Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-11-2024 04:57
Static task: static1
Behavioral task: behavioral1
Sample: 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Resource: win7-20240903-en
General
Target: 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Size: 4.9MB
MD5: 6e7923159a06c48bb09a81080d2d8266
SHA1: a2126afd2d75f3dedb602fd7f63b9940e0b47c22
SHA256: 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14
SHA512: d2ddd13c739e92febab2685f393aeed15140c4b03d3c15ec49c86bac764ab6e3a01982a64118bd9d4e700161b85e1a7f3a91f904322ecc17d6253174a08f4365
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (all 39 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2700 | Process: schtasks.exe | procid_target: 31 (identical for all 39 rows)
pid: 2856, 2724, 2844, 2864, 2100, 2916, 2624, 2572, 2636, 644, 2096, 1032, 1852, 2896, 2540, 2800, 2972, 536, 2456, 1044, 1976, 2756, 1908, 2424, 2912, 2380, 1916, 2384, 2212, 916, 1840, 692, 2036, 1632, 1284, 1544, 1664, 2516, 1684
UAC bypass
All ioc paths below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ (36 rows).
description | ioc | Process
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
resource | yara_rule
behavioral1/memory/2360-3-0x000000001BA40000-0x000000001BB6E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Process: powershell.exe
pid: 2408, 1932, 2744, 2120, 2148, 2680, 2860, 540, 2600, 3004, 2840, 2200
Executes dropped EXE 11 IoCs
Process: WMIADAP.exe
pid: 2124, 2576, 2772, 1932, 1944, 2684, 1136, 2292, 2076, 1860, 1780
Checks whether UAC is enabled
All ioc paths below are \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (24 rows).
description | ioc | Process
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Key value queried | EnableLUA | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Key value queried | EnableLUA | WMIADAP.exe
Key value queried | EnableLUA | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Key value queried | EnableLUA | WMIADAP.exe
Key value queried | EnableLUA | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Key value queried | EnableLUA | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Key value queried | EnableLUA | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Key value queried | EnableLUA | WMIADAP.exe
Key value queried | EnableLUA | WMIADAP.exe
Key value queried | EnableLUA | WMIADAP.exe
Key value queried | EnableLUA | WMIADAP.exe
Key value queried | EnableLUA | WMIADAP.exe
Drops file in Program Files directory 24 IoCs
Process (all 24 rows): 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
description | ioc
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\24dbde2999530e
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\56085415360792
File created | C:\Program Files\VideoLAN\WMIADAP.exe
File created | C:\Program Files\VideoLAN\75a57c1bdf437c
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXE8BF.tmp
File created | C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCXE199.tmp
File opened for modification | C:\Program Files\Internet Explorer\de-DE\RCXF571.tmp
File opened for modification | C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\services.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\services.exe
File created | C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
File created | C:\Program Files\Internet Explorer\de-DE\0a1fd5f707cd16
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXF15A.tmp
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\RCXF35E.tmp
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\75a57c1bdf437c
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
File opened for modification | C:\Program Files\VideoLAN\RCXF775.tmp
File opened for modification | C:\Program Files\VideoLAN\WMIADAP.exe
Drops file in Windows directory 8 IoCs
Process (all 8 rows): 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
description | ioc
File opened for modification | C:\Windows\AppCompat\Programs\OSPPSVC.exe
File opened for modification | C:\Windows\fr-FR\RCXFBFA.tmp
File opened for modification | C:\Windows\fr-FR\lsm.exe
File created | C:\Windows\AppCompat\Programs\OSPPSVC.exe
File created | C:\Windows\AppCompat\Programs\1610b97d3ab4a7
File created | C:\Windows\fr-FR\lsm.exe
File created | C:\Windows\fr-FR\101b941d020240
File opened for modification | C:\Windows\AppCompat\Programs\RCXEB3F.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe
pid: 2456, 1632, 536, 2212, 2912, 2100, 2916, 2624, 2636, 2800, 692, 1664, 2864, 2516, 1908, 1544, 2540, 1032, 1044, 1976, 2756, 1916, 2036, 644, 2096, 1852, 2896, 2384, 916, 1684, 2572, 2724, 2844, 2380, 2856, 2424, 1840, 1284, 2972
Suspicious behavior: EnumeratesProcesses 32 IoCs
Process | pid
4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 2360 (9 identical rows)
powershell.exe | 2600, 2840, 2408, 1932, 2744, 2680, 540, 3004, 2148, 2860, 2120, 2200
WMIADAP.exe | 2124, 2576, 2772, 1932, 1944, 2684, 1136, 2292, 2076, 1860, 1780
Suspicious use of AdjustPrivilegeToken 24 IoCs
description (all 24 rows): Token: SeDebugPrivilege
Process | pid
4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 2360
powershell.exe | 2600, 2840, 2408, 1932, 2744, 2680, 540, 3004, 2148, 2860, 2120, 2200
WMIADAP.exe | 2124, 2576, 2772, 1932, 1944, 2684, 1136, 2292, 2076, 1860, 1780
Suspicious use of WriteProcessMemory 64 IoCs
Each line below stands for the number of identical rows given in the last column (64 rows in total).
description | pid | Process | procid_target | rows
PID 2360 wrote to memory of 2148 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 71 | 3
PID 2360 wrote to memory of 2680 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 72 | 3
PID 2360 wrote to memory of 2840 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 74 | 3
PID 2360 wrote to memory of 2120 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 75 | 3
PID 2360 wrote to memory of 3004 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 76 | 3
PID 2360 wrote to memory of 2600 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 78 | 3
PID 2360 wrote to memory of 2744 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 79 | 3
PID 2360 wrote to memory of 1932 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 81 | 3
PID 2360 wrote to memory of 540 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 83 | 3
PID 2360 wrote to memory of 2200 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 84 | 3
PID 2360 wrote to memory of 2408 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 85 | 3
PID 2360 wrote to memory of 2860 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 87 | 3
PID 2360 wrote to memory of 2876 | 2360 | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | 95 | 3
PID 2876 wrote to memory of 2800 | 2876 | cmd.exe | 97 | 3
PID 2876 wrote to memory of 2124 | 2876 | cmd.exe | 98 | 3
PID 2124 wrote to memory of 2948 | 2124 | WMIADAP.exe | 99 | 3
PID 2124 wrote to memory of 1748 | 2124 | WMIADAP.exe | 100 | 3
PID 2948 wrote to memory of 2576 | 2948 | WScript.exe | 101 | 3
PID 2576 wrote to memory of 1612 | 2576 | WMIADAP.exe | 102 | 3
PID 2576 wrote to memory of 2536 | 2576 | WMIADAP.exe | 103 | 3
PID 1612 wrote to memory of 2772 | 1612 | WScript.exe | 104 | 3
PID 2772 wrote to memory of 2412 | 2772 | WMIADAP.exe | 105 | 1
System policy modification 1 TTPs 36 IoCs
All ioc paths below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ (36 rows).
description | ioc | Process
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Set value (int) | PromptOnSecureDesktop = "0" | WMIADAP.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | WMIADAP.exe
Set value (int) | EnableLUA = "0" | WMIADAP.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe"C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hs0sn2L6wi.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2800
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2124 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3cdb8ee-0726-4212-b937-b3beddfec743.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2576 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b2a2203-4a5d-4a4a-a926-4c350a596aa9.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2772 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a74449-cbc7-4681-8a73-247704307d6d.vbs"8⤵PID:2412
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1932 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53e2a958-5a4b-41d6-9f4e-c25d3c55600f.vbs"10⤵PID:2860
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1944 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e32edd9-6e70-4578-94ef-ee9f3be44825.vbs"12⤵PID:2320
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2684 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e430e252-e5f5-45b6-a030-9a719da2b330.vbs"14⤵PID:1600
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1136 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32f9b173-8f76-464c-b3cc-53ebd4189533.vbs"16⤵PID:2772
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2292 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86000b1e-ea65-4f43-973d-d5dfc0415136.vbs"18⤵PID:2352
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2076 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb541896-b775-4315-b5ff-f6ea9288c609.vbs"20⤵PID:2336
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1860 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e51c0d6-98e3-4963-877f-889aaa8eea97.vbs"22⤵PID:988
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1780 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e51f38fd-9ba6-4250-a4c8-2d9006856539.vbs"24⤵PID:2676
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28733509-40e2-4a82-8428-b0664447d8fd.vbs"24⤵PID:680
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da0aa89d-aa3b-48b2-878c-80493f910f67.vbs"22⤵PID:2376
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b959eb7-5698-48e1-97bb-56085a85d3d4.vbs"20⤵PID:2424
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2f8a08-4d44-48a7-a649-7178c41ca286.vbs"18⤵PID:2268
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\621e4bb5-ea86-4af6-8bbd-359974861059.vbs"16⤵PID:328
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95932655-c738-490b-b26f-ab1a6bf3f3b6.vbs"14⤵PID:3052
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e66d39f-fbd5-4c52-970c-e552e9bc9e55.vbs"12⤵PID:2820
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6946b19-d9f7-43a1-b77e-0b6af9bf0db5.vbs"10⤵PID:580
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e72ad55-b141-43db-aeae-473cf7b63099.vbs"8⤵PID:1988
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71a54d09-d7d0-40f8-99cb-ef77c22aa4c9.vbs"6⤵PID:2536
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fc57db3-e45e-4322-8a73-b1b80b2d87a8.vbs"4⤵PID:1748
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
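The behaviours recorded above reduce to a handful of checkable patterns: the three UAC policy values under Policies\System written as 0, Add-MpPreference -ExclusionPath issued once per top-level directory of C:, schtasks /create entries whose /tr target carries a Windows system-binary name (services.exe, lsm.exe, wininit.exe, WmiPrvSE.exe, ...) at a path outside System32 with /rl HIGHEST and a MINUTE repeat, and a w32tm /stripchart call against localhost. The Python below is an added example written for this page, not part of the sandbox report or of the sample: it implements those checks over constructed event records built from the report's own command lines and registry writes. The event dict layout is a hypothetical shape, not a real sandbox export, and treating w32tm /stripchart as a timed delay is an interpretation, not something the report states.

```python
"""Triage checks for the behaviours in the report above: UAC policy values
zeroed in the registry, drive-wide Defender exclusions via Add-MpPreference,
and schtasks persistence whose target masquerades as a Windows binary.
Added example; the event dicts are a constructed, hypothetical shape."""
import re
from typing import Dict, List, Optional, Tuple, Union

UAC_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows"
                  r"\CurrentVersion\Policies\System")
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
# Names the report's tasks impersonate; the genuine copies live under System32.
SYSTEM_BINARIES = {"services.exe", "lsm.exe", "wininit.exe", "sppsvc.exe",
                   "audiodg.exe", "wmiprvse.exe", "wmiadap.exe", "osppsvc.exe",
                   "idle.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def flag_registry_set(key: str, value: str, data: str) -> Optional[str]:
    """Report a UAC policy value written as 0, i.e. that layer of UAC disabled."""
    ok = key.lower() == UAC_POLICY_KEY.lower() and value in UAC_VALUES
    return f"uac_policy_disabled:{value}" if ok and data.strip('"') == "0" else None


def flag_defender_exclusion(cmdline: str) -> Optional[str]:
    """Report an Add-MpPreference exclusion of a drive root or a top-level dir."""
    m = re.search(r"Add-MpPreference\s+-ExclusionPath\s+['\"]?([^'\"]+)", cmdline, re.I)
    if not m:
        return None
    path = m.group(1).strip().replace("/", "\\").rstrip("\\")
    if re.match(r"^[a-z]:", path, re.I) and path.count("\\") <= 1:
        return f"defender_exclusion_broad:{path}"
    return None


def parse_schtasks(cmdline: str) -> Dict[str, Union[str, bool]]:
    """Split a schtasks command line into /option -> value (True for bare flags)."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    opts: Dict[str, Union[str, bool]] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                # /tr values arrive as "'path'": strip both quote layers
                opts[name] = tokens[i + 1].strip('"').strip("'")
                i += 1
            else:
                opts[name] = True
        i += 1
    return opts


def flag_schtasks_create(cmdline: str) -> List[str]:
    """Report masquerading, /rl HIGHEST and minute-interval repeat in /create."""
    opts = parse_schtasks(cmdline)
    target = opts.get("tr")
    if "create" not in opts or not isinstance(target, str):
        return []
    findings: List[str] = []
    name = target.lower().rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not target.lower().startswith(TRUSTED_DIRS):
        findings.append(f"masquerade:{name}")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        findings.append("run_level_highest")
    if str(opts.get("sc", "")).upper() == "MINUTE":
        findings.append(f"repeat_every_minutes:{opts.get('mo', '1')}")
    return findings


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every check over the events; returns (source, finding) pairs."""
    out: List[Tuple[str, str]] = []
    for ev in events:
        if ev["type"] == "registry":
            hit = flag_registry_set(ev["key"], ev["value"], ev["data"])
            out += [(ev["process"], hit)] if hit else []
            continue
        cmd = ev["cmdline"]
        hit = flag_defender_exclusion(cmd)
        out += [(cmd, hit)] if hit else []
        out += [(cmd, f) for f in flag_schtasks_create(cmd)]
        # w32tm /stripchart against localhost is read here as a timed delay
        if re.search(r"w32tm\s+/stripchart\s+/computer:localhost", cmd, re.I):
            out.append((cmd, "w32tm_sleep"))
    return out


# Constructed sample built from the report's own command lines and registry writes.
SAMPLE_EVENTS = [
    {"type": "registry", "process": "WMIADAP.exe", "key": UAC_POLICY_KEY,
     "value": "EnableLUA", "data": '"0"'},
    {"type": "process", "cmdline":
     "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'"},
    {"type": "process", "cmdline":
     'schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr '
     '"\'C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\'" /rl HIGHEST /f'},
    {"type": "process", "cmdline":
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
]

if __name__ == "__main__":
    for src, finding in triage(SAMPLE_EVENTS):
        print(f"{finding:45} <- {src[:60]}")
```

The masquerade test keys on the target path rather than the task name because the task names here ("servicess", "lsml", "WMIADAPW") are the binary name with one letter appended and vary between drops, while every target is a system-binary filename dropped under Program Files, Recovery, a Windows locale folder or the Default user profile. On a live host the same three checks map to (Get-MpPreference).ExclusionPath, the three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the output of schtasks /query /v /fo CSV fed to flag_schtasks_create.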
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (T1059), 1 match: PowerShell (T1059.001), 1 match
- Scheduled Task/Job (T1053), 1 match: Scheduled Task (T1053.005), 1 match
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548), 1 match: Bypass User Account Control (T1548.002), 1 match
- Scheduled Task/Job (T1053), 1 match: Scheduled Task (T1053.005), 1 match
Downloads
-
Filesize 752B
MD5 77cefa19386b86b69fce53e37b631056
SHA1 033e02c5eeec35dbcc2ddedb46f42355757330a1
SHA256 6bffcecdf5645012551787c385e302f5942c5e865e2a03e60d234e823c8f1d48
SHA512 cf8d4ee461649ee05cad98c7ccff3b1fd445dc0e9e025dd310d8daf92edcef4813b783b35882d65223e15c3db869c25f58e3d30a4152f7e4be46a3052d890e8c
-
Filesize 752B
MD5 9f11a492b0603d73bbfbb625c3b25c41
SHA1 8cbc0478fe7e49aeed547983229f9abb336fe7a6
SHA256 8be0e250de8c3b01afa6c8306d1159868cd186098baf7706d4915e681416c9bd
SHA512 a1b58fe60affafb7bf3e5e0311190360fca099177b00c12adf61daba6fa2d17e82c8986f1a86f7981f53503ffa707159d4ab082fb51011d3c9cb6e434a5d455a
-
Filesize 752B
MD5 cceaad656d19f25ac987f2b83b251f29
SHA1 86312088f14a84ef577ea94a63332a9265628c37
SHA256 5133b1e7c0df63d5991e82180a15afc9582e73ed3942ba269181b8b13d8326ac
SHA512 b893f4033b6978f7150c38c97194b37add52e5a14bc1808fe21d06f3466df74e193bb1a1371f0ecc2a357c1a3500accb79311f3d871e254a36b3e4a3c5cb4fb6
-
Filesize 528B
MD5 d40872492033fdc6863a3f6ea94f5e9e
SHA1 4251f7287871540f6c6d2e5bba184c92ae0376e4
SHA256 701bebb58771b0617fcead66fda1c3a93c5b12ccf6fe694650f4a281ec64e7a3
SHA512 f6ed939134deb797da120fb43aed95efbd5b91e7dfd64eb92bdc951d9aa35d94c5b6f3ab52d66ad66096c3cd0651fe484838f028623ba8af16af8ac508bbfb67
-
Filesize 752B
MD5 7b6c3666ce9e445d1f15208ac4c514be
SHA1 71bb09182c207711a93e7652900a320d84d5b1c2
SHA256 b316248992ee5b92d1932279edb859dd986570ce1e8c9120435bcdb38d7c530a
SHA512 74ac0e4827e99fff5897fbb888d9dd677b8b0c9e307443f2f2df41038bf23e2922ff62930e03e1a2f129173cd172c173de21087c28da8e522143a155f9a982f9
-
Filesize 752B
MD5 d12a0f0cfb4190390948d83562781d1e
SHA1 cc9294211b3c2c24b0bc76936819ccd6789c961a
SHA256 402fb2ea1ebcec0e2db2754df6e1c0dca341a97e6e4248f761b75441754e6bd7
SHA512 aa22250b61ebb3862c00b739f76b7b00980dce14af878a32a15c3698f0fe6bd62c9b93074eeff1cf2f4d7d68e6791911ea83cbea6ce0f3c4c3b97849e66bfcfc
-
Filesize 752B
MD5 bf8c598bdb6755214177f00ff5fc8956
SHA1 13a185e2de9b453ecfd06bd997ef146207fc3402
SHA256 fc39641f8bebf6184ca5ab21657c7e83d4c0cbe0ce19d3e16e2439c0e619d30c
SHA512 5412bc193aa39d58bd08f919c6d7bcbd64d5267c58c2a52c54bd23025f645f6636f63abe4955c3f9d0698ec70f7c477a7047540f745343f1ff18edd88be4e376
-
Filesize 752B
MD5 7904c55d5f164923e3fc85e32e8d2ec7
SHA1 9980c8880024f9b160a0b42ac9252338e7f46133
SHA256 5b87be83c9c8c599c8e30e4b3b5257e7a28af928afc0b2b1ecb15c7c4808c9f8
SHA512 8f72ce7b4f052243e53727f935440e5452985799597b56a8eed2ffebdf29e61528ea383d786d22bfde39bd92c60514c9decae4180cf291ec0342663d8af3048e
-
Filesize 752B
MD5 bd3f74c53f228f7bd3ed7b1f13b5f3eb
SHA1 e9a0a72fbecf1f0b99d10bf7792b1c870b49b084
SHA256 410f95bcd6471ed4b24c695dd58ab2c8495f9f96e2b2711dba958a52bda71236
SHA512 7d9d586d6ad705d9b1cdb99bd934cae5ec5836f1c0125dd748020cfc2bf5c6b67a856814b0baa162eb2d7592cd34761cf6bedeca453a62ec0e5d4fcdb8212c3b
-
Filesize 752B
MD5 d5c186139e74b1fe59ad6de13331b3ac
SHA1 16e7187a8c1a9118b4dd6e7639892c5071166c43
SHA256 2f7bf5349e18f8a64bb9a9d993816a40588b3a5d169208b8e4f2bb07c6e181b3
SHA512 1fbaec516d998094df33f25cc904f1fcf0498f74893e336e96fa4c0bb00685cb05319f465b7056538e962bd5b8567f531e775f886abb06ee5874c1cddc7d6fc6
-
Filesize 752B
MD5 4020aae06740cb966b8baa521dad25ab
SHA1 a8e479e29ceebdd299995e9f9809089df76a5ac0
SHA256 b6e7e4e2b70a6355246853272fb38d93471d61a76cc6c9db46ab178c119d4a50
SHA512 e3eaeb42bce372a93268615ed02c1ea322e2f4172719105cb33035810dccf5f865e8c9ff85a702f5b2f31c09b83f41b92ffc7570484c3b7b0ee6e4d0fd66ff4e
-
Filesize 752B
MD5 dc4c43599351d067f4c44ccacddfdf6d
SHA1 61b2bea41fdba7b0ef9c4610ebe0f82d67329414
SHA256 d7b077ea5293f46a2cb9cf039c8f94902e5452d198758eaf26e47040fcdbdae4
SHA512 0538f85577c86038f2dcb54f1528dcc3a3b617551d2b1a24e07362ca166f6281c762b817b5473a61f28f8cbd90d25a2b14ef77b540fbc911701698e4121b9f8a
-
Filesize 241B
MD5 cf094da7c9fa2ca9ca0ce3eb3bc24905
SHA1 118e08c083158eb8d49a34ab57b732038d7f01ed
SHA256 1a3d5e594d2261b07866caa156976a854bff8f40b03212e37cca9dd4cd7a2991
SHA512 7d712718e53425602a8110181334e3355e674376b7040faf76d7767e15b14198aca906a25095b97798636563c37a1ea1f43cf76e5df72032a16fe28da75595fd
-
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 628dc3ec330924cd33ec8371221dd65c
SHA1 5c3d88d4618a27908ecf80f98f2d8d473839a04b
SHA256 0dd56785cb0022cb5ab9b99ece4239297248d5065af6a5dece80f9698a619bd5
SHA512 a090664d56d09a181b4710fba9526f379638af0fa7a666ea07569f38e24a4ba5b0ed6b0f24c1b8f5b4768ec3c01c76d1c12c7b164ac77487eb3c2509ac6f0f5e
-
Filesize 4.9MB
MD5 2931e6e3e42233d9b7e650bce7435f36
SHA1 34eb80ddcf0438f5627e8b12be7a22a2de2b7a6e
SHA256 d8f391f6ab24765685b90a9815f3ff80dc3825f73dcaecf2aa25d786feb290bf
SHA512 6d3be094a7bc7809bf5bea9271b0dc3ca34ab6172cb33037bbc45385ae483f2a273f36de7aca68a045ace98a99450b1eba8f81686d4b01691375f595c057a692
-
Filesize 4.9MB
MD5 6e7923159a06c48bb09a81080d2d8266
SHA1 a2126afd2d75f3dedb602fd7f63b9940e0b47c22
SHA256 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14
SHA512 d2ddd13c739e92febab2685f393aeed15140c4b03d3c15ec49c86bac764ab6e3a01982a64118bd9d4e700161b85e1a7f3a91f904322ecc17d6253174a08f4365