Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 03:49
Static task
static1
Behavioral task
behavioral1
Sample
ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe
Resource
win7-20241010-en
General
-
Target
ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe
-
Size
4.9MB
-
MD5
4e3ae6b4f8ea1c5d2fb3a8bc008e2fff
-
SHA1
22329e6ce220cce52f7dde6e03c082d31f27bbae
-
SHA256
ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847
-
SHA512
6394d0a6883e478bf7f196ef1c829ff7d579ebfde1ddbdd5c59a57eb40ba82c5c15f41f71bfa4f31227198c8d722c5872c0aa01d5e750dd19523a8237db5b655
-
SSDEEP
49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2600 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2844 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2120 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 2856 schtasks.exe 31 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 2856 schtasks.exe 31 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe -
resource yara_rule behavioral1/memory/1764-2-0x000000001B440000-0x000000001B56E000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1676 powershell.exe 2124 powershell.exe 1988 powershell.exe 828 powershell.exe 2664 powershell.exe 1124 powershell.exe 952 powershell.exe 1924 powershell.exe 2200 powershell.exe 2164 powershell.exe 896 powershell.exe 2560 powershell.exe -
Executes dropped EXE 10 IoCs
pid Process 3032 WmiPrvSE.exe 2000 WmiPrvSE.exe 2740 WmiPrvSE.exe 1808 WmiPrvSE.exe 1932 WmiPrvSE.exe 2064 WmiPrvSE.exe 1612 WmiPrvSE.exe 2432 WmiPrvSE.exe 1460 WmiPrvSE.exe 644 WmiPrvSE.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\Internet Explorer\de-DE\wininit.exe ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe File created C:\Program Files\Internet Explorer\de-DE\56085415360792 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe File opened for modification C:\Program Files\Internet Explorer\de-DE\RCX1B71.tmp ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe File opened for modification C:\Program Files\Internet Explorer\de-DE\wininit.exe ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2864 schtasks.exe 2820 schtasks.exe 2624 schtasks.exe 2256 schtasks.exe 1912 schtasks.exe 2600 schtasks.exe 2844 schtasks.exe 2120 schtasks.exe 2572 schtasks.exe 2992 schtasks.exe 2620 schtasks.exe 2716 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 2560 powershell.exe 952 powershell.exe 1124 powershell.exe 2164 powershell.exe 2200 powershell.exe 1988 powershell.exe 2124 powershell.exe 1676 powershell.exe 1924 powershell.exe 828 powershell.exe 2664 powershell.exe 896 powershell.exe 3032 WmiPrvSE.exe 2000 WmiPrvSE.exe 2740 WmiPrvSE.exe 1808 WmiPrvSE.exe 1932 WmiPrvSE.exe 2064 WmiPrvSE.exe 1612 WmiPrvSE.exe 2432 WmiPrvSE.exe 1460 WmiPrvSE.exe 644 WmiPrvSE.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe Token: SeDebugPrivilege 2560 powershell.exe Token: SeDebugPrivilege 3032 WmiPrvSE.exe Token: SeDebugPrivilege 952 powershell.exe Token: SeDebugPrivilege 1124 powershell.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 2200 powershell.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 2124 powershell.exe Token: SeDebugPrivilege 1676 powershell.exe Token: SeDebugPrivilege 1924 powershell.exe Token: SeDebugPrivilege 828 powershell.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 896 powershell.exe Token: SeDebugPrivilege 2000 WmiPrvSE.exe Token: SeDebugPrivilege 2740 WmiPrvSE.exe Token: SeDebugPrivilege 1808 WmiPrvSE.exe Token: SeDebugPrivilege 1932 WmiPrvSE.exe Token: SeDebugPrivilege 2064 WmiPrvSE.exe Token: SeDebugPrivilege 1612 WmiPrvSE.exe Token: SeDebugPrivilege 2432 WmiPrvSE.exe Token: SeDebugPrivilege 1460 WmiPrvSE.exe Token: SeDebugPrivilege 644 WmiPrvSE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1764 wrote to memory of 2664 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 44 PID 1764 wrote to memory of 2664 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 44 PID 1764 wrote to memory of 2664 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 44 PID 1764 wrote to memory of 2164 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 45 PID 1764 wrote