Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2024 00:43

Static task: static1
Behavioral task: behavioral1
Sample: 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
Resource: win7-20241010-en

General
Target: 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
Size: 4.9MB
MD5: 5e69adf2beb7d1a8ef40e68fc56ca480
SHA1: 0c7168362ba93f9b1eab9c7ff836dcd96331bdbb
SHA256: 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745
SHA512: 549f8db5372aaa68e948865d5ac688d0db15b7f6c2234638bb17441c99e565756ecc88e9d8b1437ba8073bc1e314473d2107153a085988c778fe55bd29d49435
SSDEEP: 49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

All 48 rows share the same description, parent and child image; only the child pid differs.

description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Process: schtasks.exe
pid_target (parent): 2648, procid_target 30
pid (child schtasks.exe instances, 48 rows):
2732, 2416, 2632, 2080, 2664, 2600, 428, 1240, 924, 2124, 2320, 1776, 520, 2956, 2508, 1816, 664, 1160,
572, 940, 2024, 2020, 2368, 1908, 2468, 1292, 2480, 1396, 2492, 2512, 1580, 1328, 1768, 1596, 1728, 1056,
1476, 1972, 1656, 2028, 360, 1788, 112, 556, 2184, 3048, 2584, 2040
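
The following check, added here as an example and not part of the sandbox report or of the DcRat code, encodes the rule behind this table (a script host or LOLBin whose parent is the WMI provider host) and collapses repeated rows into one line per parent/child-image pair. One caveat the generic description above leaves out: a process created through WMI (Win32_Process.Create, as used by `wmic process call create` and by WMI client libraries) is parented by WmiPrvSE.exe, so 48 schtasks.exe children of the genuine C:\Windows\system32\wbem\wmiprvse.exe are consistent with the sample registering its tasks via WMI, not with wmiprvse.exe itself being exploited; legitimate remote administration over WMI produces the same parentage and has to be allow-listed. The report also reuses PIDs (520 and 664 appear both as schtasks.exe and as powershell.exe, 3048 as schtasks.exe and as WScript.exe), so the code keys on the sandbox's per-process procid rather than the pid. The events are constructed from the rows above; the procids for processes the report does not number, the sample's path and the tuple layout are assumptions.

```python
"""Flag shell/LOLBin children of the WMI provider host and summarize them.

SAMPLE_EVENTS is CONSTRUCTED from the report rows above (child pids, parent
pid 2648 / procid 30, images) plus made-up procids for processes the report
does not number; the tuple layout is an assumed generic EDR schema.
"""
from collections import Counter
import ntpath

WMI_HOST = "wmiprvse.exe"
# Children of WmiPrvSE.exe that normally mean "a command was launched through
# WMI Win32_Process.Create" rather than ordinary provider activity.
SUSPICIOUS_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

WMI_PATH = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # assumed stand-in for the sample

# (child_pid, child_procid, child_image, parent_pid, parent_procid, parent_image)
SAMPLE_EVENTS = [
    (2732, 31, r"C:\Windows\System32\schtasks.exe", 2648, 30, WMI_PATH),
    (2416, 32, r"C:\Windows\System32\schtasks.exe", 2648, 30, WMI_PATH),
    (520,  33, r"C:\Windows\System32\schtasks.exe", 2648, 30, WMI_PATH),
    # PID 520 is reused later in the run for powershell.exe (as in the report);
    # keying on procid rather than pid keeps the two apart.
    (520,  84, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 2728, 29, SAMPLE_PATH),
    # Not flagged: schtasks run from an interactive shell.
    (1900, 40, r"C:\Windows\System32\schtasks.exe", 1500, 12, r"C:\Windows\System32\cmd.exe"),
    # Not flagged: the provider host spawning a non-shell helper.
    (1950, 41, r"C:\Windows\System32\WerFault.exe", 2648, 30, WMI_PATH),
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def find_unexpected_children(events):
    """Return (child_procid, child_pid, child_image, parent_procid) for every
    suspicious child of WmiPrvSE.exe in the event list."""
    hits = []
    for cpid, cprocid, cimg, _ppid, pprocid, pimg in events:
        if image_name(pimg) == WMI_HOST and image_name(cimg) in SUSPICIOUS_CHILDREN:
            hits.append((cprocid, cpid, image_name(cimg), pprocid))
    return hits


def summarize(hits):
    """Collapse hits to {(parent_procid, child_image): count}; the 48 rows above
    reduce to the single entry {(30, 'schtasks.exe'): 48}."""
    return Counter((pprocid, cimg) for _, _, cimg, pprocid in hits)


if __name__ == "__main__":
    hits = find_unexpected_children(SAMPLE_EVENTS)
    for cprocid, cpid, cimg, pprocid in hits:
        print(f"procid {cprocid} (pid {cpid}) {cimg} <- wmiprvse.exe procid {pprocid}")
    for (pprocid, cimg), n in summarize(hits).items():
        print(f"{n} x {cimg} spawned by wmiprvse.exe procid {pprocid}")
```

Run against a real process-creation feed, the summary line is what goes into the alert; the per-hit list is what the analyst pivots on, and the WMI caveat above is why the parent's own command line and the WMI-Activity operational log are the next things to pull.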
Process (all rows): 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe

description | ioc | rows
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 9
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 9
resource | yara_rule
behavioral1/memory/2728-3-0x000000001B4F0000-0x000000001B61E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Process: powershell.exe
pid (12 rows): 2928, 2556, 2288, 2236, 2156, 2128, 520, 1384, 664, 852, 2364, 2144
Executes dropped EXE 8 IoCs

Process: 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
pid (8 rows): 3028, 620, 1576, 552, 1416, 1632, 2908, 2940
Process (all rows): 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe

description | ioc | rows
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9
Drops file in Program Files directory 24 IoCs

Process (all rows): 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe

description | ioc
File opened for modification | C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX85E2.tmp
File created | C:\Program Files (x86)\Windows NT\Accessories\de-DE\24dbde2999530e
File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\winlogon.exe
File created | C:\Program Files (x86)\Windows Media Player\Skins\0a1fd5f707cd16
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\de-DE\WmiPrvSE.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX7CD9.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\RCX811F.tmp
File opened for modification | C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe
File created | C:\Program Files (x86)\Windows Defender\services.exe
File created | C:\Program Files (x86)\Windows Defender\c5b4cb5e9653cc
File opened for modification | C:\Program Files (x86)\Windows Defender\services.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\de-DE\WmiPrvSE.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\lsass.exe
File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\cc11b995f2a76d
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\es-ES\RCX67FA.tmp
File opened for modification | C:\Program Files (x86)\Windows Media Player\Skins\RCX8805.tmp
File created | C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
File created | C:\Program Files\Microsoft Games\Purble Place\es-ES\57c267b0f476c4
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\6203df4a6bafc7
File created | C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\de-DE\RCX7AB6.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\lsass.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\Network Sharing\winlogon.exe
Drops file in Windows directory 12 IoCs

Process (all rows): 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe

description | ioc
File opened for modification | C:\Windows\Logs\DISM\taskhost.exe
File created | C:\Windows\Logs\DISM\b75386f1303e64
File opened for modification | C:\Windows\Logs\DISM\RCX6C5F.tmp
File created | C:\Windows\DigitalLocker\ja-JP\f3b6ecef712a24
File created | C:\Windows\en-US\Idle.exe
File created | C:\Windows\en-US\6ccacd8608530f
File opened for modification | C:\Windows\DigitalLocker\ja-JP\RCX7893.tmp
File opened for modification | C:\Windows\DigitalLocker\ja-JP\spoolsv.exe
File opened for modification | C:\Windows\en-US\RCX83BF.tmp
File created | C:\Windows\Logs\DISM\taskhost.exe
File created | C:\Windows\DigitalLocker\ja-JP\spoolsv.exe
File opened for modification | C:\Windows\en-US\Idle.exe
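
Every executable dropped under Program Files or Windows in the two tables above carries the name of a core Windows binary (winlogon.exe, lsass.exe, services.exe, sppsvc.exe, spoolsv.exe, taskhost.exe, WmiPrvSE.exe, Idle.exe) in a directory where that binary does not live, and each sits beside an extensionless file whose name is 14 lowercase hex characters. The classifier below, added here as an example rather than taken from the report or from DcRat, encodes both observations so they can be run over a file-creation feed; the table of legitimate directories and the two genuine-location control paths are assumptions I added.

```python
"""Spot system-binary names dropped outside their home directory, plus the
extensionless 14-hex-character companion files this sample writes beside them.

SAMPLE_PATHS mixes paths copied from the two tables above with two
CONSTRUCTED legitimate paths used as controls.
"""
import ntpath
import re

# Legitimate directories for the names this sample drops (assumed table); an
# empty set means no such image exists on disk at all: the "System Idle
# Process" has no Idle.exe behind it.
LEGIT_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "idle.exe": set(),
}
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")
SYSTEM_ROOTS = (r"c:\windows", r"c:\program files")  # prefix also covers "Program Files (x86)"

SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Windows Media Player\Network Sharing\winlogon.exe",
    r"C:\Program Files (x86)\Windows Media Player\Network Sharing\cc11b995f2a76d",
    r"C:\Program Files (x86)\Windows NT\Accessories\de-DE\WmiPrvSE.exe",
    r"C:\Program Files (x86)\Windows NT\Accessories\de-DE\24dbde2999530e",
    r"C:\Program Files (x86)\Windows Defender\services.exe",
    r"C:\Program Files (x86)\Windows Defender\c5b4cb5e9653cc",
    r"C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\lsass.exe",
    r"C:\Program Files\Microsoft Games\Purble Place\es-ES\57c267b0f476c4",
    r"C:\Windows\Logs\DISM\taskhost.exe",
    r"C:\Windows\DigitalLocker\ja-JP\spoolsv.exe",
    r"C:\Windows\en-US\Idle.exe",
    r"C:\Windows\en-US\6ccacd8608530f",
    r"C:\Windows\Logs\DISM\RCX6C5F.tmp",        # matches neither pattern
    r"C:\Windows\System32\wbem\WmiPrvSE.exe",    # constructed control: genuine location
    r"C:\Windows\System32\lsass.exe",            # constructed control: genuine location
]


def classify(path):
    """Return 'masquerade', 'marker' or None for one dropped-file path."""
    directory, name = ntpath.split(path)
    d, n = directory.lower(), name.lower()
    if n in LEGIT_DIRS and d not in LEGIT_DIRS[n]:
        return "masquerade"
    if MARKER_RE.match(n) and d.startswith(SYSTEM_ROOTS):
        return "marker"
    return None


def classify_dropped_files(paths):
    """Group unique paths by finding kind, preserving the report's order."""
    out = {"masquerade": [], "marker": []}
    for p in dict.fromkeys(paths):
        kind = classify(p)
        if kind:
            out[kind].append(p)
    return out


if __name__ == "__main__":
    for kind, found in classify_dropped_files(SAMPLE_PATHS).items():
        print(f"{kind} ({len(found)}):")
        for p in found:
            print("   ", p)
```

The name check is the high-confidence half: a file called lsass.exe anywhere but System32 has no benign explanation. The marker check is there to group findings, not to alert on its own, since a 14-hex-character name is only meaningful once a masquerading binary has been found in the same tree.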
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Process: schtasks.exe
pid (48 rows): 2320, 1816, 1972, 2512, 1476, 556, 2416, 664, 1160, 2468, 1768, 1056, 1656, 2028, 2600, 1240, 2124, 112, 572, 2368, 1396, 2040, 2080, 428, 2508, 940, 2020, 1292, 2480, 1596, 2732, 924, 1776, 360, 1788, 2584, 2024, 2184, 1728, 520, 2956, 1908, 1580, 1328, 3048, 2632, 2664, 2492
Suspicious behavior: EnumeratesProcesses 27 IoCs

pid | Process | rows
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 7
2156, 2236, 2128, 2144, 2556, 2364, 2928, 520, 1384, 664, 852, 2288 | powershell.exe | 12
3028, 620, 1576, 552, 1416, 1632, 2908, 2940 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 8
Suspicious use of AdjustPrivilegeToken 21 IoCs

description | pid | Process
Token: SeDebugPrivilege | 2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
Token: SeDebugPrivilege | 2156, 2236, 2128, 2144, 2556, 2364, 2928, 520, 1384, 664, 852, 2288 | powershell.exe
Token: SeDebugPrivilege | 3028, 620, 1576, 552, 1416, 1632, 2908, 2940 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
Suspicious use of WriteProcessMemory 64 IoCs

Each parent/child pair is logged three times; the listing stops at 64 rows, so the last pair appears once. Pairs are listed once here with their row count.

pid | Process | wrote to memory of (pid) | procid_target | rows
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2144 | 79 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2128 | 80 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2236 | 81 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2364 | 82 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 520 | 84 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2288 | 85 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2556 | 86 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 852 | 87 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2928 | 90 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 664 | 91 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 1384 | 93 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2156 | 94 | 3
2728 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 3032 | 99 | 3
3032 | cmd.exe | 1684 | 105 | 3
3032 | cmd.exe | 3028 | 106 | 3
3028 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2652 | 107 | 3
3028 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2464 | 108 | 3
2652 | WScript.exe | 620 | 109 | 3
620 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 3048 | 110 | 3
620 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2848 | 111 | 3
3048 | WScript.exe | 1576 | 112 | 3
1576 | 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe | 2352 | 113 | 1
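
The 64 rows above reduce to a single process tree: the sample (2728) launches 12 powershell.exe instances and a cmd.exe (3032); cmd.exe starts a dropped copy of the sample (3028), which runs WScript.exe (2652), which starts another copy (620), which runs WScript.exe (3048), which starts a third copy (1576). The script below, an added example and not part of the report, rebuilds that tree from the de-duplicated pairs and lists the sample generations on it. Child images come from the other tables on this page where they name the pid; children the report never names (1684, 2464, 2848, 2352) are shown as `?`, and `sample.exe` stands in for the long sample file name.

```python
"""Rebuild the process tree behind the WriteProcessMemory rows above.

WRITES is CONSTRUCTED from those rows, de-duplicated (the sandbox logged
each pair three times). IMAGES holds the child images the page's other
tables give for these pids; pids the report never names render as '?'.
"""
from collections import defaultdict

SAMPLE = "sample.exe"  # stand-in for 77dc34...N.exe
IMAGES = {
    2728: SAMPLE, 3032: "cmd.exe", 3028: SAMPLE, 2652: "WScript.exe",
    620: SAMPLE, 3048: "WScript.exe", 1576: SAMPLE,
    **{p: "powershell.exe" for p in (2144, 2128, 2236, 2364, 520, 2288,
                                      2556, 852, 2928, 664, 1384, 2156)},
}

# (parent_pid, child_pid, child_procid)
WRITES = [
    (2728, 2144, 79), (2728, 2128, 80), (2728, 2236, 81), (2728, 2364, 82),
    (2728, 520, 84), (2728, 2288, 85), (2728, 2556, 86), (2728, 852, 87),
    (2728, 2928, 90), (2728, 664, 91), (2728, 1384, 93), (2728, 2156, 94),
    (2728, 3032, 99),
    (3032, 1684, 105), (3032, 3028, 106),
    (3028, 2652, 107), (3028, 2464, 108),
    (2652, 620, 109),
    (620, 3048, 110), (620, 2848, 111),
    (3048, 1576, 112),
    (1576, 2352, 113),
]


def build_tree(writes):
    """Map parent pid -> child pids, in the order the report logged them."""
    children = defaultdict(list)
    for ppid, cpid, _procid in writes:
        children[ppid].append(cpid)
    return children


def render(children, root, images=IMAGES, depth=0):
    """Indented one-line-per-process view of the tree under root."""
    lines = [f"{'    ' * depth}{root} {images.get(root, '?')}"]
    for child in children.get(root, []):
        lines.extend(render(children, child, images, depth + 1))
    return lines


def sample_generations(children, root, images=IMAGES):
    """Pids of sample copies under root, in tree order: how many times the RAT
    re-executed itself through cmd.exe / WScript.exe hops."""
    found, stack = [], [root]
    while stack:
        pid = stack.pop()
        if images.get(pid) == SAMPLE:
            found.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return found


if __name__ == "__main__":
    tree = build_tree(WRITES)
    print("\n".join(render(tree, 2728)))
    print("sample generations:", sample_generations(tree, 2728))
```

The alternating copy/WScript.exe hops are the part worth keying on: the RAT never runs its next generation directly, so a rule that only looks one parent level up misses it, while a rule that walks the ancestry for the same image hash recurring under WScript.exe catches every generation.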
System policy modification 1 TTPs 27 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe (9 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe (9 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe (9 occurrences)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe "C:\Users\Admin\AppData\Local\Temp\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2728
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:664
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
  C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhBZ49x50.bat"
  - Suspicious use of WriteProcessMemory
  PID:3032
    C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:1684
    C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3028
      C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cf55efb-0e91-4b71-98f9-05109ee922eb.vbs"
      - Suspicious use of WriteProcessMemory
      PID:2652
        C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:620
          C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\deff6f75-f45d-4d34-9bba-f06a9e7df8bc.vbs"
          - Suspicious use of WriteProcessMemory
          PID:3048
            C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
            - UAC bypass
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID:1576
              C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b104d9-e253-4b42-b42e-e5090ad57cac.vbs"
              PID:2352
                C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                - UAC bypass
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - System policy modification
                PID:552
                  C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87d1419a-a200-4d3e-92c5-640ba1ec601d.vbs"
                  PID:924
                    C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                    - UAC bypass
                    - Executes dropped EXE
                    - Checks whether UAC is enabled
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - System policy modification
                    PID:1416
                      C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e36fb4c-7569-4b84-94de-71be27ae3725.vbs"
                      PID:2936
                        C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                        - UAC bypass
                        - Executes dropped EXE
                        - Checks whether UAC is enabled
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        - System policy modification
                        PID:1632
                          C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d691490d-96dd-4495-922c-fdb6c432e31a.vbs"
                          PID:2124
                            C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                            - UAC bypass
                            - Executes dropped EXE
                            - Checks whether UAC is enabled
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious use of AdjustPrivilegeToken
                            - System policy modification
                            PID:2908
                              C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9463ab25-8e6c-4089-a669-f4de3451a852.vbs"
                              PID:1548
                                C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                                - UAC bypass
                                - Executes dropped EXE
                                - Checks whether UAC is enabled
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                - System policy modification
                                PID:2940
                                  C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e3562cb-13b9-49bb-bedf-6f36715a3692.vbs"
                                  PID:1672
                                  C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6b01d28-74e0-43ec-ac44-6cd42b7012c9.vbs"
                                  PID:2000
                              C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d99d1eac-bc03-4288-8ab1-69b5b97481e6.vbs"
                              PID:2404
                          C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a6d866c-06ca-4cfc-862c-09fda5fdce60.vbs"
                          PID:2468
                      C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c4a3163-a875-4128-ac05-284182cda200.vbs"
                      PID:2316
                  C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89e421d0-3a25-4cba-8b91-e33282f358a5.vbs"
                  PID:852
              C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a29bec6-3f81-4320-8d99-a6fda73ab1bc.vbs"
              PID:2356
          C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60ab0e79-b3c8-4a2d-acca-971022ce81eb.vbs"
          PID:2848
      C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1a4fd2c-6e7b-4721-8173-d36979ccd80f.vbs"
      PID:2464
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N7" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N7" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\DISM\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DISM\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\ja-JP\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\ja-JP\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:360
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads