Analysis
max time kernel: 118s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 06:20
Static task: static1
Behavioral task: behavioral1
Sample: 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Resource: win7-20240903-en
General
Target: 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Size: 4.9MB
MD5: bfb301610f83af1d4383ee8816d436c0
SHA1: 843d1c6fcb394dd8c1d66352fb4d188440604d9d
SHA256: 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2
SHA512: dd736c99af88d44e86d09fc43a42feadce506c37633ff531fe19bc2a402f3eaa4a1f5cdb22bc9858a73b7f711382df174cc6c42a16924d0baa251bcdb427b6e6
SSDEEP: 49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
Colibri family
DcRat 62 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
resource | yara_rule
behavioral2/memory/2932-3-0x000000001B870000-0x000000001B99E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 12 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dwm.exe
Executes dropped EXE 37 IoCs
pid | Process
2868 | tmpD6FA.tmp.exe
2376 | tmpD6FA.tmp.exe
2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
4996 | tmpF712.tmp.exe
4260 | tmpF712.tmp.exe
628 | dwm.exe
892 | tmp2E4E.tmp.exe
4964 | tmp2E4E.tmp.exe
3312 | dwm.exe
4960 | dwm.exe
4644 | tmp7BC3.tmp.exe
3996 | tmp7BC3.tmp.exe
3404 | tmp7BC3.tmp.exe
1936 | tmp7BC3.tmp.exe
3408 | dwm.exe
2000 | tmpAC1A.tmp.exe
1852 | tmpAC1A.tmp.exe
1120 | dwm.exe
4704 | tmpDD3C.tmp.exe
452 | tmpDD3C.tmp.exe
60 | tmpDD3C.tmp.exe
4768 | dwm.exe
812 | tmpFA97.tmp.exe
1688 | tmpFA97.tmp.exe
1588 | dwm.exe
3384 | tmp15D0.tmp.exe
1332 | tmp15D0.tmp.exe
228 | tmp15D0.tmp.exe
1264 | dwm.exe
688 | tmp4646.tmp.exe
5028 | tmp4646.tmp.exe
3492 | dwm.exe
704 | tmp620C.tmp.exe
3596 | tmp620C.tmp.exe
3992 | dwm.exe
3016 | tmp7E1F.tmp.exe
4504 | tmp7E1F.tmp.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Suspicious use of SetThreadContext 11 IoCs
description | pid | Process | procid_target
PID 2868 set thread context of 2376 | 2868 | tmpD6FA.tmp.exe | 110
PID 4996 set thread context of 4260 | 4996 | tmpF712.tmp.exe | 177
PID 892 set thread context of 4964 | 892 | tmp2E4E.tmp.exe | 215
PID 3404 set thread context of 1936 | 3404 | tmp7BC3.tmp.exe | 235
PID 2000 set thread context of 1852 | 2000 | tmpAC1A.tmp.exe | 244
PID 452 set thread context of 60 | 452 | tmpDD3C.tmp.exe | 254
PID 812 set thread context of 1688 | 812 | tmpFA97.tmp.exe | 264
PID 1332 set thread context of 228 | 1332 | tmp15D0.tmp.exe | 274
PID 688 set thread context of 5028 | 688 | tmp4646.tmp.exe | 282
PID 704 set thread context of 3596 | 704 | tmp620C.tmp.exe | 292
PID 3016 set thread context of 4504 | 3016 | tmp7E1F.tmp.exe | 302
Drops file in Program Files directory 23 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\services.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\fr-FR\powershell.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\lsass.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files (x86)\Windows Defender\csrss.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\c5b4cb5e9653cc | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files (x86)\Common Files\System\fr-FR\e978f868350d50 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files (x86)\Windows Mail\e6c9b481da804f | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files\Windows Multimedia Platform\6203df4a6bafc7 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCXDD75.tmp | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCXE20B.tmp | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files (x86)\Windows Defender\886983d96e3d3e | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\System.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files (x86)\Internet Explorer\27d1bcfc3c54e0 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\csrss.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\services.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files (x86)\Common Files\System\fr-FR\powershell.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files\Windows Multimedia Platform\lsass.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Program Files (x86)\Internet Explorer\System.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\es-ES\5b884080fd4f94 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Windows\es-ES\RCXD8DF.tmp | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Windows\Web\4K\Wallpaper\dwm.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Windows\Web\4K\Wallpaper\dwm.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Windows\TAPI\Registry.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Windows\TAPI\Registry.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Windows\TAPI\ee2ad38f3d4382 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Windows\es-ES\fontdrvhost.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Windows\TAPI\RCXD4A6.tmp | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File opened for modification | C:\Windows\es-ES\fontdrvhost.exe | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
File created | C:\Windows\Web\4K\Wallpaper\6cb0b6c459d5d3 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpD6FA.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpFA97.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp15D0.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7E1F.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpF712.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7BC3.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7BC3.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpDD3C.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp2E4E.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7BC3.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpAC1A.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpDD3C.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp620C.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp15D0.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp4646.tmp.exe
Modifies registry class 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dwm.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 34 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Token: SeDebugPrivilege | 3404 | powershell.exe
Token: SeDebugPrivilege | 2448 | powershell.exe
Token: SeDebugPrivilege | 4472 | powershell.exe
Token: SeDebugPrivilege | 4724 | powershell.exe
Token: SeDebugPrivilege | 2344 | powershell.exe
Token: SeDebugPrivilege | 2372 | powershell.exe
Token: SeDebugPrivilege | 3084 | powershell.exe
Token: SeDebugPrivilege | 1640 | powershell.exe
Token: SeDebugPrivilege | 2820 | powershell.exe
Token: SeDebugPrivilege | 2228 | powershell.exe
Token: SeDebugPrivilege | 3416 | powershell.exe
Token: SeDebugPrivilege | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Token: SeDebugPrivilege | 1668 | powershell.exe
Token: SeDebugPrivilege | 4320 | powershell.exe
Token: SeDebugPrivilege | 688 | powershell.exe
Token: SeDebugPrivilege | 5032 | powershell.exe
Token: SeDebugPrivilege | 4788 | powershell.exe
Token: SeDebugPrivilege | 3364 | powershell.exe
Token: SeDebugPrivilege | 4744 | powershell.exe
Token: SeDebugPrivilege | 1768 | powershell.exe
Token: SeDebugPrivilege | 536 | powershell.exe
Token: SeDebugPrivilege | 516 | powershell.exe
Token: SeDebugPrivilege | 1728 | powershell.exe
Token: SeDebugPrivilege | 628 | dwm.exe
Token: SeDebugPrivilege | 3312 | dwm.exe
Token: SeDebugPrivilege | 4960 | dwm.exe
Token: SeDebugPrivilege | 3408 | dwm.exe
Token: SeDebugPrivilege | 1120 | dwm.exe
Token: SeDebugPrivilege | 4768 | dwm.exe
Token: SeDebugPrivilege | 1588 | dwm.exe
Token: SeDebugPrivilege | 1264 | dwm.exe
Token: SeDebugPrivilege | 3492 | dwm.exe
Token: SeDebugPrivilege | 3992 | dwm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2932 wrote to memory of 2868 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 108
PID 2932 wrote to memory of 2868 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 108
PID 2932 wrote to memory of 2868 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 108
PID 2868 wrote to memory of 2376 | 2868 | tmpD6FA.tmp.exe | 110
PID 2868 wrote to memory of 2376 | 2868 | tmpD6FA.tmp.exe | 110
PID 2868 wrote to memory of 2376 | 2868 | tmpD6FA.tmp.exe | 110
PID 2868 wrote to memory of 2376 | 2868 | tmpD6FA.tmp.exe | 110
PID 2868 wrote to memory of 2376 | 2868 | tmpD6FA.tmp.exe | 110
PID 2868 wrote to memory of 2376 | 2868 | tmpD6FA.tmp.exe | 110
PID 2868 wrote to memory of 2376 | 2868 | tmpD6FA.tmp.exe | 110
PID 2932 wrote to memory of 3416 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 117
PID 2932 wrote to memory of 3416 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 117
PID 2932 wrote to memory of 3404 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 118
PID 2932 wrote to memory of 3404 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 118
PID 2932 wrote to memory of 4724 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 119
PID 2932 wrote to memory of 4724 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 119
PID 2932 wrote to memory of 3084 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 120
PID 2932 wrote to memory of 3084 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 120
PID 2932 wrote to memory of 2820 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 121
PID 2932 wrote to memory of 2820 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 121
PID 2932 wrote to memory of 4472 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 122
PID 2932 wrote to memory of 4472 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 122
PID 2932 wrote to memory of 2228 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 123
PID 2932 wrote to memory of 2228 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 123
PID 2932 wrote to memory of 1640 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 124
PID 2932 wrote to memory of 1640 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 124
PID 2932 wrote to memory of 2448 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 125
PID 2932 wrote to memory of 2448 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 125
PID 2932 wrote to memory of 2344 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 126
PID 2932 wrote to memory of 2344 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 126
PID 2932 wrote to memory of 2372 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 127
PID 2932 wrote to memory of 2372 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 127
PID 2932 wrote to memory of 2956 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 139
PID 2932 wrote to memory of 2956 | 2932 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 139
PID 2956 wrote to memory of 4996 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 175
PID 2956 wrote to memory of 4996 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 175
PID 2956 wrote to memory of 4996 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 175
PID 4996 wrote to memory of 4260 | 4996 | tmpF712.tmp.exe | 177
PID 4996 wrote to memory of 4260 | 4996 | tmpF712.tmp.exe | 177
PID 4996 wrote to memory of 4260 | 4996 | tmpF712.tmp.exe | 177
PID 4996 wrote to memory of 4260 | 4996 | tmpF712.tmp.exe | 177
PID 4996 wrote to memory of 4260 | 4996 | tmpF712.tmp.exe | 177
PID 4996 wrote to memory of 4260 | 4996 | tmpF712.tmp.exe | 177
PID 4996 wrote to memory of 4260 | 4996 | tmpF712.tmp.exe | 177
PID 2956 wrote to memory of 1728 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 183
PID 2956 wrote to memory of 1728 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 183
PID 2956 wrote to memory of 4744 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 184
PID 2956 wrote to memory of 4744 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 184
PID 2956 wrote to memory of 1668 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 185
PID 2956 wrote to memory of 1668 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 185
PID 2956 wrote to memory of 536 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 186
PID 2956 wrote to memory of 536 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 186
PID 2956 wrote to memory of 516 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 187
PID 2956 wrote to memory of 516 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 187
PID 2956 wrote to memory of 3364 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 188
PID 2956 wrote to memory of 3364 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 188
PID 2956 wrote to memory of 1768 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 189
PID 2956 wrote to memory of 1768 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 189
PID 2956 wrote to memory of 5032 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 190
PID 2956 wrote to memory of 5032 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 190
PID 2956 wrote to memory of 4788 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 191
PID 2956 wrote to memory of 4788 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 191
PID 2956 wrote to memory of 688 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 192
PID 2956 wrote to memory of 688 | 2956 | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe | 192
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2932

C:\Users\Admin\AppData\Local\Temp\tmpD6FA.tmp.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD6FA.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\tmpD6FA.tmp.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD6FA.tmp.exe"
- Executes dropped EXE
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372
C:\Users\Admin\AppData\Local\Temp\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2956

C:\Users\Admin\AppData\Local\Temp\tmpF712.tmp.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF712.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\tmpF712.tmp.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF712.tmp.exe"
- Executes dropped EXE
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320
C:\Windows\System32\cmd.exe (depth 3)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PRQTW9ZyiV.bat"
PID:3592

C:\Windows\system32\w32tm.exe (depth 4)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3416

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 4)
Command line: "C:\Windows\Web\4K\Wallpaper\dwm.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:628

C:\Windows\System32\WScript.exe (depth 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7d27ed3-35a7-40bf-b9e2-1717c9b03b31.vbs"
PID:4972

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 6)
Command line: C:\Windows\Web\4K\Wallpaper\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3312

C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cab284ef-c050-4547-b3ed-7bd4702a770f.vbs"
PID:2736

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 8)
Command line: C:\Windows\Web\4K\Wallpaper\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4960

C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f0424ec-c55a-40b5-86a4-5fb498f230aa.vbs"
PID:2044

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 10)
Command line: C:\Windows\Web\4K\Wallpaper\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3408

C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13be4c06-cb03-4c2f-b871-61c1ae7f8b7d.vbs"
PID:1660

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 12)
Command line: C:\Windows\Web\4K\Wallpaper\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1120

C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31a7f40a-ac8b-4621-8173-344ad915dac3.vbs"
PID:3132