to memory of 2164 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 45 PID 1764 wrote to memory of 2164 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 45 PID 1764 wrote to memory of 1124 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 46 PID 1764 wrote to memory of 1124 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 46 PID 1764 wrote to memory of 1124 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 46 PID 1764 wrote to memory of 952 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 47 PID 1764 wrote to memory of 952 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 47 PID 1764 wrote to memory of 952 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 47 PID 1764 wrote to memory of 896 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 48 PID 1764 wrote to memory of 896 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 48 PID 1764 wrote to memory of 896 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 48 PID 1764 wrote to memory of 1676 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 49 PID 1764 wrote to memory of 1676 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 49 PID 1764 wrote to memory of 1676 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 49 PID 1764 wrote to memory of 2560 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 55 PID 1764 wrote to memory of 2560 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 55 PID 1764 wrote to memory of 2560 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 55 PID 1764 wrote to memory of 2124 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 56 PID 1764 wrote to memory of 2124 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 56 PID 1764 wrote to memory of 2124 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 56 PID 1764 wrote to memory of 1988 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 57 PID 1764 wrote to memory of 1988 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 57 PID 1764 wrote to memory of 1988 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 57 PID 1764 wrote to memory of 1924 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 58 PID 1764 wrote to memory of 1924 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 58 PID 1764 wrote to memory of 1924 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 58 PID 1764 wrote to memory of 828 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 59 PID 1764 wrote to memory of 828 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 59 PID 1764 wrote to memory of 828 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 59 PID 1764 wrote to memory of 2200 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 60 PID 1764 wrote to memory of 2200 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 60 PID 1764 wrote to memory of 2200 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 60 PID 1764 wrote to memory of 3032 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 68 PID 1764 wrote to memory of 3032 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 68 PID 1764 wrote to memory of 3032 1764 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe 68 PID 3032 wrote to memory of 2684 3032 WmiPrvSE.exe 69 PID 3032 wrote to memory of 2684 3032 WmiPrvSE.exe 69 PID 3032 wrote to memory of 2684 3032 WmiPrvSE.exe 69 PID 3032 wrote to memory of 944 3032 WmiPrvSE.exe 70 PID 3032 wrote to memory of 944 3032 WmiPrvSE.exe 70 PID 3032 wrote to memory of 944 3032 WmiPrvSE.exe 70 PID 2684 wrote to memory of 2000 2684 WScript.exe 71 PID 2684 wrote to memory of 2000 2684 WScript.exe 71 PID 2684 wrote to memory of 2000 2684 WScript.exe 71 PID 2000 wrote to memory of 884 2000 WmiPrvSE.exe 72 PID 2000 wrote to memory of 884 2000 WmiPrvSE.exe 72 PID 2000 wrote to memory of 884 2000 WmiPrvSE.exe 72 PID 2000 wrote to memory of 856 2000 WmiPrvSE.exe 73 PID 2000 wrote to memory of 856 2000 WmiPrvSE.exe 73 PID 2000 wrote to memory of 856 2000 WmiPrvSE.exe 73 PID 884 wrote to memory of 2740 884 WScript.exe 74 PID 884 wrote to memory of 2740 884 WScript.exe 74 PID 884 wrote to memory of 2740 884 WScript.exe 74 PID 2740 wrote to memory of 2600 2740 WmiPrvSE.exe 75 PID 2740 wrote to memory of 2600 2740 WmiPrvSE.exe 75 PID 2740 wrote to memory of 2600 2740 WmiPrvSE.exe 75 PID 2740 wrote to memory of 1532 2740 WmiPrvSE.exe 76 PID 2740 wrote to memory of 1532 2740 WmiPrvSE.exe 76 PID 2740 wrote to memory of 1532 2740 WmiPrvSE.exe 76 PID 2600 wrote to memory of 1808 2600 WScript.exe 77 -
