Analysis

max time kernel: 119s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 06:20

Static task: static1
Behavioral task: behavioral1
Sample: 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Resource: win7-20240903-en
General

Target: 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Size: 4.9MB
MD5: bfb301610f83af1d4383ee8816d436c0
SHA1: 843d1c6fcb394dd8c1d66352fb4d188440604d9d
SHA256: 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2
SHA512: dd736c99af88d44e86d09fc43a42feadce506c37633ff531fe19bc2a402f3eaa4a1f5cdb22bc9858a73b7f711382df174cc6c42a16924d0baa251bcdb427b6e6
SSDEEP: 49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config

Signatures

DcRat
DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

Dcrat family
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run, however, all 42 entries are the same relationship: C:\Windows\system32\wbem\wmiprvse.exe (pid_target 2364, procid_target 31) spawning schtasks.exe. That is also what process creation through WMI (Win32_Process.Create) looks like, because WmiPrvSE.exe becomes the recorded parent, so these entries are consistent with the sample registering its persistence tasks via WMI rather than with an exploit of WmiPrvSE.exe itself. The 42 child PIDs are the same 42 listed under Scheduled Task/Job below. Note that the sandbox reuses PIDs within a run (2872 and 2884, for example, recur later as a dropped-EXE PID and a powershell.exe PID), so match PIDs only within one table.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2364   Process: schtasks.exe   procid_target: 31
pid (42 schtasks.exe children, in table order): 2800, 2828, 2664, 2648, 2884, 2872, 2840, 2528, 2580, 1100, 3000, 3008, 328, 1700, 2760, 1152, 1876, 1692, 1132, 2632, 1120, 1816, 3016, 1956, 2384, 2036, 2140, 2156, 832, 2100, 2208, 2708, 2768, 1936, 740, 1600, 1980, 896, 2088, 1532, 1400, 1524
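The lineage check behind this signature, written out as an added example (editor's code, not part of the sandbox report or the DcRat tooling). It takes process-creation events with Sysmon Event ID 1 field names, flags parent/child pairings that should not occur, and separately detects a burst of schtasks.exe launches from one parent, which is the shape of the 42 entries above. The rule table, the timestamps, the sample's on-disk path and the svchost.exe parent of WmiPrvSE.exe are assumptions for the example; the child PIDs are the first twelve from the table.

```python
"""Lineage check for the pattern this signature fired on: WmiPrvSE.exe
spawning schtasks.exe, 42 times in one run. Input is a list of
process-creation events using Sysmon Event ID 1 field names."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Parent image -> child images that should not appear under it ("*" = any).
# These pairings are the editor's assumptions for the example, not vendor rules.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe"},
    "winword.exe": {"*"},
}


def unexpected_children(events):
    """Return (parent_image, child_image, child_pid) for each event whose
    parent/child pairing is listed in UNEXPECTED_CHILDREN."""
    hits = []
    for ev in events:
        parent = ntpath.basename(ev["ParentImage"]).lower()
        child = ntpath.basename(ev["Image"]).lower()
        bad = UNEXPECTED_CHILDREN.get(parent, set())
        if "*" in bad or child in bad:
            hits.append((parent, child, ev["ProcessId"]))
    return hits


def schtasks_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Return {parent_pid: max_count} for parents that started at least
    `threshold` schtasks.exe processes inside any `window`. A sliding window
    over sorted timestamps catches bursts that straddle fixed time buckets."""
    per_parent = defaultdict(list)
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() == "schtasks.exe":
            per_parent[ev["ParentProcessId"]].append(ev["UtcTime"])
    bursts = {}
    for ppid, times in per_parent.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ppid] = max(bursts.get(ppid, 0), count)
    return bursts


def _ev(second, pid, ppid, image, parent_image):
    return {"UtcTime": datetime(2024, 12, 19, 6, 21, second), "ProcessId": pid,
            "ParentProcessId": ppid, "Image": image, "ParentImage": parent_image}


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"

# Constructed events: the child PIDs are the first twelve from the report;
# the timestamps, the sample's path and the svchost.exe parent are invented.
SAMPLE_EVENTS = [_ev(5, 2364, 600, WMIPRVSE, r"C:\Windows\system32\svchost.exe")]
SAMPLE_EVENTS += [_ev(10 + i, pid, 2364, SCHTASKS, WMIPRVSE) for i, pid in enumerate(
    [2800, 2828, 2664, 2648, 2884, 2872, 2840, 2528, 2580, 1100, 3000, 3008])]
SAMPLE_EVENTS += [
    _ev(30, 2568, 944, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SAMPLE),
    _ev(31, 2620, 944, r"C:\Windows\system32\cmd.exe", SAMPLE),
]

if __name__ == "__main__":
    for parent, child, pid in unexpected_children(SAMPLE_EVENTS):
        print(f"unexpected parent/child: {parent} -> {child} (pid {pid})")
    print("schtasks bursts by parent pid:", schtasks_bursts(SAMPLE_EVENTS))
```

The burst detector is the more robust of the two: a single WmiPrvSE.exe child can be legitimate administration, but a dozen schtasks.exe launches from one WMI provider host inside a minute is the persistence pattern in this report regardless of which parent image shows up.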
description ioc Process (signature name missing from the page; 33 registry writes, all by 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe, under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)
Set value (int)   EnableLUA = "0"                    11 entries
Set value (int)   ConsentPromptBehaviorAdmin = "0"   11 entries
Set value (int)   PromptOnSecureDesktop = "0"        11 entries
resource: behavioral1/memory/944-3-0x000000001B5F0000-0x000000001B71E000-memory.dmp   yara_rule: dcrat (YARA match in the memory of PID 944, the initial sample process)
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process: powershell.exe, 12 instances, PIDs 2700, 2652, 2816, 2884, 2876, 2020, 1668, 2568, 2696, 2808, 2996, 2828 (all started directly by the sample, PID 944, per the WriteProcessMemory table below)
Executes dropped EXE 11 IoCs
pid Process: 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe, 11 instances, PIDs 1436, 1068, 2724, 2500, 2044, 2324, 2872, 1724, 2464, 1104, 1432
description ioc Process (signature name missing from the page; 22 entries, all by 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe, on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA)
Set value (int)     EnableLUA = "0"   11 entries
Key value queried   EnableLUA         11 entries
Drops file in Program Files directory 20 IoCs
description ioc Process (all 20 entries are by 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe; every drop directory receives the same trio: an executable named after a Windows system binary or a copy of the sample, a companion file with a 14-hex-character name, and an RCX*.tmp staging file that is then opened for modification)
File created                  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe
File created                  C:\Program Files\Windows Mail\es-ES\f3b6ecef712a24
File opened for modification  C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe
File opened for modification  C:\Program Files\Windows Portable Devices\sppsvc.exe
File created                  C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\56085415360792
File created                  C:\Program Files\Windows Mail\es-ES\spoolsv.exe
File opened for modification  C:\Program Files\Windows Portable Devices\RCXFDA6.tmp
File opened for modification  C:\Program Files\Windows Journal\es-ES\RCX2A8.tmp
File opened for modification  C:\Program Files (x86)\Uninstall Information\RCXEBD.tmp
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX10D1.tmp
File opened for modification  C:\Program Files\Windows Mail\es-ES\RCX12E4.tmp
File created                  C:\Program Files\Windows Portable Devices\sppsvc.exe
File created                  C:\Program Files\Windows Portable Devices\0a1fd5f707cd16
File created                  C:\Program Files\Windows Journal\es-ES\6edd140f7d4abb
File created                  C:\Program Files (x86)\Uninstall Information\winlogon.exe
File created                  C:\Program Files (x86)\Uninstall Information\cc11b995f2a76d
File opened for modification  C:\Program Files (x86)\Uninstall Information\winlogon.exe
File opened for modification  C:\Program Files\Windows Mail\es-ES\spoolsv.exe
Drops file in Windows directory 12 IoCs
description ioc Process (all 12 entries are by 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe)
File opened for modification  C:\Windows\assembly\temp\sppsvc.exe
File opened for modification  C:\Windows\Web\RCXC3D.tmp
File created                  C:\Windows\Registration\CRMLog\1610b97d3ab4a7
File created                  C:\Windows\Web\csrss.exe
File created                  C:\Windows\Web\886983d96e3d3e
File opened for modification  C:\Windows\assembly\temp\RCX27.tmp
File opened for modification  C:\Windows\Registration\CRMLog\RCX9BC.tmp
File created                  C:\Windows\assembly\temp\sppsvc.exe
File created                  C:\Windows\assembly\temp\0a1fd5f707cd16
File created                  C:\Windows\Registration\CRMLog\OSPPSVC.exe
File opened for modification  C:\Windows\Registration\CRMLog\OSPPSVC.exe
File opened for modification  C:\Windows\Web\csrss.exe
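A triage routine for the two "Drops file" tables above, as an added example (editor's code, not from the sandbox or the malware). It parses rows in the report's "description ioc Process" layout, groups created files by directory, and reports directories that hold either a system-binary name outside System32/SysWOW64 or an executable beside a 14-hex-character companion file, which is the layout this sample uses in every drop location. The set of system binary names and the legitimate directories are assumptions for the example; the rows are a subset copied from the tables.

```python
"""Triage of 'File created' IoCs for the drop layout in this report: copies
named after Windows system binaries written outside System32, each next to
a companion file with a random 14-hex-character name."""
import re
import ntpath
from collections import defaultdict

# Names the sample reused. Where each legitimately lives is the editor's
# assumption for this example (all of them normally sit under System32).
SYSTEM_BINARIES = {"wininit.exe", "winlogon.exe", "csrss.exe", "spoolsv.exe",
                   "sppsvc.exe", "osppsvc.exe", "lsass.exe", "services.exe"}
LEGIT_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
COMPANION = re.compile(r"^[0-9a-f]{14}$")
# One IoC per line in the sandbox's "description ioc Process" layout; the
# path may contain spaces, the process name is the last token on the line.
IOC_LINE = re.compile(r"^(?P<desc>File created|File opened for modification)\s+"
                      r"(?P<path>[A-Za-z]:\\.+?)\s+(?P<proc>\S+)$")


def parse_file_iocs(text):
    """Return (description, path, process) for every parsable line."""
    rows = []
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if m:
            rows.append((m["desc"], m["path"], m["proc"]))
    return rows


def _outside_system_dirs(directory):
    d = directory.lower()
    return not any(d == legit or d.startswith(legit + "\\") for legit in LEGIT_DIRS)


def suspicious_drop_dirs(rows):
    """Group created files by directory and return {directory: [reasons]} for
    directories holding a system-binary name outside System32/SysWOW64 or an
    executable together with a 14-hex companion file."""
    by_dir = defaultdict(lambda: {"exes": [], "companions": []})
    for desc, path, _proc in rows:
        if desc != "File created":
            continue
        directory, name = ntpath.split(path)
        if name.lower().endswith(".exe"):
            by_dir[directory]["exes"].append(name)
        elif COMPANION.match(name.lower()):
            by_dir[directory]["companions"].append(name)
    findings = {}
    for directory, files in by_dir.items():
        reasons = []
        if _outside_system_dirs(directory) and any(
                n.lower() in SYSTEM_BINARIES for n in files["exes"]):
            reasons.append("system binary name outside System32")
        if files["exes"] and files["companions"]:
            reasons.append("executable dropped with hex companion file")
        if reasons:
            findings[directory] = reasons
    return findings


PROC = "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
# Rows copied from the report's two "Drops file" tables (a subset).
REPORT_ROWS = "\n".join(f"{desc} {path} {PROC}" for desc, path in [
    ("File created", r"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe"),
    ("File created", r"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\56085415360792"),
    ("File created", r"C:\Program Files\Windows Mail\es-ES\spoolsv.exe"),
    ("File created", r"C:\Program Files\Windows Mail\es-ES\f3b6ecef712a24"),
    ("File created", ntpath.join(r"C:\Program Files\Windows Journal\es-ES", PROC)),
    ("File created", r"C:\Program Files\Windows Journal\es-ES\6edd140f7d4abb"),
    ("File opened for modification", r"C:\Program Files\Windows Portable Devices\RCXFDA6.tmp"),
    ("File created", r"C:\Program Files\Windows Portable Devices\sppsvc.exe"),
    ("File created", r"C:\Program Files\Windows Portable Devices\0a1fd5f707cd16"),
    ("File created", r"C:\Program Files (x86)\Uninstall Information\winlogon.exe"),
    ("File created", r"C:\Program Files (x86)\Uninstall Information\cc11b995f2a76d"),
    ("File created", r"C:\Windows\Web\csrss.exe"),
    ("File created", r"C:\Windows\Web\886983d96e3d3e"),
    ("File created", r"C:\Windows\assembly\temp\sppsvc.exe"),
    ("File created", r"C:\Windows\assembly\temp\0a1fd5f707cd16"),
    ("File created", r"C:\Windows\Registration\CRMLog\OSPPSVC.exe"),
    ("File created", r"C:\Windows\Registration\CRMLog\1610b97d3ab4a7"),
])

if __name__ == "__main__":
    for directory, reasons in suspicious_drop_dirs(parse_file_iocs(REPORT_ROWS)).items():
        print(f"{directory}: {'; '.join(reasons)}")
```

The companion-file heuristic is the one that generalises: the directory holding a renamed copy of the sample itself (Windows Journal\es-ES) carries no system-binary name, yet it is still caught because the 14-hex marker sits next to it.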
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process: schtasks.exe, 42 instances, PIDs 2100, 1936, 1980, 2800, 2648, 3000, 328, 1132, 740, 1532, 2156, 832, 2208, 2828, 2840, 2528, 2760, 3016, 2768, 896, 2088, 1876, 1120, 1956, 2140, 1600, 1152, 1692, 2632, 1816, 2708, 2664, 2580, 2384, 2884, 2036, 1524, 2872, 1100, 3008, 1700, 1400
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process:
944 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe (3 entries)
powershell.exe PIDs 2996, 2568, 2808, 2816, 1668, 2696, 2700, 2884, 2876, 2020, 2828, 2652
8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe PIDs 1436, 1068, 2724, 2500, 2044, 2324, 2872, 1724, 2464, 1104
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process: Token: SeDebugPrivilege in every entry
944 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
powershell.exe PIDs 2996, 2568, 2808, 2816, 1668, 2696, 2700, 2884, 2876, 2020, 2828, 2652
8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe PIDs 1436, 1068, 2724, 2500, 2044, 2324, 2872, 1724, 2464, 1104
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target. Each process creation is logged three times, so the 64 rows reduce to the parent -> child relationships below (procid_target in parentheses; child images are only known where the child later appears as a parent). The last relationship has a single row because the table stops at 64 entries.
944 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe -> 2568 (74), 2696 (75), 2808 (77), 1668 (78), 2876 (80), 2884 (81), 2700 (83), 2652 (84), 2996 (85), 2816 (86), 2828 (87), 2020 (88): the twelve powershell.exe processes; -> 2620 cmd.exe (98)
2620 cmd.exe -> 2768 (100, image not shown in this table); -> 1436 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe (101)
1436 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe -> 2336 WScript.exe (102); -> 2248 (103, image not shown)
2336 WScript.exe -> 1068 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe (104)
1068 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe -> 1064 WScript.exe (105); -> 2784 (106, image not shown)
1064 WScript.exe -> 2724 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe (107)
2724 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe -> 832 (108, image not shown)
The chain is therefore sample -> cmd.exe -> dropped copy -> WScript.exe -> dropped copy -> WScript.exe -> dropped copy, each stage relaunching the next through a script host.
System policy modification 1 TTPs 33 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
-
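The 33 IoCs above are the same three writes repeated by each of the eleven copies of the sample that carry the "System policy modification" tag in the process tree (PIDs 944, 1436, 1068, 2724, 2500, 2044, 2324, 2872, 1724, 2464 and 1104). EnableLUA = 0 switches UAC off at the next reboot; until then ConsentPromptBehaviorAdmin = 0 makes elevation silent for administrators and PromptOnSecureDesktop = 0 takes whatever prompt remains off the secure desktop. The PowerShell below is an added example, not part of the sandbox report: it audits those three values on a host and restores the Windows defaults. The key path and the default data (1, 5, 1) are standard Windows values; the function names are this example's own, and writing to HKLM needs an elevated shell.

```powershell
# Added example (not from the sandbox report): audit and repair the three UAC
# policy values this DcRat sample zeroes. Run elevated to write HKLM.
# Assumed Windows defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5
# (prompt for consent for non-Windows binaries), PromptOnSecureDesktop=1.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacDefaults = [ordered]@{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 5
    PromptOnSecureDesktop      = 1
}

function Test-UacPolicy {
    # One object per value: current data, expected data, and whether it is the
    # "0" the sample writes. A missing value is reported but not flagged.
    param([string]$Path = $UacKey)
    foreach ($name in $UacDefaults.Keys) {
        $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Name     = $name
            Value    = $value
            Expected = $UacDefaults[$name]
            Weakened = ($null -ne $value) -and ([int]$value -eq 0)
        }
    }
}

function Repair-UacPolicy {
    # Put the defaults back for every weakened value. EnableLUA is only read at
    # boot, so a host that had it zeroed stays UAC-less until it is rebooted.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $UacKey)
    foreach ($f in (Test-UacPolicy -Path $Path | Where-Object { $_.Weakened })) {
        if ($PSCmdlet.ShouldProcess("$Path\$($f.Name)", "set to $($f.Expected)")) {
            Set-ItemProperty -Path $Path -Name $f.Name -Value $f.Expected -Type DWord
        }
    }
}

Test-UacPolicy | Format-Table -AutoSize
Repair-UacPolicy -WhatIf   # drop -WhatIf to write the values
```

On a host with Sysmon the same three writes surface as Event ID 13 (RegistryEvent, value set) against this key, which is the detection to pair with the repair above.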
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Users\Admin\AppData\Local\Temp\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H1xDWFpPgM.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2768
-
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1436 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33a3f094-8cfc-4d80-84ec-bc4e955b9f26.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1068 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca940d7-d2c8-48d6-ab5e-2332bde7eaa8.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2724 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9e4da4d-c3ed-48d7-9123-475e1148d2cd.vbs"8⤵PID:832
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2500 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eae690de-b2c9-4ded-9219-e43552c0c551.vbs"10⤵PID:2848
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2044 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\631786d4-7a45-46ed-9a06-b3b354d5dfd7.vbs"12⤵PID:1288
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2324 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c9ea6f4-1175-493f-bae7-c4cb53535351.vbs"14⤵PID:2760
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2872 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06db582b-2ffd-4de5-8460-3b9d11746644.vbs"16⤵PID:1204
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1724 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c714bfb3-8b7e-475c-9b92-6ab611bec6e9.vbs"18⤵PID:2296
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2464 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\777d416a-296e-4f19-92b4-6d7f329d886e.vbs"20⤵PID:920
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1104 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30d0444a-5751-41c8-9534-4d0d9d21e13d.vbs"22⤵PID:2420
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"23⤵
- Executes dropped EXE
PID:1432
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28481d43-24ac-461c-b451-5513e2c0c399.vbs"22⤵PID:3040
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9b84c42-fdad-433e-9757-9846a0619617.vbs"20⤵PID:1232
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8e71716-f8d3-40e1-a835-bac904e7999c.vbs"18⤵PID:2020
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\051583a4-5d67-4619-8273-cae5594bb4f5.vbs"16⤵PID:2040
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47eda0a3-062f-4d5f-a070-2a3137c65789.vbs"14⤵PID:444
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f711c9-0a0f-44b8-b949-71f6f7404d88.vbs"12⤵PID:1000
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35f5e290-795a-4187-8ec8-11c5c287c68a.vbs"10⤵PID:1636
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c22bf86-ac73-4b4a-8ea7-5bda142e9d89.vbs"8⤵PID:2880
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f633b09c-40f2-4c44-aea9-67f31127f094.vbs"6⤵PID:2784
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c108fb07-23c4-44d2-acde-33a2248931f9.vbs"4⤵PID:2248
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N8" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N" /sc ONLOGON /tr "'C:\Users\All Users\Templates\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N8" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\temp\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\assembly\temp\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\temp\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N8" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N8" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Web\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
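Two things in the tree above are worth hunting for on any host where this sample ran. First, twelve powershell.exe children of PID 944 each run Add-MpPreference -ExclusionPath for one top-level directory, from 'C:/' down to 'C:/Windows/', so that nothing on the system drive would be scanned. Second, the 42 schtasks.exe entries come in triplets per drop location: a MINUTE task (/mo between 5 and 14) whose name is the binary name with its own first character appended ("csrssc", "wininitw", "lsml", "taskhostt"), an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, every one pointing at a copy named after a core Windows process (csrss, wininit, winlogon, lsm, spoolsv, sppsvc, taskhost, explorer, OSPPSVC) in a directory where that process never lives (C:\Windows\Web, C:\MSOCache\All Users\..., C:\Program Files\Windows Mail\es-ES, and so on). The PowerShell below is an added example, not part of the report: it finds both artefacts and can undo them. It assumes an elevated shell and the Defender and ScheduledTasks modules (Windows 8.1 / Server 2012 R2 or later; neither module exists on the Windows 7 image the sandbox used, where Add-MpPreference would not even have resolved). The name list is this example's own and extends the report's names with smss, services, lsass and svchost.

```powershell
# Added example (not from the sandbox report): hunt for the Defender exclusions
# and the masquerading scheduled tasks this sample creates, and remove them.
# Requires an elevated PowerShell with the Defender and ScheduledTasks modules.

# Core Windows binary names the sample impersonates (from the report) plus a few
# extras. Assumption: none of these is legitimately launched by a scheduled task
# from anywhere other than %SystemRoot%, System32 or SysWOW64.
$ImpersonatedNames = @('csrss', 'wininit', 'winlogon', 'lsm', 'spoolsv', 'sppsvc',
                       'taskhost', 'explorer', 'OSPPSVC', 'smss', 'services', 'lsass', 'svchost')
$SystemDirs = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-TopLevelDefenderExclusion {
    # Path exclusions that cover a drive root or a single top-level directory,
    # which is exactly the set the sample adds ('C:/', 'C:/Users/', 'C:/Windows/', ...).
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrEmpty($p)) { continue }
        if ($p -match '^[A-Za-z]:[\\/]([^\\/]+[\\/]?)?$') {
            [pscustomobject]@{ Exclusion = $p; Reason = 'drive root or top-level directory excluded' }
        }
    }
}

function Get-MasqueradingTask {
    # Tasks whose action runs a core-process name from a directory where that
    # binary never lives, e.g. C:\Windows\Web\csrss.exe or C:\Users\Default\Desktop\taskhost.exe.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            $exe = $action.Execute
            if ([string]::IsNullOrEmpty($exe)) { continue }   # COM-handler actions have no Execute
            # schtasks /tr "'C:\path\x.exe'" stores the inner single quotes with the command
            $exe = [Environment]::ExpandEnvironmentVariables(($exe -replace '^[\s''"]+|[\s''"]+$', ''))
            $leaf = [IO.Path]::GetFileNameWithoutExtension($exe)
            $dir  = [IO.Path]::GetDirectoryName($exe)
            if ([string]::IsNullOrEmpty($dir)) { continue }   # bare names resolve via PATH; out of scope
            if (($ImpersonatedNames -contains $leaf) -and ($SystemDirs -notcontains $dir)) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Execute  = $exe
                    RunLevel = $task.Principal.RunLevel   # 'Highest' for tasks created with /rl HIGHEST
                    State    = $task.State
                }
            }
        }
    }
}

function Remove-SampleArtifact {
    # Undo what the two finders report; -WhatIf prints the plan without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($x in Get-TopLevelDefenderExclusion) {
        if ($PSCmdlet.ShouldProcess($x.Exclusion, 'Remove-MpPreference -ExclusionPath')) {
            Remove-MpPreference -ExclusionPath $x.Exclusion
        }
    }
    foreach ($t in Get-MasqueradingTask) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        }
    }
}

Get-TopLevelDefenderExclusion | Format-Table -AutoSize
Get-MasqueradingTask | Format-Table -AutoSize
Remove-SampleArtifact -WhatIf   # drop -WhatIf to clean up
```

Review the output of the two Get- functions before removing anything, and do the clean-up in order: stop the running copies first, unregister the tasks, then delete the dropped binaries at the paths the tasks name (their hashes are in the Downloads section), otherwise a copy that is still running may simply put the tasks back.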
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1): PowerShell (1)
Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Filesize 4.9MB
MD5 85f45fa26825b3bcc991f391678aa3bd
SHA1 bdf94e35afb71f4f958414c00787d8886c44eac8
SHA256 6779fd042294e63dfea78d1094e53a37acdd91fe2b716c9199f4bb808b338471
SHA512 236e85631aa533951c39c5af4fc598839a0bbebcacfb8fb0e878c15f8b01f75068896bbf22686d810245ac9a00c42acea52865092c566356cd87177e29d9c0ee
-
Filesize 4.9MB
MD5 bfb301610f83af1d4383ee8816d436c0
SHA1 843d1c6fcb394dd8c1d66352fb4d188440604d9d
SHA256 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2
SHA512 dd736c99af88d44e86d09fc43a42feadce506c37633ff531fe19bc2a402f3eaa4a1f5cdb22bc9858a73b7f711382df174cc6c42a16924d0baa251bcdb427b6e6
-
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\RCX519.tmp
Filesize 4.9MB
MD5 2512d0ed4575ffac200e5cd14209d52a
SHA1 9f465649b38502304c9a218b9ec0e0998ced93ae
SHA256 84a2fb7c927489cf3972fcbc4583e2ed39365a9d6916ddf81322fc7341618b04
SHA512 8cdbcf339a8032398a489afa54cf10325dd8f01a95bdc5476f4d628782c6da32fc4246c396279a4ab5c628081397a257ca4c3ca370392dcfee2bbc96133858fa
-
Filesize 784B
MD5 abab78725777e9fb21f378a355997d6c
SHA1 b046d58a73745e03e6bba1f959f7afe1bc468213
SHA256 d0632ebcd48e2010a64da2906bf83c296039b5ee4742788c36fa0b2f3027e253
SHA512 659cc0ccd6a48d281a59dc6258b69032067871cca63ebfce3854b67daa4b00565ecc9a24652e76795d114f14a90442bbe41f843772e2c6df95713f9813007f6d
-
Filesize 784B
MD5 e06df2bcd01697fc80962f6112b41714
SHA1 480d70bf5464f7846fb7f5213b0a8e9084dc3cf2
SHA256 557348dbcf2e6b7a2c16959ddcdd1b1988f104f99d83cf3c3a66ccbd7bcfc9ba
SHA512 ce82f1cf222ea2f514816bd874325178596863481f371cc8b193760e5167c1146afa1092af95f0bbb987eae56efccd21bcec667104a2c531bae0845cd87faf01
-
Filesize 784B
MD5 27a74800634a2d7f5eebaceb6d876156
SHA1 b64d9da2e15ce3e9d983b31fe24ccee4272ce6c0
SHA256 96c601944c0cec55f0652d7d4184ff95661775c41ddcc9f23dcf375b00aba24d
SHA512 9a55cccf1e8b456b1436bddb50d120588bf0dbcfd14991bbee5e2e861a8e900d627c4376141187c535aa8d4d1e31406f7148be7e8daabeb41e3449f467ae4f74
-
Filesize 784B
MD5 5d4b7294da5731fe21696a376473f614
SHA1 34e7c31eeaef4e5ca14774722b84696852582236
SHA256 a8c08283edb6212e01ff4426e602dc3238a23cc6792fcdf01565ce23afc7f025
SHA512 49dff034c8f738f5c4802eff42808c3daf1d1f55f6572b8a516abed2ec635f59c16d27163d173acb30347a5bcbd9e6aa19b55bab490e88d3afbe122cd384406e
-
Filesize 784B
MD5 75093faad1a4eb2986c14e02ec6c4feb
SHA1 61b494400e978b645ca6ec79df906d53b649dc3b
SHA256 e69e5b6b77130f1897fd9abffbf83689677cd4f0761069aefea33a91ca5ddee2
SHA512 8c0b7202842a51f88912e3d7a0102680c3181cb8ee63066b099d419b702c4c85079eb00c3dc9f1f0cc2c33ec2806ca104f0b053b3ba2ad6ca14e101cd7bb76b2
-
Filesize 784B
MD5 2eaed77efe6a5d38543b2903ae8d9da4
SHA1 dc0a4fc7b8b6a96341e8ab62b092eea566fc706a
SHA256 c258cacfab09309730e83fbdd8f3ed516debf44b4f9b9da945e0996381078d21
SHA512 733a19a4dc75f1def4757fed375ab59588f655b127f00d7d8be21a2a47c5f7fd7548eb614bc7c9df21e276043eb44b509577f9e800888cf56204c57914bef6d8
-
Filesize 784B
MD5 346de1535a3344d888ac1a8e08e28f17
SHA1 e52b7f7a3a9fee2cd242e3c28546ba9918682e6e
SHA256 f86095dee1a6dc573d52d8a86a39004e2596e3161f711f354edfdab72271a398
SHA512 8e4d580494c076e7e7fe7b7d0e9635d3ff753dc4d63b262e238e6f2031803830661dc240dc4c0b93774393b6de8829ccb2f15c1da0e24d49fdfae4f5028a175d
-
Filesize 273B
MD5 8fd0bd8b49db6e3529e2fa824d830221
SHA1 30332ff27da55a93f000cde88d912fbff8c3d25f
SHA256 c30603cee65981073326321f4053aa8e67a3e16811b7c805d9f51515bd160199
SHA512 32021b7d8283d1a9a1e02d6b46f811185650ef5aed450ad079e0791b79c475e8231899d2603f0d82e4222f7e82a2f200a248daa2214a0898493720f7bc237a09
-
Filesize 784B
MD5 db4f9bad4095d9e22eb003bf9b30f58b
SHA1 596c6fe96651095537e622fc0086543823e10167
SHA256 e2797a1dd32e1431659c77977b9df59343d2f1f0163d0824affdf0ec94df9fe0
SHA512 3adcea8e8e2be368fe67a8666cc23fd49f0516e8275af8e8bec2e6294155fe0b451741a4a37c0a71637e3b61fb0450514216ce1c47e7a1153ee70394d26169eb
-
Filesize 560B
MD5 d7189f212eee1f58a13963abe20dffd3
SHA1 3e3fd4d940e6398af1ccd05e6ffa495eb2403a27
SHA256 747c446f20e5f6fb9052eba3da711eeac38bc8001d85bdc42bb9d450c87ff55f
SHA512 4c491f0bbfb87a7698ad91db9162cd9950c4bc073c405474f377bca657a01161b1b8d14f983bac6875dbfcadd0149d002f8efa098efa7bcf9115be812479d280
-
Filesize 784B
MD5 6e94e25ae8fa920735ac4ecddea70135
SHA1 ee8949b707c05bff6ffa13c48e256bd1491752dc
SHA256 96455200afd06094821d046d7b3d9e21dbe53c9b335e9ca02e01ac7816a24ab0
SHA512 1b82a15654dfc342690e17e51a55eb685d8f7230631381d561b36fbab0b4f56fcf336abcb1918ca8ec4f80489e2141b8bdab83d8e69d10dbd711a63236a7ca57
-
Filesize 784B
MD5 c6cd2fb39509ec03817a622322dac1ce
SHA1 0ddd17e6ca08ce017fd8ccf982451f2558d41c3a
SHA256 3914d90c1dd3a50fe32c9bde957345dbf2807db23cabc904692c08a22683a247
SHA512 94b0765ed3b388bffa2bba613474697582cba46bba563358067e846b6df3598fb44764424ac7bf1cfc3bdc7da52b095813af5cda4006a6f66e8172af9a60ad90
-
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 06f07e5c9b68307033a93413eee2b680
SHA1 a89130353fe29778c737cb86a71727d2a08e790d
SHA256 3b5f9938222b77843fa9d00440466f4943fe3d4aaf028543cc35d70e892af8a7
SHA512 90f2a33177ed4dae31dc9c070d89954fab3144056a7e93eea44851a6d46a02d347a031d7cc963d9d084fea52ee1c59999b3ce4a5e486bc532bf77ada0bbd93ca