Analysis
max time kernel: 119s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 03-12-2024 00:20
Static task: static1
Behavioral task: behavioral1
Sample: 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Resource: win7-20240903-en
General
Target: 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Size: 4.9MB
MD5: 613c17af7e79ea0696b12a8d2a4b99e0
SHA1: 3c1fa83f993484fffb9def759879c320750d8ddc
SHA256: 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003
SHA512: 3ccc372ca5dc7ca97f6050ae8b42c3b0d839bda5c8237b256a443e9246fa0fc36d256d6ae5b001d298f5e9253a98f68edce0c652d2a9f85bc7af542c00c52f15
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
Colibri family
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1960 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3984 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2164 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4536 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3940 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3364 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1924 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1244 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1008 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1076 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1292 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 916 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2080 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1116 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3448 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3808 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4656 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1220 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3468 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3440 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4636 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 544 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1864 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4060 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4108 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1872 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4448 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4420 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4424 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 964 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 860 | 3592 | schtasks.exe | 81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2360 | 3592 | schtasks.exe | 81
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
resource | yara_rule
behavioral2/memory/3336-3-0x000000001B910000-0x000000001BA3E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1408 | powershell.exe
3088 | powershell.exe
2008 | powershell.exe
4364 | powershell.exe
4864 | powershell.exe
1912 | powershell.exe
2228 | powershell.exe
4920 | powershell.exe
2156 | powershell.exe
4500 | powershell.exe
4356 | powershell.exe
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Executes dropped EXE 35 IoCs
pid | Process
1784 | tmpBB34.tmp.exe
4700 | tmpBB34.tmp.exe
2272 | lsass.exe
4356 | lsass.exe
3864 | tmp1B43.tmp.exe
544 | tmp1B43.tmp.exe
4368 | lsass.exe
1332 | tmp4BE9.tmp.exe
3820 | tmp4BE9.tmp.exe
1244 | tmp4BE9.tmp.exe
3144 | lsass.exe
4780 | tmp7C11.tmp.exe
3740 | tmp7C11.tmp.exe
5116 | tmp7C11.tmp.exe
5048 | lsass.exe
1592 | tmpACE5.tmp.exe
2316 | tmpACE5.tmp.exe
3796 | lsass.exe
5076 | tmpCA02.tmp.exe
4708 | tmpCA02.tmp.exe
1056 | lsass.exe
1116 | tmpFD37.tmp.exe
4728 | tmpFD37.tmp.exe
3532 | tmpFD37.tmp.exe
3720 | tmpFD37.tmp.exe
4992 | lsass.exe
544 | tmp1BCB.tmp.exe
2832 | tmp1BCB.tmp.exe
4320 | lsass.exe
2308 | tmp4B57.tmp.exe
1900 | tmp4B57.tmp.exe
264 | lsass.exe
5068 | tmp67B9.tmp.exe
3408 | tmp67B9.tmp.exe
456 | lsass.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Suspicious use of SetThreadContext 10 IoCs
description | pid | Process | procid_target
PID 1784 set thread context of 4700 | 1784 | tmpBB34.tmp.exe | 130
PID 3864 set thread context of 544 | 3864 | tmp1B43.tmp.exe | 170
PID 3820 set thread context of 1244 | 3820 | tmp4BE9.tmp.exe | 179
PID 3740 set thread context of 5116 | 3740 | tmp7C11.tmp.exe | 186
PID 1592 set thread context of 2316 | 1592 | tmpACE5.tmp.exe | 192
PID 5076 set thread context of 4708 | 5076 | tmpCA02.tmp.exe | 198
PID 3532 set thread context of 3720 | 3532 | tmpFD37.tmp.exe | 206
PID 544 set thread context of 2832 | 544 | tmp1BCB.tmp.exe | 212
PID 2308 set thread context of 1900 | 2308 | tmp4B57.tmp.exe | 218
PID 5068 set thread context of 3408 | 5068 | tmp67B9.tmp.exe | 224
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File created | C:\Program Files\Uninstall Information\5b884080fd4f94 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Program Files\Windows Mail\taskhostw.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Program Files\Windows NT\Accessories\de-DE\upfc.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Program Files\Uninstall Information\fontdrvhost.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Program Files\Windows NT\Accessories\de-DE\RCXD0D9.tmp | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Program Files\Uninstall Information\fontdrvhost.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Program Files\Windows Mail\ea9f0e6c9e2dcd | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Program Files\Windows NT\Accessories\de-DE\ea1d8f6d871115 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Program Files\Uninstall Information\RCXC20E.tmp | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Program Files\Windows Mail\RCXCABC.tmp | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Program Files\Windows Mail\taskhostw.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Program Files\Windows NT\Accessories\de-DE\upfc.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\apppatch\fr-FR\RCXC6A4.tmp | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Windows\apppatch\fr-FR\fontdrvhost.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Windows\bcastdvr\TextInputHost.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Windows\DiagTrack\Settings\0a1fd5f707cd16 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Windows\bcastdvr\TextInputHost.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Windows\apppatch\fr-FR\5b884080fd4f94 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Windows\bcastdvr\RCXBDF5.tmp | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Windows\DiagTrack\Settings\RCXC48F.tmp | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification | C:\Windows\DiagTrack\Settings\sppsvc.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Windows\bcastdvr\22eafd247d37c3 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Windows\DiagTrack\Settings\sppsvc.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created | C:\Windows\apppatch\fr-FR\fontdrvhost.exe | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp4BE9.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpACE5.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpCA02.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpFD37.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp4B57.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7C11.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7C11.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpFD37.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp1BCB.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpBB34.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp1B43.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp4BE9.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpFD37.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp67B9.tmp.exe
Modifies registry class 12 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | lsass.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
860 | schtasks.exe
3984 | schtasks.exe
3940 | schtasks.exe
3448 | schtasks.exe
4448 | schtasks.exe
1116 | schtasks.exe
8 | schtasks.exe
4656 | schtasks.exe
2748 | schtasks.exe
3364 | schtasks.exe
2260 | schtasks.exe
1076 | schtasks.exe
2104 | schtasks.exe
964 | schtasks.exe
4636 | schtasks.exe
1956 | schtasks.exe
2816 | schtasks.exe
2360 | schtasks.exe
2316 | schtasks.exe
2080 | schtasks.exe
1220 | schtasks.exe
3440 | schtasks.exe
1864 | schtasks.exe
2164 | schtasks.exe
1244 | schtasks.exe
916 | schtasks.exe
3808 | schtasks.exe
3468 | schtasks.exe
4420 | schtasks.exe
4424 | schtasks.exe
4536 | schtasks.exe
2088 | schtasks.exe
3016 | schtasks.exe
2432 | schtasks.exe
1924 | schtasks.exe
1900 | schtasks.exe
2444 | schtasks.exe
4108 | schtasks.exe
1872 | schtasks.exe
544 | schtasks.exe
4060 | schtasks.exe
1960 | schtasks.exe
1008 | schtasks.exe
1292 | schtasks.exe
1964 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid | Process
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
1912 | powershell.exe
1912 | powershell.exe
3088 | powershell.exe
3088 | powershell.exe
4364 | powershell.exe
4364 | powershell.exe
4356 | powershell.exe
4356 | powershell.exe
4864 | powershell.exe
4864 | powershell.exe
2156 | powershell.exe
2156 | powershell.exe
4500 | powershell.exe
4500 | powershell.exe
1408 | powershell.exe
1408 | powershell.exe
4920 | powershell.exe
4920 | powershell.exe
2008 | powershell.exe
2008 | powershell.exe
4356 | powershell.exe
2008 | powershell.exe
1912 | powershell.exe
1912 | powershell.exe
3088 | powershell.exe
2156 | powershell.exe
4364 | powershell.exe
1408 | powershell.exe
4500 | powershell.exe
4864 | powershell.exe
4920 | powershell.exe
2272 | lsass.exe
4356 | lsass.exe
4368 | lsass.exe
3144 | lsass.exe
5048 | lsass.exe
3796 | lsass.exe
1056 | lsass.exe
4992 | lsass.exe
4320 | lsass.exe
264 | lsass.exe
456 | lsass.exe
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Token: SeDebugPrivilege | 1912 | powershell.exe
Token: SeDebugPrivilege | 3088 | powershell.exe
Token: SeDebugPrivilege | 4364 | powershell.exe
Token: SeDebugPrivilege | 2156 | powershell.exe
Token: SeDebugPrivilege | 4356 | powershell.exe
Token: SeDebugPrivilege | 4864 | powershell.exe
Token: SeDebugPrivilege | 4500 | powershell.exe
Token: SeDebugPrivilege | 1408 | powershell.exe
Token: SeDebugPrivilege | 4920 | powershell.exe
Token: SeDebugPrivilege | 2008 | powershell.exe
Token: SeDebugPrivilege | 2272 | lsass.exe
Token: SeDebugPrivilege | 4356 | lsass.exe
Token: SeDebugPrivilege | 4368 | lsass.exe
Token: SeDebugPrivilege | 3144 | lsass.exe
Token: SeDebugPrivilege | 5048 | lsass.exe
Token: SeDebugPrivilege | 3796 | lsass.exe
Token: SeDebugPrivilege | 1056 | lsass.exe
Token: SeDebugPrivilege | 4992 | lsass.exe
Token: SeDebugPrivilege | 4320 | lsass.exe
Token: SeDebugPrivilege | 264 | lsass.exe
Token: SeDebugPrivilege | 456 | lsass.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3336 wrote to memory of 1784 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 128
PID 3336 wrote to memory of 1784 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 128
PID 3336 wrote to memory of 1784 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 128
PID 1784 wrote to memory of 4700 | 1784 | tmpBB34.tmp.exe | 130
PID 1784 wrote to memory of 4700 | 1784 | tmpBB34.tmp.exe | 130
PID 1784 wrote to memory of 4700 | 1784 | tmpBB34.tmp.exe | 130
PID 1784 wrote to memory of 4700 | 1784 | tmpBB34.tmp.exe | 130
PID 1784 wrote to memory of 4700 | 1784 | tmpBB34.tmp.exe | 130
PID 1784 wrote to memory of 4700 | 1784 | tmpBB34.tmp.exe | 130
PID 1784 wrote to memory of 4700 | 1784 | tmpBB34.tmp.exe | 130
PID 3336 wrote to memory of 2008 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 133
PID 3336 wrote to memory of 2008 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 133
PID 3336 wrote to memory of 3088 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 134
PID 3336 wrote to memory of 3088 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 134
PID 3336 wrote to memory of 2228 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 135
PID 3336 wrote to memory of 2228 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 135
PID 3336 wrote to memory of 4364 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 136
PID 3336 wrote to memory of 4364 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 136
PID 3336 wrote to memory of 4356 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 137
PID 3336 wrote to memory of 4356 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 137
PID 3336 wrote to memory of 1408 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 138
PID 3336 wrote to memory of 1408 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 138
PID 3336 wrote to memory of 4500 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 141
PID 3336 wrote to memory of 4500 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 141
PID 3336 wrote to memory of 2156 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 142
PID 3336 wrote to memory of 2156 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 142
PID 3336 wrote to memory of 4920 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 144
PID 3336 wrote to memory of 4920 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 144
PID 3336 wrote to memory of 1912 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 145
PID 3336 wrote to memory of 1912 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 145
PID 3336 wrote to memory of 4864 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 146
PID 3336 wrote to memory of 4864 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 146
PID 3336 wrote to memory of 3156 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 154
PID 3336 wrote to memory of 3156 | 3336 | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe | 154
PID 3156 wrote to memory of 4112 | 3156 | cmd.exe | 157
PID 3156 wrote to memory of 4112 | 3156 | cmd.exe | 157
PID 3156 wrote to memory of 2272 | 3156 | cmd.exe | 160
PID 3156 wrote to memory of 2272 | 3156 | cmd.exe | 160
PID 2272 wrote to memory of 2736 | 2272 | lsass.exe | 161
PID 2272 wrote to memory of 2736 | 2272 | lsass.exe | 161
PID 2272 wrote to memory of 4100 | 2272 | lsass.exe | 162
PID 2272 wrote to memory of 4100 | 2272 | lsass.exe | 162
PID 2736 wrote to memory of 4356 | 2736 | WScript.exe | 165
PID 2736 wrote to memory of 4356 | 2736 | WScript.exe | 165
PID 4356 wrote to memory of 348 | 4356 | lsass.exe | 166
PID 4356 wrote to memory of 348 | 4356 | lsass.exe | 166
PID 4356 wrote to memory of 2096 | 4356 | lsass.exe | 167
PID 4356 wrote to memory of 2096 | 4356 | lsass.exe | 167
PID 4356 wrote to memory of 3864 | 4356 | lsass.exe | 168
PID 4356 wrote to memory of 3864 | 4356 | lsass.exe | 168
PID 4356 wrote to memory of 3864 | 4356 | lsass.exe | 168
PID 3864 wrote to memory of 544 | 3864 | tmp1B43.tmp.exe | 170
PID 3864 wrote to memory of 544 | 3864 | tmp1B43.tmp.exe | 170
PID 3864 wrote to memory of 544 | 3864 | tmp1B43.tmp.exe | 170
PID 3864 wrote to memory of 544 | 3864 | tmp1B43.tmp.exe | 170
PID 3864 wrote to memory of 544 | 3864 | tmp1B43.tmp.exe | 170
PID 3864 wrote to memory of 544 | 3864 | tmp1B43.tmp.exe | 170
PID 3864 wrote to memory of 544 | 3864 | tmp1B43.tmp.exe | 170
PID 348 wrote to memory of 4368 | 348 | WScript.exe | 172
PID 348 wrote to memory of 4368 | 348 | WScript.exe | 172
PID 4368 wrote to memory of 3376 | 4368 | lsass.exe | 174
PID 4368 wrote to memory of 3376 | 4368 | lsass.exe | 174
PID 4368 wrote to memory of 1424 | 4368 | lsass.exe | 175
PID 4368 wrote to memory of 1424 | 4368 | lsass.exe | 175
System policy modification 1 TTPs 36 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3336
  2⤵ C:\Users\Admin\AppData\Local\Temp\tmpBB34.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpBB34.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
    3⤵ C:\Users\Admin\AppData\Local\Temp\tmpBB34.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBB34.tmp.exe"
      - Executes dropped EXE
      PID:4700
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Command and Scripting Interpreter: PowerShell
    PID:2228
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
  2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
  2⤵ C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ea0WjfTxms.bat"
    - Suspicious use of WriteProcessMemory
    PID:3156
    3⤵ C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID:4112
    3⤵ C:\Recovery\WindowsRE\lsass.exe
      "C:\Recovery\WindowsRE\lsass.exe"
      - UAC bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:2272
      4⤵ C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735e11f6-66fb-4bff-a033-7547699e771a.vbs"
        - Suspicious use of WriteProcessMemory
        PID:2736
        5⤵ C:\Recovery\WindowsRE\lsass.exe
          C:\Recovery\WindowsRE\lsass.exe
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID:4356
          6⤵ C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d294a61-6e22-47e1-b804-0a1cabd4ba5d.vbs"
            - Suspicious use of WriteProcessMemory
            PID:348
            7⤵ C:\Recovery\WindowsRE\lsass.exe
              C:\Recovery\WindowsRE\lsass.exe
              - UAC bypass
              - Checks computer location settings
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID:4368
              8⤵ C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d2a3620-5b96-47e8-b1c5-1f51cce7d551.vbs"
                PID:3376
                9⤵ C:\Recovery\WindowsRE\lsass.exe
                  C:\Recovery\WindowsRE\lsass.exe
                  - UAC bypass
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - System policy modification
                  PID:3144
                  10⤵ C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de05ee62-26b6-49fa-99a1-107ccb2716bc.vbs"
                    PID:1344
                    11⤵ C:\Recovery\WindowsRE\lsass.exe
                      C:\Recovery\WindowsRE\lsass.exe
                      - UAC bypass
                      - Checks computer location settings
                      - Executes dropped EXE
                      - Checks whether UAC is enabled
                      - Modifies registry class
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      - System policy modification
                      PID:5048
                      12⤵ C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\362eddf0-7a99-4455-a0c3-f3d71693446a.vbs"
                        PID:3112
                        13⤵ C:\Recovery\WindowsRE\lsass.exe
                          C:\Recovery\WindowsRE\lsass.exe
                          - UAC bypass
                          - Checks computer location settings
                          - Executes dropped EXE
                          - Checks whether UAC is enabled
                          - Modifies registry class
                          - Suspicious behavior: EnumeratesProcesses
                          - Suspicious use of AdjustPrivilegeToken
                          - System policy modification
                          PID:3796
                          14⤵ C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c899c4d6-41dc-4516-b5f1-51341737afa7.vbs"
                            PID:1016
                            15⤵ C:\Recovery\WindowsRE\lsass.exe
                              C:\Recovery\WindowsRE\lsass.exe
                              - UAC bypass
                              - Checks computer location settings
                              - Executes dropped EXE
                              - Checks whether UAC is enabled
                              - Modifies registry class
                              - Suspicious behavior: EnumeratesProcesses
                              - Suspicious use of AdjustPrivilegeToken
                              - System policy modification
                              PID:1056
                              16⤵ C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92a4fc7-1fa4-4aff-b106-38992476ad44.vbs"
                                PID:4512
                                17⤵ C:\Recovery\WindowsRE\lsass.exe
                                  C:\Recovery\WindowsRE\lsass.exe
                                  - UAC bypass
                                  - Checks computer location settings
                                  - Executes dropped EXE
                                  - Checks whether UAC is enabled
                                  - Modifies registry class
                                  - Suspicious behavior: EnumeratesProcesses
                                  - Suspicious use of AdjustPrivilegeToken
                                  - System policy modification
                                  PID:4992
                                  18⤵ C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\447eca8a-0dc3-480b-b5cb-fac2b57fb8e9.vbs"
                                    PID:2220
                                    19⤵ C:\Recovery\WindowsRE\lsass.exe
                                      C:\Recovery\WindowsRE\lsass.exe
                                      - UAC bypass
                                      - Checks computer location settings
                                      - Executes dropped EXE
                                      - Checks whether UAC is enabled
                                      - Modifies registry class
                                      - Suspicious behavior: EnumeratesProcesses
                                      - Suspicious use of AdjustPrivilegeToken
                                      - System policy modification
                                      PID:4320
                                      20⤵ C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3deb626b-b484-4677-9800-11cb48502f2f.vbs"
                                        PID:2204
                                        21⤵ C:\Recovery\WindowsRE\lsass.exe
                                          C:\Recovery\WindowsRE\lsass.exe
                                          - UAC bypass
                                          - Checks computer location settings
                                          - Executes dropped EXE
                                          - Checks whether UAC is enabled
                                          - Modifies registry class
                                          - Suspicious behavior: EnumeratesProcesses
                                          - Suspicious use of AdjustPrivilegeToken
                                          - System policy modification
                                          PID:264
                                          22⤵ C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e32438b-cc64-4709-b4fb-424176e6b1cf.vbs"
                                            PID:3620
                                            23⤵ C:\Recovery\WindowsRE\lsass.exe
                                              C:\Recovery\WindowsRE\lsass.exe
                                              - UAC bypass
                                              - Checks computer location settings
                                              - Executes dropped EXE
                                              - Checks whether UAC is enabled
                                              - Modifies registry class
                                              - Suspicious behavior: EnumeratesProcesses
                                              - Suspicious use of AdjustPrivilegeToken
                                              - System policy modification
                                              PID:456
                                              24⤵ C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd82df5-9681-4967-b1f8-92de9f6a5723.vbs"
                                                PID:960
                                              24⤵ C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\966531c4-cac1-4ee5-be69-9ffbda875664.vbs"
                                                PID:2076
                                          22⤵ C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c29feab-69bb-4bd1-9c0b-aa690202d12c.vbs"
                                            PID:880
                                          22⤵ C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe
                                            "C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"
                                            - Executes dropped EXE
                                            - Suspicious use of SetThreadContext
                                            - System Location Discovery: System Language Discovery
                                            PID:5068
                                            23⤵ C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe
                                              "C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"
                                              - Executes dropped EXE
                                              PID:3408
                                      20⤵ C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fb28ce3-b143-40fc-a510-a1d3edeb31de.vbs"
                                        PID:2500
                                      20⤵ C:\Users\Admin\AppData\Local\Temp\tmp4B57.tmp.exe
                                        "C:\Users\Admin\AppData\Local\Temp\tmp4B57.tmp.exe"
                                        - Executes dropped EXE
                                        - Suspicious use of SetThreadContext
                                        - System Location Discovery: System Language Discovery
                                        PID:2308
                                        21⤵ C:\Users\Admin\AppData\Local\Temp\tmp4B57.tmp.exe
                                          "C:\Users\Admin\AppData\Local\Temp\tmp4B57.tmp.exe"
                                          - Executes dropped EXE
                                          PID:1900
                                  18⤵ C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99295fbc-1619-4582-9b88-b305fe0471ae.vbs"
                                    PID:3876
                                  18⤵ C:\Users\Admin\AppData\Local\Temp\tmp1BCB.tmp.exe
                                    "C:\Users\Admin\AppData\Local\Temp\tmp1BCB.tmp.exe"
                                    - Executes dropped EXE
                                    - Suspicious use of SetThreadContext
                                    - System Location Discovery: System Language Discovery
                                    PID:544
                                    19⤵ C:\Users\Admin\AppData\Local\Temp\tmp1BCB.tmp.exe
                                      "C:\Users\Admin\AppData\Local\Temp\tmp1BCB.tmp.exe"
                                      - Executes dropped EXE
                                      PID:2832
                              16⤵ C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32948f4d-020b-4d25-8fdb-94abbdca5aca.vbs"
                                PID:5020
                              16⤵ C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe
                                "C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe"
                                - Executes dropped EXE
                                - System Location Discovery: System Language Discovery
                                PID:1116
                                17⤵ C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe
                                  "C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe"
                                  - Executes dropped EXE
                                  - System Location Discovery: System Language Discovery
                                  PID:4728
                                  18⤵ C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe
                                    "C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe"
                                    - Executes dropped EXE
                                    - Suspicious use of SetThreadContext
                                    - System Location Discovery: System Language Discovery
                                    PID:3532
                                    19⤵ C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe
                                      "C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe"
                                      - Executes dropped EXE
                                      PID:3720
                          14⤵ C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cdbb34b-c81e-4199-b8f8-71c87dd97542.vbs"
                            PID:776
                          14⤵ C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp.exe
                            "C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp.exe"
                            - Executes dropped EXE
                            - Suspicious use of SetThreadContext
                            - System Location Discovery: System Language Discovery
                            PID:5076
                            15⤵ C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp.exe
                              "C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp.exe"
                              - Executes dropped EXE
                              PID:4708
                      12⤵ C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7f9728d-9a0b-4daf-beaa-82d09d8498c9.vbs"
                        PID:1872
                      12⤵ C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe
                        "C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe"
                        - Executes dropped EXE
                        - Suspicious use of SetThreadContext
                        - System Location Discovery: System Language Discovery
                        PID:1592
                        13⤵ C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe
                          "C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe"
                          - Executes dropped EXE
                          PID:2316
                  10⤵ C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f171edc-12a1-4e57-b8f6-9b9c66af86f5.vbs"
                    PID:4984
                  10⤵ C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe
                    "C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe"
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    PID:4780
                    11⤵ C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe
                      "C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe"
                      - Executes dropped EXE
                      - Suspicious use of SetThreadContext
                      - System Location Discovery: System Language Discovery
                      PID:3740
                      12⤵ C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe
                        "C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe"
                        - Executes dropped EXE
                        PID:5116
              8⤵ C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51a0cd33-7e7e-4f6e-aeaa-bcc1a5c8d775.vbs"
                PID:1424
              8⤵ C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe
                "C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID:1332
                9⤵ C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe
                  "C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  PID:3820
                  10⤵ C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe
                    "C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe"
                    - Executes dropped EXE
                    PID:1244
          6⤵ C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fea913cc-b264-44e5-9852-2416ccc72c2f.vbs"
            PID:2096
          6⤵ C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:3864
            7⤵ C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe
              "C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"
              - Executes dropped EXE
              PID:544
      4⤵ C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82abfab3-bf5d-484b-9224-97b41603300c.vbs"
        PID:4100
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1960
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3984
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2164
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4536
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3940
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3364
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2260
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1924
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1244
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Setup\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1008
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2316
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Setup\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1076
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1900
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1292
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2104
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Settings\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:916
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2088
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Settings\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2080
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\fr-FR\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1116
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\apppatch\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3448
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\apppatch\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2444
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3016
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2432
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3808
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:8
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4656
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1220
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1964
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3468
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3440
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2748
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4636
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1956
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\upfc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:544
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1864
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4060
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4108
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2816
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1872
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4448
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4420
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4424
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:964
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:860
1⤵ C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2360
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
Downloads
-
Filesize
944B
MD52979eabc783eaca50de7be23dd4eafcf
SHA1d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA51292bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba
-
Filesize
707B
MD582de90cb0948617c85dcd98c3e47ade9
SHA1e8ff4e2400ecdb1e6f8483c303f97137ae0d705b
SHA2562cf81159fbdf5e1f5626921d2652eb591333725c90d193ced53084fa406d9ee8
SHA512a6927e68b1f6239fb6834fa1565570e08dff5d18bd0f1f5040528da55e454b551f1477adbcf1e8ce03864a21f65f3bc78e5e74fc473f6a95d90b0ff33fb7149a
-
Filesize
707B
MD56343382e15a7c6cb5c034b72dae12ddf
SHA1640fabd53aaca5b4280f728b38e8b5f06486ec48
SHA256c8fe53c4421dfe72a7e465921d992c67286d738c4ebc1bf8e1ecf2fb41f42a22
SHA5128dc74152e1c863e71d6a52315f02f01db1ca67377160fa33ffacf44e63cd2946347de9900b7792967ae7916efbca14c58e8e3ac48cf5bea6fdb833a20edf650d
-
Filesize
707B
MD5ee2c21e1f77e5eb24fcb17b0d20411a2
SHA1e23209fbe6af1cbd0045c23cf240218f14ce0a1e
SHA256c2be726cb69684eff2828bd36911ac13a195a9f7ed7b451f8e3c822a8956c0b1
SHA5127e097e0d19108e13f14de126ca465da93d3ffd84b300edb7d7077284fb9f657ecc5a6a1e51abe372960e94cb33cda2f1c880d44e015077137b5479b822547bdf
-
Filesize
707B
MD5953305571b3375660614284764b683f3
SHA19cb5ffeba44df580a8f8e7e92da18b04d6d88a4f
SHA25638ec24b841acded5938a83ab274add067580a09f8c341226fed6ebb2050e2d9a
SHA512f6cce6aedd356ab55209a0aca2e97d54592f722f8d2d24ef33865cd27000ddbb30d80f8ea5f86ae10a93c480ab035d3db0ad82e67dac607405976926d15dc185
-
Filesize
483B
MD5e82bafe350c40719f70922558e21d393
SHA137acaaefd8156463a6553f747e392198bb65f94c
SHA256be935a3aa0b7b7b35f1eb9ad5fc9e1095390e570ce72c1c9c2db19db2bd2cbac
SHA5122675735a6dbefccde87b9fd6903eb8fd92550aa009bdb9478a8fb1c518f3054465d6c57744674ec058a88450b15c6b5e451572d8e5920ce907a8d5e19e6d0191
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
707B
MD57025f7a28355e21a21198db0dce39bdb
SHA19c63d4dfd7ea82f66fc9749a5ebb6f51b1d08265
SHA25608a38ed9c36de15caf02f76935c11d7be0698c3019c4738f9aa8a6c479d5914d
SHA5129eb3cd5e429738c992e15db78201ecf2dfbbb9abda5e7fffc1faa72d9db23731e6a3b7abbf348252e797a96f73ecada83f8299041b2527e444b358aaba0d5647
-
Filesize
707B
MD5c6e85080747adb0eacbe680b59b689cd
SHA10831e4b50ff970f674f0cdf1144a16f6e1800d7e
SHA256b8f1b7f99c6fee90eda96c57ba915b82194abff6e76a5574b0b3f10b642f9964
SHA512179dc5a82eff73c80d66928637f6e8bd17803ae14509ffd91f14252a3acbc286bca2639d95f42f4eeca48a00c52972ae9d884716b3c11001249d387d6e917f69
-
Filesize
196B
MD5053735cbc277bcbe02ef3ade8ea02c58
SHA1b593e748e3743fcff2d35bf31a5d32d6ef7159a7
SHA256b2c82aeb27ef28379472c628496072e88faa5ca35bd5fd127a2e77cc383f62c9
SHA5129be1da1fda45d78ece63d7a9c9a4c6ea0e67a7a1fd15d324e458985cdf21cc2534758c52d60cdfbf4a5623f0afae261db76ed39ee93924eca084c852f50817d2
-
Filesize
707B
MD5a010fed23ef738b78c67a9c5a55815fa
SHA1d7691da43cb2114babeb465f269d60632c5f41e3
SHA256999efcee5efc3ace07afec1f9ab94139ccaf8e860ecdda1316b930a3cdddeece
SHA5125d40f8bdc1ff659b82c5cdfa90ce5d50b7ac1eef85305cd83e3e2d691d54e22f5b1e3d237abfcee1d77ed5aca11fb1ad940787f53f50c1c39e49ea4c73eb2145
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2