System policy modification 1 TTPs 33 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1764 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Users\Admin\Cookies\WmiPrvSE.exe"C:\Users\Admin\Cookies\WmiPrvSE.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3032 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d512a23-a4e3-42ab-803d-a234a2a9df0d.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Users\Admin\Cookies\WmiPrvSE.exeC:\Users\Admin\Cookies\WmiPrvSE.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2000 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1763930-92ac-4d53-af0f-3621aa4c20e6.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Users\Admin\Cookies\WmiPrvSE.exeC:\Users\Admin\Cookies\WmiPrvSE.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2740 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55252e5f-6d24-4a62-a47a-9f4e39d79f40.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\Cookies\WmiPrvSE.exeC:\Users\Admin\Cookies\WmiPrvSE.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1808 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bff3c35-cd3c-4b8e-ac30-750c6dc4d5a7.vbs"9⤵PID:700
-
C:\Users\Admin\Cookies\WmiPrvSE.exeC:\Users\Admin\Cookies\WmiPrvSE.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1932 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d90837-e3ed-4606-8ba4-0840da34968c.vbs"11⤵PID:2392
-
C:\Users\Admin\Cookies\WmiPrvSE.exeC:\Users\Admin\Cookies\WmiPrvSE.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2064 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c08eff61-3fae-4d1b-82fb-32dc7137eaa5.vbs"13⤵PID:3056
-
C:\Users\Admin\Cookies\WmiPrvSE.exeC:\Users\Admin\Cookies\WmiPrvSE.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1612 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2f55063-d043-4df2-8c53-2fd0e06b2d47.vbs"15⤵PID:996
-
C:\Users\Admin\Cookies\WmiPrvSE.exeC:\Users\Admin\Cookies\WmiPrvSE.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2432 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd69200b-182b-47dc-a3d0-c36757f9ff9a.vbs"17⤵PID:1808
-
C:\Users\Admin\Cookies\WmiPrvSE.exeC:\Users\Admin\Cookies\WmiPrvSE.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1460 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16479034-82db-4c3d-af5c-fd8296a722e3.vbs"19⤵PID:2764
-
C:\Users\Admin\Cookies\WmiPrvSE.exeC:\Users\Admin\Cookies\WmiPrvSE.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:644 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbe4cbba-3d2f-4142-9604-01c92a051de7.vbs"21⤵PID:2428
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0f8d115-696d-41fc-bba3-9df05642fda1.vbs"21⤵PID:2596
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21ac5a72-85ea-47ee-be12-2e39c331b5a5.vbs"19⤵PID:2924
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae68b5be-48a5-42b7-865e-cdd9d3d010e4.vbs"17⤵PID:2476
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47628496-a2ac-4013-b760-36468519d37e.vbs"15⤵PID:2776
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80ba7ae6-6868-4fea-b3ba-2731963cfd6d.vbs"13⤵PID:2424
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c934e922-3cec-465b-8014-49faacf9f9b1.vbs"11⤵PID:2408
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4030b3ee-3f08-4ab0-8b95-b91ac2d11434.vbs"9⤵PID:1484
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9af99892-4a75-44b0-b0b9-95db8e6596fe.vbs"7⤵PID:1532
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa1676f4-4e7a-4495-99aa-72a3149551b7.vbs"5⤵PID:856
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e83e84e-4be8-43cd-bdb8-117aa6237fa6.vbs"3⤵PID:944
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
711B
MD50aaeec535e77a477cec4b931dd15d356
SHA14324739e9408728e33d31f440618cf52a16aa959
SHA2567df9d7ba20ff6eadf57d6980c8cabcda6460f0ec101f5fcaf89f11584314607f
