Analysis

max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2024 23:57
Static task: static1
Behavioral task: behavioral1
Sample: 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Resource: win7-20240903-en
General

Target: 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Size: 4.9MB
MD5: c373114b88515ff2956327bf7e65f898
SHA1: 56a5b38dbd5a456719b0d429e253a946313a4895
SHA256: 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099
SHA512: 47f4c17f0759b9c94de7f27d5bc880488eadb22bbc9a1333ea8d63d185d28f349c82f7b8fd410f9bebb30b022abe822613e2393e0e2630dc293c98209be34d2b
SSDEEP: 49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

Colibri family

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource: behavioral2/memory/1568-2-0x000000001BEC0000-0x000000001BFEE000-memory.dmp
yara_rule: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid   Process
1996  powershell.exe
876   powershell.exe
1528  powershell.exe
5080  powershell.exe
2192  powershell.exe
4056  powershell.exe
3420  powershell.exe
4256  powershell.exe
4416  powershell.exe
400   powershell.exe
2508  powershell.exe
Checks computer location settings 2 TTPs 16 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE 43 IoCs
Suspicious use of SetThreadContext 12 IoCs
description                          pid   Process          procid_target
PID 4840 set thread context of 2364  4840  tmpBE6E.tmp.exe  131
PID 4236 set thread context of 4496  4236  tmp73E.tmp.exe   168
PID 2304 set thread context of 2956  2304  tmp2824.tmp.exe  176
PID 3972 set thread context of 4128  3972  tmp5E48.tmp.exe  183
PID 3048 set thread context of 2184  3048  tmpBC85.tmp.exe  195
PID 1240 set thread context of 3652  1240  tmpF037.tmp.exe  202
PID 2940 set thread context of 2300  2940  tmp142A.tmp.exe  208
PID 4360 set thread context of 3328  4360  tmp32AF.tmp.exe  215
PID 1080 set thread context of 3204  1080  tmp4F6E.tmp.exe  222
PID 2404 set thread context of 4360  2404  tmp8C0A.tmp.exe  231
PID 1956 set thread context of 4588  1956  tmpBF8D.tmp.exe  237
PID 2164 set thread context of 4268  2164  tmpDF3B.tmp.exe  243
Drops file in Program Files directory 24 IoCs
Drops file in Windows directory 16 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Modifies registry class 16 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process
Token: SeDebugPrivilege 1568 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Token: SeDebugPrivilege 876 powershell.exe
Token: SeDebugPrivilege 1528 powershell.exe
Token: SeDebugPrivilege 4416 powershell.exe
Token: SeDebugPrivilege 5080 powershell.exe
Token: SeDebugPrivilege 4056 powershell.exe
Token: SeDebugPrivilege 400 powershell.exe
Token: SeDebugPrivilege 1996 powershell.exe
Token: SeDebugPrivilege 2192 powershell.exe
Token: SeDebugPrivilege 4256 powershell.exe
Token: SeDebugPrivilege 2508 powershell.exe
Token: SeDebugPrivilege 3420 powershell.exe
Token: SeDebugPrivilege 3548 RuntimeBroker.exe
Token: SeDebugPrivilege 2656 RuntimeBroker.exe
Token: SeDebugPrivilege 3060 RuntimeBroker.exe
Token: SeDebugPrivilege 1572 RuntimeBroker.exe
Token: SeDebugPrivilege 4288 RuntimeBroker.exe
Token: SeDebugPrivilege 1308 RuntimeBroker.exe
Token: SeDebugPrivilege 3388 RuntimeBroker.exe
Token: SeDebugPrivilege 2148 RuntimeBroker.exe
Token: SeDebugPrivilege 2584 RuntimeBroker.exe
Token: SeDebugPrivilege 4600 RuntimeBroker.exe
Token: SeDebugPrivilege 2320 RuntimeBroker.exe
Token: SeDebugPrivilege 4992 RuntimeBroker.exe
Token: SeDebugPrivilege 3700 RuntimeBroker.exe
Token: SeDebugPrivilege 4028 RuntimeBroker.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 48 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe"3⤵
- Executes dropped EXE
PID:2364
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iR3fCogaVc.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:868
-
-
C:\Windows\L2Schemas\RuntimeBroker.exe"C:\Windows\L2Schemas\RuntimeBroker.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3548 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa582840-a3be-4f02-a687-f1865c264ee2.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2656 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c287192-3253-437f-b103-603a45f81459.vbs"6⤵PID:2852
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3060 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c1595a1-b405-4080-beb4-63fe4fc46632.vbs"8⤵PID:4268
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1572 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16336378-f9ec-4578-b7dc-6390a5dd4b77.vbs"10⤵PID:1904
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:4032 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb515cb5-db08-4484-9022-78b8974da11c.vbs"12⤵PID:4120
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4288 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ff1ed28-0640-4c16-aa37-04bc878bfc8f.vbs"14⤵PID:3204
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1308 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05f116f2-ac0d-43ab-a84d-1c4d758ca0d9.vbs"16⤵PID:684
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3388 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67f89bc7-c2c4-45b5-ac87-ec7b2074a6ce.vbs"18⤵PID:2428
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2148 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9360082b-46ba-4fc7-ba18-cbac774d3d65.vbs"20⤵PID:1272
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2584 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57f82647-da11-41cd-9c5d-8a005bda3d76.vbs"22⤵PID:2764
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4600 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9315a680-2aeb-4f02-9dda-ebb34534958a.vbs"24⤵PID:1016
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2320 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be62b14d-9176-4cf9-8755-2fe53f9d53b8.vbs"26⤵PID:1996
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4992 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cadb23f-3678-4dbc-bedf-566dbc69a5ba.vbs"28⤵PID:512
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3700 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb09bd97-b401-4f94-8259-50951f507031.vbs"30⤵PID:4480
-
C:\Windows\L2Schemas\RuntimeBroker.exeC:\Windows\L2Schemas\RuntimeBroker.exe31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4028 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e120433-4275-43a8-94ea-898b7ed35d35.vbs"32⤵PID:4436
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9b57f93-7be3-49fa-b4b9-c85619124a0c.vbs"32⤵PID:212
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66f0b135-f222-4ae8-bc3a-4d97cf995899.vbs"30⤵PID:4092
-
-
C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe"30⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe"31⤵
- Executes dropped EXE
PID:4268
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5e8c313-b220-44d3-b31b-769eb7646bf4.vbs"28⤵PID:1588
-
-
C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe"28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe"29⤵
- Executes dropped EXE
PID:4588
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\941d8491-7d5b-48b5-9c29-eac67576d22d.vbs"26⤵PID:2060
-
-
C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe"26⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe"27⤵
- Executes dropped EXE
PID:4360
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df606b32-650f-4bab-a354-c060b708d22e.vbs"24⤵PID:4492
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\475115af-b8fd-4c1f-b9f6-61ac67eba8bb.vbs"22⤵PID:4736
-
-
C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe"22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:868 -
C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe"24⤵
- Executes dropped EXE
PID:3204
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b2f92a-efc5-4a3c-b397-a881877686af.vbs"20⤵PID:1012
-
-
C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe"20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe"22⤵
- Executes dropped EXE
PID:3328
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b4282c-c05b-4b48-aea0-738656e28646.vbs"18⤵PID:380
-
-
C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe"19⤵
- Executes dropped EXE
PID:2300
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2af269d5-d3b0-459c-8151-b732b12fe997.vbs"16⤵PID:1392
-
-
C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe"18⤵
- Executes dropped EXE
PID:3652
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c79cb528-8b16-430b-be0d-f68d2c692599.vbs"14⤵PID:4644
-
-
C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe"15⤵
- Executes dropped EXE
PID:2184
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c618794-7a1f-44cb-85ac-a110b5768040.vbs"12⤵PID:2228
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\773442b3-a309-4d9e-8ffd-e39b9d06481a.vbs"10⤵PID:4496
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\172c2b50-0397-4f24-884b-72baeed05231.vbs"8⤵PID:3136
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe"9⤵
- Executes dropped EXE
PID:4128
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4fd6195-3bd6-4f24-82db-ad7a06f84448.vbs"6⤵PID:1192
-
-
C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe"
Tree level: 6
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe"
Tree level: 7
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2304

C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe"
Tree level: 8
- Executes dropped EXE
PID:2956
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0c15e39-27a2-4921-8a13-70b39d24c2eb.vbs"
Tree level: 4
PID:1860
C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe"
Tree level: 4
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe"
Tree level: 5
- Executes dropped EXE
PID:4496
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\OfficeClickToRun.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\OfficeClickToRun.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\OfficeClickToRun.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\dwm.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\dwm.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\dwm.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Windows\ContentStore\unsecapp.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Help\Windows\ContentStore\unsecapp.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Windows\ContentStore\unsecapp.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\csrss.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\csrss.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\csrss.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f
Tree level: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)
Downloads