Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 25-11-2024 12:51

Static task: static1
Behavioral task: behavioral1
Sample: 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Resource: win7-20240903-en

General

Target: 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Size: 4.9MB
MD5: d6c32cc92aff05247e665fec5d1ca5ed
SHA1: 864e040db2c99477669bbe45261d8d93ebdba021
SHA256: 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00
SHA512: b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96
SSDEEP: 49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:2

Malware Config
Signatures

DcRat 48 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description / ioc / pid / Process
  schtasks.exe, 42 PIDs: 1320, 2656, 1724, 1208, 1832, 2968, 2808, 2972, 1924, 1704, 2292, 2252, 280, 980, 2160, 1488, 2712, 2860, 2664, 2508, 1152, 2560, 2432, 1280, 2792, 2288, 1556, 3016, 2924, 1288, 2780, 2640, 1436, 2604, 2720, 2856, 2044, 852, 664, 1676, 2600, 2612
  File created: C:\Windows\Prefetch\ReadyBoot\886983d96e3d3e  (16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe)
  File created: C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\48644afaaf39c9  (16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe)
  File created: C:\Program Files\Windows Mail\en-US\f3b6ecef712a24  (16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe)
  File created: C:\Program Files (x86)\Microsoft Visual Studio 8\b75386f1303e64  (16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe)
  File created: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\101b941d020240  (16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe)
Dcrat family

Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description / pid / pid_target / Process / procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target: 2804, Process: schtasks.exe, procid_target: 31 (identical for all 42 rows)
  pid: 2712, 2656, 2560, 2664, 2600, 1924, 1724, 2860, 2720, 2924, 3016, 1280, 2604, 2640, 2288, 2432, 2792, 2292, 664, 2808, 2856, 1488, 1436, 1676, 1556, 2972, 1704, 2252, 1208, 1832, 1320, 2508, 2044, 852, 980, 2612, 1288, 1152, 280, 2160, 2780, 2968
description / ioc / Process (distinct rows; the table repeats each of them many times)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  System.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  System.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  System.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
resource: behavioral1/memory/2672-3-0x000000001B440000-0x000000001B56E000-memory.dmp  yara_rule: dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process
  powershell.exe, 24 PIDs: 1720, 1624, 564, 2720, 2884, 1684, 1648, 1596, 1604, 1756, 2800, 2904, 2932, 2768, 600, 2952, 1876, 924, 2360, 1616, 1844, 1120, 1488, 2880

Executes dropped EXE 13 IoCs
pid / Process
  1000  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  System.exe, 12 PIDs: 1668, 2808, 812, 1520, 1472, 2912, 2200, 1756, 1480, 2076, 1908, 1004

description / ioc / Process (distinct rows; the table repeats each of them many times)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  System.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  System.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

Drops file in Program Files directory 19 IoCs
description / ioc / Process (all rows: 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe)
  File opened for modification  C:\Program Files\Windows Mail\en-US\RCXFD5A.tmp
  File opened for modification  C:\Program Files\Windows Mail\en-US\spoolsv.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\RCX162.tmp
  File created                  C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe
  File created                  C:\Program Files (x86)\Microsoft Visual Studio 8\b75386f1303e64
  File created                  C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\48644afaaf39c9
  File created                  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\101b941d020240
  File opened for modification  C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe
  File created                  C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe
  File created                  C:\Program Files\Windows Mail\en-US\spoolsv.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\RCXF143.tmp
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\RCXF953.tmp
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\lsm.exe
  File created                  C:\Program Files\Windows Mail\en-US\f3b6ecef712a24
  File created                  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\lsm.exe
  File created                  C:\Program Files (x86)\Windows Defender\ja-JP\69ddcba757bf72

Drops file in Windows directory 7 IoCs
description / ioc / Process (all rows: 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe)
  File created                  C:\Windows\Prefetch\ReadyBoot\csrss.exe
  File created                  C:\Windows\Prefetch\ReadyBoot\886983d96e3d3e
  File opened for modification  C:\Windows\Prefetch\ReadyBoot\RCXF346.tmp
  File opened for modification  C:\Windows\Prefetch\ReadyBoot\csrss.exe
  File created                  C:\Windows\system\System.exe
  File created                  C:\Windows\system\27d1bcfc3c54e0
  File opened for modification  C:\Windows\system\System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
  schtasks.exe, 42 PIDs: 2604, 2288, 2508, 2612, 280, 2560, 2664, 2860, 852, 2160, 2720, 1280, 2640, 2972, 980, 1924, 2924, 1488, 1288, 2780, 1556, 2252, 1208, 2808, 1436, 1832, 2292, 1152, 2432, 2792, 2856, 1676, 2656, 1724, 3016, 1704, 1320, 2044, 2968, 2712, 2600, 664

Suspicious behavior: EnumeratesProcesses 40 IoCs
pid / Process
  2672  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  powershell.exe: 1120, 1684, 1596, 1720, 1604, 2952, 1616, 1648, 1844, 1624, 564, 600
  1000  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe (listed three times)
  powershell.exe: 2932, 2800, 2884, 1876, 2880, 2360, 2720, 1756, 1488, 924, 2904, 2768
  System.exe: 1668, 2808, 812, 1520, 1472, 2912, 2200, 1756, 1480, 2076, 1908, 1004

Suspicious use of AdjustPrivilegeToken 38 IoCs
description / pid / Process (all rows: Token: SeDebugPrivilege)
  2672  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  powershell.exe: 1120, 1684, 1596, 1720, 1604, 2952, 1616, 1648, 1844, 1624, 564, 600
  1000  16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  powershell.exe: 2932, 2800, 2884, 1876, 2880, 2360, 2720, 1756, 1488, 924, 2904, 2768
  System.exe: 1668, 2808, 812, 1520, 1472, 2912, 2200, 1756, 1480, 2076, 1908, 1004

Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (Process is 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe in every row; each row is recorded three times unless noted)
  PID 2672 wrote to memory of 1684   procid_target 59
  PID 2672 wrote to memory of 1648   procid_target 60
  PID 2672 wrote to memory of 1720   procid_target 61
  PID 2672 wrote to memory of 1624   procid_target 62
  PID 2672 wrote to memory of 1596   procid_target 63
  PID 2672 wrote to memory of 1616   procid_target 64
  PID 2672 wrote to memory of 1604   procid_target 65
  PID 2672 wrote to memory of 1844   procid_target 66
  PID 2672 wrote to memory of 1120   procid_target 67
  PID 2672 wrote to memory of 600    procid_target 68
  PID 2672 wrote to memory of 2952   procid_target 69
  PID 2672 wrote to memory of 564    procid_target 70
  PID 2672 wrote to memory of 1000   procid_target 83
  PID 1000 wrote to memory of 1756   procid_target 99
  PID 1000 wrote to memory of 1876   procid_target 100
  PID 1000 wrote to memory of 2880   procid_target 101
  PID 1000 wrote to memory of 2884   procid_target 102
  PID 1000 wrote to memory of 2360   procid_target 104
  PID 1000 wrote to memory of 2768   procid_target 105
  PID 1000 wrote to memory of 2932   procid_target 107
  PID 1000 wrote to memory of 2800   procid_target 109
  PID 1000 wrote to memory of 2720   procid_target 110 (recorded once)

System policy modification 1 TTPs 42 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"
  - DcRat
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2672

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1684

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1648

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1720

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1624

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1596

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1616

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1604

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1844

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1120

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 600

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2952

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 564

depth 2: C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1000
depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1756

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1876

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2880

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2884

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2360

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2768

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2932

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2800

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2720

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1488

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 924

depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2904

depth 3: C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zseo6rLH0D.bat"
  PID: 348

depth 4: C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 996

depth 4: C:\Windows\system\System.exe
  cmdline: "C:\Windows\system\System.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1668
depth 5: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d964f881-43c7-4e1e-9d3d-6d416a322991.vbs"
  PID: 2968

depth 6: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 2808

depth 7: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b82b552-8929-4464-a7f2-05f79c5e87d7.vbs"
  PID: 2908

depth 8: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 812

depth 9: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3374cd-9d99-4fca-b19b-c3040f5f7323.vbs"
  PID: 1924

depth 10: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1520

depth 11: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9016b773-8dac-4084-9f7b-36ccae39f18f.vbs"
  PID: 832

depth 12: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1472

depth 13: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5c96c5c-b6f5-422f-81dc-7609fe4006ce.vbs"
  PID: 1236

depth 14: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 2912

depth 15: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d79e3463-723a-42bf-8a09-7a72c8ee771c.vbs"
  PID: 2528

depth 16: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 2200

depth 17: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\615da95f-f0a6-44f1-818e-c7940c037c5a.vbs"
  PID: 2960

depth 18: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1756

depth 19: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcd2c6cd-1c47-4e0d-90fa-4cfdbb9c92a3.vbs"
  PID: 1428

depth 20: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1480

depth 21: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b7ef1e7-6829-4a70-8a01-0731db8fcaec.vbs"
  PID: 1408

depth 22: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 2076

depth 23: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bef9a72-5224-4907-86eb-2abcb3c387da.vbs"
  PID: 1508

depth 24: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1908

depth 25: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca0a575-c099-4431-9fed-8c0572abb7ca.vbs"
  PID: 1172

depth 26: C:\Windows\system\System.exe
  cmdline: C:\Windows\system\System.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1004

depth 27: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90423d8e-7225-45d4-98ea-05435d97a731.vbs"
  PID: 2216

depth 27: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66ac1c5e-26b6-4754-bb50-3afd81f3e3a9.vbs"
  PID: 1520

depth 25: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2558fc9-7ea6-4676-b752-67a0340e09dd.vbs"
  PID: 2340

depth 23: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d195a985-2102-4ede-8a4a-c311ae03f60e.vbs"
  PID: 1212

depth 21: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa8fc0df-d739-422b-ad79-fabf6fdaa8c0.vbs"
  PID: 1176

depth 19: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8402ffd3-29eb-4354-8fa6-4fe67ca8eb1b.vbs"
  PID: 328

depth 17: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56bddca7-0a4c-4497-bf5a-2307cbba1a88.vbs"
  PID: 1648

depth 15: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\239e3e40-870d-423e-aa8e-af18ff8c3be6.vbs"
  PID: 2396

depth 13: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278cfcee-9ff2-4605-b307-85eca6330a24.vbs"
  PID: 2612

depth 11: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b12fcb2-274b-4932-9ce5-cf531c70a3e3.vbs"
  PID: 904

depth 9: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\267fef69-9f61-43f3-81a7-88054fd3eb85.vbs"
  PID: 956

depth 7: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59f00af7-d24b-49fd-b5d5-47bf5511d8fc.vbs"
  PID: 1300

depth 5: C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20228fc4-6781-4e22-98f1-8680358c9330.vbs"
  PID: 1084
depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2712

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2656

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2560

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2664

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2600

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1924

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1724

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2860

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2720

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2924

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3016

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1280

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f001" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2604

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2640

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f001" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2288

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2432

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2792

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2292

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 664

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2856

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2808

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1488

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1436

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1676

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\lsm.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1556

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\lsm.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2972

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\lsm.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1704

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2252

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1208

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1832

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1320

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2508

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2044

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 852

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 980

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2612

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1288

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1152

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 280

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\system\System.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2160

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\system\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2780

depth 1: C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\system\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2968
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Filesize 4.9MB
MD5 d6c32cc92aff05247e665fec5d1ca5ed
SHA1 864e040db2c99477669bbe45261d8d93ebdba021
SHA256 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00
SHA512 b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96
-
Filesize 480B
MD5 c11a2cf2d5748e26333b33e37d192bed
SHA1 37f19a87edb0a236dbb0cfe33adc04e88f518507
SHA256 a6de142c5714b9b3963e7f7e7220911e4999cb703641c7382c7b0a12a1965288
SHA512 3f5cf295a540344344ba7b46c8dd87ba19d1edbde037472e461fa18ddc07d80e63adaf13d7d378e7e9d9b1370ccd7b9966f3689100fc2cdf4d5c945f92baad2c
-
Filesize 704B
MD5 1527a951113213e35166d93616b9b266
SHA1 4f0bd3dd05131d5a50aa78179bcc26d71ea10c56
SHA256 824ec3326221b604a03de51a54d2d583e5b8cf428f93f14cf980322b0f06e9b3
SHA512 551dae181274c9793b94d42a465c0082b19d183999592a38f8348495474977cf25df9f32a7d84b553a364ada77719d613518d4d62ca59f50715dd7bdb6919f65
-
Filesize 704B
MD5 52a93e2c4f1847566d50f4807f80cecf
SHA1 0a2e0b43e1d6ecb5432e6c17af125731a87c04c2
SHA256 c39ed50d7a8511db80d3353e0bf9cf33bc777a8dc421199e4779cce2bf9978fc
SHA512 86bde4abe0521a49be7d36408b94c650a66f0329314776c40165902a198e6a8202fbd0910e4f229619dcecd028e383b6e7265f1c58200cbeb7a207575e209714
-
Filesize 704B
MD5 9aeac4d0d31630b544d7ff67d8e56344
SHA1 fb77664f8123cf7a0fb738aa4799870eb9af505b
SHA256 e8e2ade9246f45d2796c7b3f5d7171ed263229e7adbc37a43603269a36340d54
SHA512 0a2b39813afee2a91a71cfdd610219bc85325c04c34ffd778cae20864b02254e07ef20ff3d8cff84b4433a23449dc596d9b06e80cbf4f859283b784d28db9213
-
Filesize 703B
MD5 afdafe86756f82e77f75d430764f963f
SHA1 7160d49ec20fd00d9371f7f316105db97c1a7621
SHA256 c29bb08155259533ea58a611119b49aa21cbae5e83307348c945763a4a64c357
SHA512 ad89b2dae3651db5ae4c57aeeacc02d93778f527c26d56bfb898588e426a34b9e4e62e3050e01d2b10899908603763612bbfbd00d87d7af9f3920e677ca752bc
-
Filesize 704B
MD5 ac91d37f2257d2446fb71206bde6cb48
SHA1 74facf62a3b0bd2c28476f9ac95c198bc2a2eef8
SHA256 20a37eaf4c1907af62280ac54fa61c9059c22eab0ede5117f09b4481182d2e6f
SHA512 1cac4caa29099613142008bddeb6467d103501db88f6cea03dc7b5493b47930f9ec6de708e0fe04d288fac254471bebd51985ff22d6795cd3d90ed69215615b6
-
Filesize 704B
MD5 84a8e9912076e4b98a352a90b3cc24f4
SHA1 2777aed06ac94fbe03dddfd261ac60effe7fe4b5
SHA256 06689cedf020ba37cd6aed05bc9026dec44a03cb34e4cafefd78a30b7d7af3f8
SHA512 ad692aeca547adae4a8fa8435664014a8c2ee20a7f7aaf9c9092e254ddc7d5311f155581d32f69d77a6dc3a650f2fc0d2e3a10d2c4f4a594db8cf3238ca1769b
-
Filesize 704B
MD5 0f82d3ecfcb94695910b58b0c72cb664
SHA1 7e612260d370742b1a20a3b125b5c806d52561f3
SHA256 a504356cd4db9e015c034c9b1cfa19bbc89423879d03f3c432627e403043ee0c
SHA512 ef49cebce988b3d41f1fc622dee522f3e28b9d2b9ff6e9c9ed9d0d00b0bd473775292f8a63a9c2fa51441841054417c6888080df4536d0d38176e5c8902d69f3
-
Filesize 704B
MD5 11a220ed8d6dd101a154344d0fcad3b1
SHA1 77cb09e47f4a22ea96159c703cb3e90e81f7aa2a
SHA256 3b30b4381c7f5850a256bfd6566441a4d1357263c1fa262e3a4327f19b75e514
SHA512 3d70da94899c97a47614701a99ab7f98b31db062c99a49aa98cb5705eb26cc2b8cfaa9fc54c7ee57ece95fc4389b9978ec4a5a298480ddb8c13080648a53c4ed
-
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize 193B
MD5 3e3dd542a5016e66ca4c098ea93a1fcc
SHA1 a515a8de7dc3ebb8f8f03b9c053eecb93c15793c
SHA256 4a500988e2e85294f603fdfa84bdd309b4f614fd43c70f5298a7bd40a8c233da
SHA512 54969334ce745ac49b2b00f44b6d39b0c3197e968e153311e7d2cc461068be33881afc830ddd9257f926e5fd35a652896301e6591dd89c4dda60cd08ebdeb8c3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 d6dafa34c562c157d8179d04894e77ab
SHA1 f3f571d0531c2baa2abb0b382e639fa7f7834713
SHA256 f96e0761b37b28c78d804f4e4aeccf5b6802126cb00b80ec9bf207431c7dc0a6
SHA512 94db6281b7bf90f2033514556ab48c2c9a7f2849ea841b1f9773be533718d86e629a7014ddddaa7517c09a668e962fc974b603829367fe8fa314a97de19a582a