296

Depth 23: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebcaa934-05f7-467f-b38b-aa8731e20cf4.vbs"
PID:1528

Depth 24: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1836

Depth 25: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48d0460c-1f17-4e74-9055-22cc88a635ce.vbs"
PID:1760

Depth 26: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2840

Depth 27: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11cda63-1733-487f-9881-ddf64eaf8df9.vbs"
PID:1560

Depth 28: C:\Program Files\DVD Maker\de-DE\sppsvc.exe
Command line: "C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1056

Depth 29: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6340a7fd-e481-40a5-9496-949061b8e034.vbs"
PID:2448

Depth 29: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e1db9dc-7ebf-49e1-9c79-5834dddb55e3.vbs"
PID:952

Depth 27: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31f07690-e989-4cef-b7c4-694832cb2844.vbs"
PID:2524

Depth 25: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\463cc1a1-faa2-4fca-b0e9-cf8d0591249a.vbs"
PID:2416

Depth 23: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c7de44-41b8-428a-ab2e-a71543bfc0b8.vbs"
PID:3048

Depth 21: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3622f946-46af-4490-97cc-9d4ebd9873d3.vbs"
PID:1004

Depth 19: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b39b2a71-20db-4e8f-a005-43ebf728796e.vbs"
PID:1692

Depth 17: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a5e709b-a857-42a1-b4ec-62af5d655acd.vbs"
PID:1480

Depth 15: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c96b43c8-9127-4861-8dcd-3c251e9d9a0b.vbs"
PID:2204

Depth 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa84f080-67c3-49e0-809b-e98a36ad5093.vbs"
PID:2012

Depth 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1eed196-bab8-409d-b0a3-dcec040cfa94.vbs"
PID:2324

Depth 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a9a3141-19e2-4b92-a63b-321d87cd0d32.vbs"
PID:2824

Depth 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\016fee74-0d97-4640-be63-e7977b3d04d2.vbs"
PID:2472

Depth 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a0c2139-8e56-47c5-a85c-282eccd9736d.vbs"
PID:1744

Depth 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce009a05-6605-40f5-bc74-8a2c2e4cccea.vbs"
PID:2772
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\system\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a0998" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a0998" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Setup\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads