Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-12-2024 22:14
Static task: static1
Behavioral task: behavioral1
Sample: 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Resource: win7-20240903-en

General
Target: 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Size: 4.9MB
MD5: ad6f5a9d1be209b53e4ea1e256a259b0
SHA1: 03da3df7b5d92d7c298e7c7fc9965f140f13000e
SHA256: 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3
SHA512: 24bf284ce56fef4e52278ee6a4c85f27e6d754ff99c1858089c4c70fbca947bdc4e630b096ec29d74dc93eec4734bfc409a8d8837762c2754d8b665ab4258e88
SSDEEP: 49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe

resource | yara_rule
behavioral1/memory/2784-3-0x000000001B500000-0x000000001B62E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2752 | powershell.exe
2916 | powershell.exe
2816 | powershell.exe
2228 | powershell.exe
1496 | powershell.exe
2724 | powershell.exe
2600 | powershell.exe
2884 | powershell.exe
2744 | powershell.exe
2740 | powershell.exe
2800 | powershell.exe
1524 | powershell.exe
Executes dropped EXE 8 IoCs
pid | Process
696 | sppsvc.exe
1072 | sppsvc.exe
2476 | sppsvc.exe
2324 | sppsvc.exe
2036 | sppsvc.exe
2204 | sppsvc.exe
1688 | sppsvc.exe
2884 | sppsvc.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Drops file in Program Files directory 20 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Program Files\Windows Media Player\en-US\RCX90F7.tmp | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files (x86)\Internet Explorer\a69157251761af | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files\Windows Media Player\en-US\cc11b995f2a76d | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files\Windows Defender\it-IT\winlogon.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Program Files\Windows Media Player\en-US\winlogon.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files (x86)\Internet Explorer\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\RCX8EE3.tmp | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files\Windows Media Player\en-US\winlogon.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX7F52.tmp | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\RCX836A.tmp | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX885B.tmp | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\winlogon.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\7a0fd90576e088 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Program Files\Windows Defender\it-IT\cc11b995f2a76d | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ModemLogs\RCX8C63.tmp | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File opened for modification | C:\Windows\ModemLogs\sppsvc.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Windows\ModemLogs\sppsvc.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
File created | C:\Windows\ModemLogs\0a1fd5f707cd16 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2316 | schtasks.exe
1312 | schtasks.exe
1592 | schtasks.exe
3032 | schtasks.exe
3040 | schtasks.exe
2940 | schtasks.exe
1584 | schtasks.exe
2980 | schtasks.exe
1640 | schtasks.exe
2476 | schtasks.exe
2592 | schtasks.exe
2644 | schtasks.exe
2172 | schtasks.exe
2464 | schtasks.exe
2428 | schtasks.exe
1168 | schtasks.exe
784 | schtasks.exe
548 | schtasks.exe
1244 | schtasks.exe
560 | schtasks.exe
332 | schtasks.exe
2848 | schtasks.exe
2836 | schtasks.exe
2296 | schtasks.exe
1072 | schtasks.exe
2384 | schtasks.exe
2372 | schtasks.exe
3016 | schtasks.exe
1620 | schtasks.exe
1976 | schtasks.exe
2628 | schtasks.exe
2196 | schtasks.exe
2248 | schtasks.exe
2108 | schtasks.exe
3024 | schtasks.exe
1416 | schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid | Process
696 | sppsvc.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid | Process
2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
1524 | powershell.exe
2228 | powershell.exe
2816 | powershell.exe
2600 | powershell.exe
2724 | powershell.exe
2752 | powershell.exe
2800 | powershell.exe
2740 | powershell.exe
2884 | powershell.exe
2916 | powershell.exe
1496 | powershell.exe
2744 | powershell.exe
696 | sppsvc.exe
1072 | sppsvc.exe
2476 | sppsvc.exe
2324 | sppsvc.exe
2036 | sppsvc.exe
2204 | sppsvc.exe
1688 | sppsvc.exe
2884 | sppsvc.exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Token: SeDebugPrivilege | 1524 | powershell.exe
Token: SeDebugPrivilege | 2228 | powershell.exe
Token: SeDebugPrivilege | 2816 | powershell.exe
Token: SeDebugPrivilege | 2600 | powershell.exe
Token: SeDebugPrivilege | 2724 | powershell.exe
Token: SeDebugPrivilege | 2752 | powershell.exe
Token: SeDebugPrivilege | 2800 | powershell.exe
Token: SeDebugPrivilege | 2740 | powershell.exe
Token: SeDebugPrivilege | 2884 | powershell.exe
Token: SeDebugPrivilege | 2916 | powershell.exe
Token: SeDebugPrivilege | 1496 | powershell.exe
Token: SeDebugPrivilege | 2744 | powershell.exe
Token: SeDebugPrivilege | 696 | sppsvc.exe
Token: SeDebugPrivilege | 1072 | sppsvc.exe
Token: SeDebugPrivilege | 2476 | sppsvc.exe
Token: SeDebugPrivilege | 2324 | sppsvc.exe
Token: SeDebugPrivilege | 2036 | sppsvc.exe
Token: SeDebugPrivilege | 2204 | sppsvc.exe
Token: SeDebugPrivilege | 1688 | sppsvc.exe
Token: SeDebugPrivilege | 2884 | sppsvc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2784 wrote to memory of 1496 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 68
PID 2784 wrote to memory of 1496 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 68
PID 2784 wrote to memory of 1496 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 68
PID 2784 wrote to memory of 1524 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 69
PID 2784 wrote to memory of 1524 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 69
PID 2784 wrote to memory of 1524 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 69
PID 2784 wrote to memory of 2228 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 70
PID 2784 wrote to memory of 2228 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 70
PID 2784 wrote to memory of 2228 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 70
PID 2784 wrote to memory of 2816 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 72
PID 2784 wrote to memory of 2816 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 72
PID 2784 wrote to memory of 2816 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 72
PID 2784 wrote to memory of 2800 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 73
PID 2784 wrote to memory of 2800 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 73
PID 2784 wrote to memory of 2800 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 73
PID 2784 wrote to memory of 2740 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 74
PID 2784 wrote to memory of 2740 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 74
PID 2784 wrote to memory of 2740 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 74
PID 2784 wrote to memory of 2916 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 103
PID 2784 wrote to memory of 2916 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 103
PID 2784 wrote to memory of 2916 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 103
PID 2784 wrote to memory of 2744 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 77
PID 2784 wrote to memory of 2744 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 77
PID 2784 wrote to memory of 2744 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 77
PID 2784 wrote to memory of 2884 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 78
PID 2784 wrote to memory of 2884 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 78
PID 2784 wrote to memory of 2884 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 78
PID 2784 wrote to memory of 2752 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 80
PID 2784 wrote to memory of 2752 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 80
PID 2784 wrote to memory of 2752 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 80
PID 2784 wrote to memory of 2600 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 81
PID 2784 wrote to memory of 2600 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 81
PID 2784 wrote to memory of 2600 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 81
PID 2784 wrote to memory of 2724 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 84
PID 2784 wrote to memory of 2724 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 84
PID 2784 wrote to memory of 2724 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 84
PID 2784 wrote to memory of 2664 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 92
PID 2784 wrote to memory of 2664 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 92
PID 2784 wrote to memory of 2664 | 2784 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 92
PID 2664 wrote to memory of 952 | 2664 | cmd.exe | 94
PID 2664 wrote to memory of 952 | 2664 | cmd.exe | 94
PID 2664 wrote to memory of 952 | 2664 | cmd.exe | 94
PID 2664 wrote to memory of 696 | 2664 | cmd.exe | 95
PID 2664 wrote to memory of 696 | 2664 | cmd.exe | 95
PID 2664 wrote to memory of 696 | 2664 | cmd.exe | 95
PID 2664 wrote to memory of 696 | 2664 | cmd.exe | 95
PID 2664 wrote to memory of 696 | 2664 | cmd.exe | 95
PID 696 wrote to memory of 1752 | 696 | sppsvc.exe | 96
PID 696 wrote to memory of 1752 | 696 | sppsvc.exe | 96
PID 696 wrote to memory of 1752 | 696 | sppsvc.exe | 96
PID 696 wrote to memory of 772 | 696 | sppsvc.exe | 97
PID 696 wrote to memory of 772 | 696 | sppsvc.exe | 97
PID 696 wrote to memory of 772 | 696 | sppsvc.exe | 97
PID 1752 wrote to memory of 1072 | 1752 | WScript.exe | 99
PID 1752 wrote to memory of 1072 | 1752 | WScript.exe | 99
PID 1752 wrote to memory of 1072 | 1752 | WScript.exe | 99
PID 1752 wrote to memory of 1072 | 1752 | WScript.exe | 99
PID 1752 wrote to memory of 1072 | 1752 | WScript.exe | 99
PID 1072 wrote to memory of 1312 | 1072 | sppsvc.exe | 100
PID 1072 wrote to memory of 1312 | 1072 | sppsvc.exe | 100
PID 1072 wrote to memory of 1312 | 1072 | sppsvc.exe | 100
PID 1072 wrote to memory of 3040 | 1072 | sppsvc.exe | 101
PID 1072 wrote to memory of 3040 | 1072 | sppsvc.exe | 101
PID 1072 wrote to memory of 3040 | 1072 | sppsvc.exe | 101
System policy modification 1 TTPs 27 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2784
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1496

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1524

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2228

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2816

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2800

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2740

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2916

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2744

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2884

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2752

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2600

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2724
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UDcpHa0YgN.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:952
-
-
C:\Users\Admin\Downloads\sppsvc.exe"C:\Users\Admin\Downloads\sppsvc.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:696 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9d5fb54-84f3-4902-a68f-1f5846ab4211.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Admin\Downloads\sppsvc.exeC:\Users\Admin\Downloads\sppsvc.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1072 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e74207d-f7c8-4abb-a0c5-c3240e7894b7.vbs"6⤵PID:1312
-
C:\Users\Admin\Downloads\sppsvc.exeC:\Users\Admin\Downloads\sppsvc.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2476 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c64755a-7df3-4da1-a7ef-544ddc49c165.vbs"8⤵PID:2916
-
C:\Users\Admin\Downloads\sppsvc.exeC:\Users\Admin\Downloads\sppsvc.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2324 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb33ab54-0383-4620-aebc-e1ce35f55c10.vbs"10⤵PID:2752
-
[depth 11] C:\Users\Admin\Downloads\sppsvc.exe (PID 2036)
  C:\Users\Admin\Downloads\sppsvc.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 12] C:\Windows\System32\WScript.exe (PID 2424)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afe69088-bef3-4092-8fae-df1c0eee2603.vbs"

[depth 13] C:\Users\Admin\Downloads\sppsvc.exe (PID 2204)
  C:\Users\Admin\Downloads\sppsvc.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 14] C:\Windows\System32\WScript.exe (PID 2152)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648e675a-8bd2-4bc3-a1d3-22199241953b.vbs"

[depth 15] C:\Users\Admin\Downloads\sppsvc.exe (PID 1688)
  C:\Users\Admin\Downloads\sppsvc.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 16] C:\Windows\System32\WScript.exe (PID 1192)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab848bcb-3a1c-4f77-b23c-443d988c69f8.vbs"

[depth 17] C:\Users\Admin\Downloads\sppsvc.exe (PID 2884)
  C:\Users\Admin\Downloads\sppsvc.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

[depth 18] C:\Windows\System32\WScript.exe (PID 1616)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79a9795a-76db-4a6f-88ba-2808ee5b262b.vbs"

[depth 18] C:\Windows\System32\WScript.exe (PID 2028)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbd7b182-b31e-4bc1-97bf-1a6e4b26f95c.vbs"

[depth 16] C:\Windows\System32\WScript.exe (PID 2836)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8771af0-e8f4-4e4a-a2c5-ce467911f210.vbs"

[depth 14] C:\Windows\System32\WScript.exe (PID 1084)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e74953d-62db-4aad-9136-8857f43251e0.vbs"

[depth 12] C:\Windows\System32\WScript.exe (PID 2856)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff5562a8-6e77-4c37-b7db-085690ccc87a.vbs"

[depth 10] C:\Windows\System32\WScript.exe (PID 2740)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a26fe279-fb3a-4d6d-947a-a3edd53a81b4.vbs"

[depth 8] C:\Windows\System32\WScript.exe (PID 2108)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d616968a-26af-40e9-ae0c-7bb35882edc2.vbs"

[depth 6] C:\Windows\System32\WScript.exe (PID 3040)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c9cb7fa-a7fe-401c-80bb-c7d781ec072d.vbs"

[depth 4] C:\Windows\System32\WScript.exe (PID 772)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a15ec85-3acd-4068-bb2a-4ee8cb055850.vbs"
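The tree above repeats one pattern: a copy of sppsvc.exe in the user's Downloads folder starts WScript.exe on a GUID-named .vbs in %LOCALAPPDATA%\Temp, and that script starts the next copy of sppsvc.exe, which at every hop re-applies the UAC-policy changes. The following script, an added example that is not part of the sandbox report, reconstructs that relaunch loop from process-creation events (Sysmon Event ID 1 style: pid, ppid, image, command line) and counts how many hops precede each WScript.exe launch. The PIDs and paths are the report's; the parent/child links are an assumption taken from the nesting the report shows (the parent of PID 2036 is not shown, so it is given ppid 0), and the explorer.exe control events are constructed.

```python
"""Reconstruct the sppsvc.exe -> WScript.exe -> sppsvc.exe relaunch loop from
process-creation events (Sysmon EID 1 style: pid, ppid, image, cmdline).

Added example, not part of the sandbox report. Parent/child links are an
assumption derived from the nesting the report shows; PIDs and paths are the
report's, the explorer.exe control events are constructed.
"""
import re

# Binary names the sample borrows for its copies; all of them live under C:\Windows.
SYSTEM_NAMES = {"sppsvc.exe", "winlogon.exe", "services.exe", "wmiprvse.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"
# The dropped launcher scripts are GUID-named .vbs files in the user's Temp directory.
GUID_VBS = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.vbs", re.I
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_masquerade(image):
    """True for a system-binary name whose image path is outside C:\\Windows."""
    return basename(image) in SYSTEM_NAMES and not image.lower().startswith(WINDOWS_DIR)


def relaunch_chains(events):
    """Find WScript.exe launches of a GUID-named Temp .vbs by a masquerading parent.

    For each hit, walk up the alternating (masquerading exe, wscript.exe) pairs
    and count how many relaunch hops already precede it.
    Returns {wscript_pid: (hops, matched_vbs_path_suffix)}.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        if basename(e["image"]) != "wscript.exe":
            continue
        m = GUID_VBS.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not m or parent is None or not is_masquerade(parent["image"]):
            continue
        hops, cur = 0, parent
        while cur is not None and is_masquerade(cur["image"]):
            hops += 1
            launcher = by_pid.get(cur["ppid"])  # expected: the wscript.exe that started cur
            if launcher is None or basename(launcher["image"]) != "wscript.exe":
                break
            cur = by_pid.get(launcher["ppid"])  # the previous exe copy, if recorded
        hits[e["pid"]] = (hops, m.group(0))
    return hits


def _ev(pid, ppid, image, cmdline=None):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline or image}


SPPSVC = r"C:\Users\Admin\Downloads\sppsvc.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed event list: the chain from the report (ppid 0 = parent not shown)
# plus a benign control: explorer.exe running a user's own script.
SAMPLE_EVENTS = [
    _ev(2036, 0, SPPSVC),
    _ev(2424, 2036, WSCRIPT, f'"{WSCRIPT}" "{TEMP}\\afe69088-bef3-4092-8fae-df1c0eee2603.vbs"'),
    _ev(2204, 2424, SPPSVC),
    _ev(2152, 2204, WSCRIPT, f'"{WSCRIPT}" "{TEMP}\\648e675a-8bd2-4bc3-a1d3-22199241953b.vbs"'),
    _ev(1688, 2152, SPPSVC),
    _ev(1192, 1688, WSCRIPT, f'"{WSCRIPT}" "{TEMP}\\ab848bcb-3a1c-4f77-b23c-443d988c69f8.vbs"'),
    _ev(2884, 1192, SPPSVC),
    _ev(1616, 2884, WSCRIPT, f'"{WSCRIPT}" "{TEMP}\\79a9795a-76db-4a6f-88ba-2808ee5b262b.vbs"'),
    _ev(2028, 2884, WSCRIPT, f'"{WSCRIPT}" "{TEMP}\\bbd7b182-b31e-4bc1-97bf-1a6e4b26f95c.vbs"'),
    _ev(1, 0, r"C:\Windows\explorer.exe"),
    _ev(999, 1, WSCRIPT, f'"{WSCRIPT}" "C:\\Users\\Admin\\Documents\\inventory.vbs"'),
]

if __name__ == "__main__":
    for pid, (hops, vbs) in sorted(relaunch_chains(SAMPLE_EVENTS).items()):
        print(f"wscript pid {pid}: {hops} relaunch hop(s) before it, script ...{vbs}")
```

Run against the constructed events it reports five WScript.exe launches, with hop counts 1 through 4; the control launch under explorer.exe is not reported because its parent lives in C:\Windows and the script name is not a GUID. A single hop is weak evidence on its own, so a rule built on this should alert on the hop count or on the masquerading parent rather than on WScript.exe alone.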
[depth 1] C:\Windows\system32\schtasks.exe (PID 2592)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2628)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2316)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2476)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 332)
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1072)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2848)
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 560)
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2372)
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2384)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1640)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2296)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3024)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2940)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2980)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3016)
  schtasks.exe /create /tn "04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N0" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2644)
  schtasks.exe /create /tn "04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2836)
  schtasks.exe /create /tn "04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N0" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3040)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 3032)
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 784)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1584)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1244)
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1312)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2108)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2172)
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2196)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1168)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2428)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2248)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 548)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\it-IT\winlogon.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1976)
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\winlogon.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1416)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\it-IT\winlogon.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1592)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\en-US\winlogon.exe'" /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 1620)
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\winlogon.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe (PID 2464)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\en-US\winlogon.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
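Every copy the sample drops gets the same three tasks: one ONLOGON task with /rl HIGHEST, and two MINUTE tasks with short intervals, one of them also HIGHEST, all pointing at a file that borrows a Windows binary name (sppsvc.exe, winlogon.exe, services.exe, WmiPrvSE.exe, explorer.exe, Idle.exe) but lives somewhere such a binary never does (Downloads, C:\Recovery, MSOCache, Program Files subfolders, ModemLogs). The script below is an added example, not part of the report, that parses "schtasks /create" command lines as they appear in process-creation telemetry (Sysmon Event ID 1 or Security 4688) and flags exactly those traits: a known name outside its expected directory, /rl HIGHEST, a short MINUTE interval, and several tasks registered for one file. The expected-directory table and the benign control line are assumptions made for the example; the other sample lines are copied from the report.

```python
"""Triage 'schtasks /create' command lines for DcRat-style redundant persistence.

Added example, not part of the sandbox report. Input is the CommandLine field
of process-creation events (Sysmon EID 1 / Security 4688); the sample lines
below are copied from the report, plus one constructed benign control line.
"""
import re
from collections import defaultdict

# Where the impersonated binary names legitimately live (lower-case parent dirs).
# This table is an assumption for the example. idle.exe has no on-disk home:
# "System Idle Process" is not a file.
EXPECTED_PARENTS = {
    "sppsvc.exe":   {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "explorer.exe": {r"c:\windows"},
    "idle.exe":     set(),
}

_SWITCHES = {
    "name":     re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "target":   re.compile(r'/tr\s+"([^"]*)"', re.I),
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


def parse_schtasks(cmdline):
    """Return a dict for a 'schtasks /create' line (None for anything else)."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.I):
        return None
    got = {}
    for key, rx in _SWITCHES.items():
        m = rx.search(cmdline)
        got[key] = m.group(1) if m else ""
    if not got["name"] or not got["target"]:
        return None
    return {
        "name": got["name"],
        "schedule": got["schedule"].upper(),
        "modifier": int(got["modifier"]) if got["modifier"] else None,
        # The sample quotes the path twice: /tr "'C:\...\x.exe'"; strip both layers.
        "target": got["target"].strip().strip("'").lower(),
        "runlevel": got["runlevel"].upper() or "LIMITED",  # schtasks default
        "reasons": [],
    }


def masquerade_reason(target):
    """Reason string if target is a known system-binary name outside its home, else None."""
    parent, _, base = target.rpartition("\\")
    if base not in EXPECTED_PARENTS:
        return None
    if parent in EXPECTED_PARENTS[base]:
        return None
    return f"{base} outside its expected directory: {parent or '(no directory)'}"


def triage(cmdlines):
    """Parse all lines, attach per-task and cross-task reasons, return flagged tasks."""
    tasks = [t for t in map(parse_schtasks, cmdlines) if t]
    by_target = defaultdict(list)
    for t in tasks:
        reason = masquerade_reason(t["target"])
        if reason:
            t["reasons"].append(reason)
        if t["runlevel"] == "HIGHEST":
            t["reasons"].append("/rl HIGHEST (runs elevated for an admin user)")
        if t["schedule"] == "MINUTE" and t["modifier"] is not None and t["modifier"] <= 15:
            t["reasons"].append(f"re-launched every {t['modifier']} min")
        by_target[t["target"]].append(t)
    # The sample registers three tasks per copy (ONLOGON + two MINUTE); flag any
    # file that several tasks point at, which legitimate installers rarely do.
    for group in by_target.values():
        if len(group) > 1:
            schedules = "/".join(sorted({g["schedule"] for g in group}))
            for g in group:
                g["reasons"].append(f"{len(group)} tasks target the same file ({schedules})")
    return [t for t in tasks if t["reasons"]]


# Constructed input: four lines copied from the report plus one benign control line.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /f""",
    r"""schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\sppsvc.exe" /f""",
]

if __name__ == "__main__":
    for t in triage(SAMPLE_CMDLINES):
        print(t["name"], t["target"])
        for r in t["reasons"]:
            print("   -", r)
```

The control line is not flagged: the target is the real sppsvc.exe under System32, the schedule is DAILY and the run level is the default. The three Downloads\sppsvc.exe tasks each collect the masquerade reason plus the group reason, and the WmiPrvSE.exe task is flagged on path and run level alone. Note that the /tn names differ only by a trailing letter ("sppsvc" and "sppsvcs"), so grouping must key on the /tr target, not on the task name.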
Network
MITRE ATT&CK Enterprise v15
Execution
  - Command and Scripting Interpreter: PowerShell (1)
  - Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
  - Abuse Elevation Control Mechanism: Bypass User Account Control (1)
  - Scheduled Task/Job: Scheduled Task (1)
Downloads

Filesize: 4.9MB (same hashes as the submitted sample)
MD5: ad6f5a9d1be209b53e4ea1e256a259b0
SHA1: 03da3df7b5d92d7c298e7c7fc9965f140f13000e
SHA256: 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3
SHA512: 24bf284ce56fef4e52278ee6a4c85f27e6d754ff99c1858089c4c70fbca947bdc4e630b096ec29d74dc93eec4734bfc409a8d8837762c2754d8b665ab4258e88

Filesize: 711B
MD5: 63f2dd07e787cefde9a3cc6eb526ccf2
SHA1: a80f304b44f5cf0c743c723904c1a92d90f1b1cb
SHA256: b196181c284f6126df1b5b2d607cedbf52915b15a306098a7c7411dde4d085ee
SHA512: 9a1304b19a63450bf28fade95b5be53534077b2d417e74c5961f30515bea9da9259e9f0a1f07c6d01e8657af5f7b66cc8cfd4f45f82cf31c60cceb964cab54f0

Filesize: 487B
MD5: b1e2955ff1bdf3c4d35e913243fa4867
SHA1: 05907beb83c195f8b35449a53facadb030aebaf6
SHA256: f1995baacf36e3cdf41bd5b9631dcb3374069d173417e3eea3c63e7d36a95263
SHA512: 3e2c306490b8c4a31f73a25946e86fd6bdb66f68fd89e45f1aa480420593f9bc904a4f0becf3eeed21db4a15f183b1a60fad1b4827cf95b9d94e76b309ee84c8

Filesize: 711B
MD5: dbc2cce0be033eb1f8c44082f47d3019
SHA1: 4f20e811db39024378916ee7f67416c7c79df405
SHA256: 63bc92d827adeb8b493059426b2618263ecc2b25b02cfe9f60b5d5055f338800
SHA512: 973763255ed00a741b358faa70427e8820063d93f8afe33152f2845314bb61c3be7aaa59f0d93ef6e9f5a2dee027d01c5df8d8bc46949960796e4e2b23334b06

Filesize: 711B
MD5: 912f125ae1aafcf80e310d32040478c2
SHA1: b3a4d400bcaa69757684fc6efa283b623f474f98
SHA256: 01dc6a12dd38823233220fcbef4ef0812112e3d8469331f57334ea5bb162e0c5
SHA512: 4b801e255f4b6b38087316fc26006f99c5b5126fc386d20190b57c6eb662947d23c6c82582dcf48ea9b6844d492395affcb2b8396d27b05f7ec74a180a9ae9c5

Filesize: 711B
MD5: e21d49538579b667b18f6430ee1ac9ab
SHA1: 9cdce9596d69f81da8f5a3c5fbe4c89ad17da897
SHA256: 7672b0584ed917ddeb2fcee8332f79650cf28775a40b2efdf05f76e995b7a609
SHA512: 017cba86858ae230c806083499bc1bd207dd407b59cae2c25025dca928e527ee49ea96e22a79511bd9ff0e5fb9b9a90bdfc4247f3e64bffaa88ff995cf309287

Filesize: 200B
MD5: bc543e2f97cd584ad7b728fe30ac2bc8
SHA1: 66664d1728ad3803c58d0fd80d3848a82e5ac265
SHA256: f881300ef03ba2c79af859a581f2b6fb6d106832714b4ce5e403c367f022fb02
SHA512: a097f371304d67f79b170e47bdb5216bb8df976dd875f75c689d474fd63588ed9eebeb666a5f97612e09fc320e17233d0f6e5d79b2057c741a65f9fe3fdea171

Filesize: 710B
MD5: 657f7a3867ef4e5059a8b79f1ab120cd
SHA1: d6a0aaf32741d158357da6e3cbb3aa6669c6b684
SHA256: ff0b8dd2b65ecd40cb938549fc4ae5a4de3069e19e4f0013e28f8c199e95f67f
SHA512: 39320c7a132f757d6eea29b161ccae6d251b7be803e47cdda878d2beae41861aacf4f31a834451c6618e09734f02390c0a7ebcee2d85bef2b967ee3188068958

Filesize: 711B
MD5: 0221dc7bca504618016de20b77693920
SHA1: 99276e261624bf1e02500d2229584f419865a9d8
SHA256: 7dd12f2b7aef7f51ac56b2fcd3911b91d41b6a67a62a8fbb78f422f03b8e3aff
SHA512: cade7f1c1297791ecb92e29241cb1a7fe29e79155e8b898f88b0d06e6de2d02271eee84232c4bc55b9f15fe49212f80cbe95d80a62249b81cc09fdd006be8703

Filesize: 711B
MD5: e36142803179d73eee3bdf88f234e3f8
SHA1: 89e387a9543c78b0043e714c37302c695672927c
SHA256: 887b45b6c8b0895b38f9a7322e4e830f89661aa388c6c90dcbf1579933a1b10e
SHA512: 5da7cd5596b2fc146ca2978309999c3679de8cbfc216cf712d4ff85eea01b4e7d2d5700c4c1456d1da8dfb4ebb8372bb6159861512508a7a31d5da9987941b87

Filesize: 711B
MD5: c2df367f50c64a65a8db8ce8a7f8407e
SHA1: 47ea62922b31733d6e84c0183b3bec5adb6e7853
SHA256: 3606ecaf0ecac1cc96f55b3888f951dd966e57c3cba717ed2e6eefb7f20ce8a7
SHA512: 815a94eb60f1742b7bdc58031ca6faa6cd374c674c706bac7cb753f1bb4a6b4b5a549e4661293fbd533dde9dbec2731fe341ca6380bfe21d63a2a68ff2d5ca78

Filesize: 75KB
MD5: e0a68b98992c1699876f818a22b5b907
SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 0204930c47ef6888cb7680a4350fba32
SHA1: 47f37189735fae7307f84b52d1d7db7cf250d4df
SHA256: a1ec322f91d0508c80f76447b37aa961b41d2de326837df704bb7aecb0d7c9f5
SHA512: 379a83ba43be0f71223a5b58a2803512904a3d62fc92c51525bcc575339ee145bb0ce26237174ba90312920951c43e62d81168f3bba25b376876bbdf226674b6