SHA5125914292535f932e9def5bcdd3eba10ec8acfbab258902bbdce0a9ffd81afaf6223597ee5dc4a9887896bb4aaad8d38159059b53407c15948026bf97557ae64d2
-
Filesize
711B
MD52b4884943050a1d7482f567f817e5eee
SHA130a20e688788208bc93f7ea3cfce5db48e03fcac
SHA2561f51faec70f14dbb0744f75798a054219703be45ceb4bdf9a1c04981c952cb5f
SHA5122a0abc0067117ec06c5f07c57ceeaebf7e08cbfdc4b194da0364a4677cfed4435185f088d8f75dcbbc4df3255da6496b7550e51080595892e41659cec6fd900d
-
Filesize
711B
MD53eb62b339662e510e0ddc515e0581108
SHA1b934f40d37922f28e4d60b9f41545eb3304a1a42
SHA25642b5dd133d877a0fcc1a5cb28add526170edac04130cfeee5826125dfb3ddcd1
SHA512b2d697ba4b14dbd828a67c35aa94aa80d8fa867387fcd6e2edda83653e831937edde4151488620ac6d782bf0638eb5c4e28297a0fe161853d5c347a07857055e
-
Filesize
487B
MD5e44534f976685c8ecffe7f60fcf84bcf
SHA141e39347dfbaa8dd658db229fe1fa6f2c63305ec
SHA256217e48b7a62edfc3ddb02d8c899b457640fdec39fd0859d12475c85d3397a747
SHA51265a7dc8d674b5c1112740937fa2836e6bcc5fd2c80fd23aa95b01d05f96e83856e504becdacfd36711e76c744c9d11600a1fa1a29d5db3742be0a4e5e5866439
-
Filesize
711B
MD55296bc5801741202c188e76bcd3ec34b
SHA14047e409a26316b0869fae6da236f15f95bdbe0a
SHA256d025fbef86ccd5d57cd0318ac6b0bf61a750d7da5d7277fd9f012aff2d82dfd3
SHA51223f37d8ff8297e1a9131f5656a6a10edf74dc28575feaf04eb27bd3ed080b5c9daf436f22e6eda387ba55b74823c6d44e55810bd892189a7ae7cc06ca34f1b51
-
Filesize
4.9MB
MD59f858c55cd3f0a35a565230f3111e077
SHA18078ee58f72ba679148a77ccf7349df29a152c92
SHA256cbec168771bb5e467f8a02a550d3d8d28e61e1e917d425e3df3196954ecf42d8
SHA5120995d1a792236aae5262074ca145d027090478b6661d976f220ff7ba2a4fd5c05ce0268a368f177c593db44b864b8164176be76811a6aba31a7b38206337e537
-
Filesize
711B
MD5a51b0a52ff2cd2c7b51a4c64bf8cfffd
SHA1c1675049f02994d0b802f29f3a733b474a244881
SHA2567418d306a388ddd5f5086e152f3e4a58f2a43f4c1be6041276aaed32ff723cdb
SHA512813bf50f4fde98e87a587fe241bfaaacebcc9d6cea0a804fdf7f98f926f360553b4a55ee38ff76cae4cbb665fd2ba8a98a7c198735ac007038d4a0e638770b82
-
Filesize
711B
MD53b453640376770c7ed9ddf19a4a49139
SHA1ddf919357befa9e5d7bc7d210ac0f4eea71aa647
SHA256f6545dc69990bfee216fedcdc748c920856604796631c0b7efe58a77890411fa
SHA5120ccad00af4bc524b105130ebd3af9f3ddb39ff987ca236a4d8870db5cb66f3d8965515baeb76e044b894f720c6277af2eff9b05fe9a74b3265978054a5572622
-
Filesize
710B
MD5f75095c435cc54b4e872de1922eec7e0
SHA1067a73f11aab870862f54b5068d4c81d99580a94
SHA2561c6d766b1888932ce6b40de36a29c96997d31761af011f78415cae48ccee05b1
SHA512367e4d50ee302739472a29639b758ed5df4816650f9cc9e44df4804ba2f0d60cea78e32f64ee7a1665042d6bb5d89a7dc76c376ae14d814a96931756844cd9ec
-
Filesize
711B
MD5584f04ec0a3897cf41a8ebe92be3b0fc
SHA1da3ae586c4554170601f3bdc790fc920ca562142
SHA25633c7d8003e88d4337c728aeea9d1dd75104d27da8346b67c393d2846f138ead1
SHA512e33f9b4a61f808ad206357b4f80ddd50cbcfb11e303019a66095c3792c644fac135fe41d2d21d88b8ad051f6fccacd20077c44340ce9fe109870f0ee339ca11c
-
Filesize
711B
MD52394902cc50ab9f660fcc18339183e69
SHA1467828b66e3444d0966889eaf7667df78306d7a6
SHA256ceb858c7cf99a0c1519b3a87a63135485bf90432a011b7879d0b9c925643fbf8
SHA512c22aeefd1224fa19eedb4669c90608fb1f0af79ee39c7c1d9e9cf44b24aca16ba75a6bec6daadb32b57c3ea8bf2b262f0fcb69d9a790576d927f8ba2307a2184
-
Filesize
711B
MD56b3ca7647177a30ce885ebc8f15ab0fd
SHA1bcdcc238b8f2caed2ddf094abfd5ffd7a26020e4
SHA2562386764d46738eb40ff40a4fd8e1d47bb6d7c921341bd685b8f1acca0eb665a8
SHA5125f7b0d9de698dc9ce753b556202714472dbca92bb249215f768a5cc45dee580b7a67b8cec999a14a64b13376a05da08aa2f32a72bb99f10336c2f79fb90570ce
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD57cf70a377a9839411de49bf1f4f61773
SHA14be1676995c3a8be69377425b19358bf78492b6d
SHA256d79eb408b86d6bf0c951b7654d0cd285ea0a309b7e7be49968216a2b1007f6e8
SHA5129e1ce5946b9811e0d0914087445c758911970a44b0907a467f03e3ae6da42d95860e78d0f7d15b336b80ae1bfe5264276a56e65b1e873d03091501d59f7c9136
-
Filesize
4.9MB
MD54e3ae6b4f8ea1c5d2fb3a8bc008e2fff
SHA122329e6ce220cce52f7dde6e03c082d31f27bbae
SHA256ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847
SHA5126394d0a6883e478bf7f196ef1c829ff7d579ebfde1ddbdd5c59a57eb40ba82c5c15f41f71bfa4f31227198c8d722c5872c0aa01d5e750dd19523a8237db5b655