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 14)
Command line: C:\Windows\Web\4K\Wallpaper\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4768

C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78fedef7-1880-4f1b-9e63-f2a5df2fe855.vbs"
PID:4696

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 16)
Command line: C:\Windows\Web\4K\Wallpaper\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1588

C:\Windows\System32\WScript.exe (depth 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d9305ca-b1b4-46dc-ab78-7ed21f913f45.vbs"
PID:2324

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 18)
Command line: C:\Windows\Web\4K\Wallpaper\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1264

C:\Windows\System32\WScript.exe (depth 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b12301d-6232-424e-a4ea-b76b3c783f0d.vbs"
PID:4704

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 20)
Command line: C:\Windows\Web\4K\Wallpaper\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3492

C:\Windows\System32\WScript.exe (depth 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e1c21b6-53a0-4977-bf12-357d2b596da9.vbs"
PID:3944

C:\Windows\Web\4K\Wallpaper\dwm.exe (depth 22)
Command line: C:\Windows\Web\4K\Wallpaper\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3992

C:\Windows\System32\WScript.exe (depth 23)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06ba3e76-8074-4058-bfb6-75b6b7a61f4a.vbs"
PID:3384

C:\Windows\System32\WScript.exe (depth 23)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c8e8059-673f-4b37-8f7b-72b0a83fdea4.vbs"
PID:4216

C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe (depth 23)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3016

C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe (depth 24)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe"
- Executes dropped EXE
PID:4504

C:\Windows\System32\WScript.exe (depth 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2485a653-14dc-4aef-b6cc-8b2667890e05.vbs"
PID:2580

C:\Users\Admin\AppData\Local\Temp\tmp620C.tmp.exe (depth 21)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp620C.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:704

C:\Users\Admin\AppData\Local\Temp\tmp620C.tmp.exe (depth 22)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp620C.tmp.exe"
- Executes dropped EXE
PID:3596

C:\Windows\System32\WScript.exe (depth 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\432fcdd0-c89f-400a-b359-11a427c4d116.vbs"
PID:1520

C:\Users\Admin\AppData\Local\Temp\tmp4646.tmp.exe (depth 19)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4646.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:688

C:\Users\Admin\AppData\Local\Temp\tmp4646.tmp.exe (depth 20)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4646.tmp.exe"
- Executes dropped EXE
PID:5028

C:\Windows\System32\WScript.exe (depth 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd385558-71a8-4d53-a33b-05f9ab4c55aa.vbs"
PID:3412

C:\Users\Admin\AppData\Local\Temp\tmp15D0.tmp.exe (depth 17)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp15D0.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3384

C:\Users\Admin\AppData\Local\Temp\tmp15D0.tmp.exe (depth 18)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp15D0.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1332

C:\Users\Admin\AppData\Local\Temp\tmp15D0.tmp.exe (depth 19)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp15D0.tmp.exe"
- Executes dropped EXE
PID:228

C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aee2a43-4bc6-4a45-93ce-36fd7d878fea.vbs"
PID:4512

C:\Users\Admin\AppData\Local\Temp\tmpFA97.tmp.exe (depth 15)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFA97.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:812

C:\Users\Admin\AppData\Local\Temp\tmpFA97.tmp.exe (depth 16)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFA97.tmp.exe"
- Executes dropped EXE
PID:1688

C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a70418a-554d-42f3-a555-918ec85680a1.vbs"
PID:4224

C:\Users\Admin\AppData\Local\Temp\tmpDD3C.tmp.exe (depth 13)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDD3C.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4704

C:\Users\Admin\AppData\Local\Temp\tmpDD3C.tmp.exe (depth 14)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDD3C.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:452

C:\Users\Admin\AppData\Local\Temp\tmpDD3C.tmp.exe (depth 15)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDD3C.tmp.exe"
- Executes dropped EXE
PID:60

C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1816f967-ec44-46fd-acfa-fe8b8718c415.vbs"
PID:4152

C:\Users\Admin\AppData\Local\Temp\tmpAC1A.tmp.exe (depth 11)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAC1A.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2000

C:\Users\Admin\AppData\Local\Temp\tmpAC1A.tmp.exe (depth 12)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAC1A.tmp.exe"
- Executes dropped EXE
PID:1852

C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8040f140-27dd-4ad6-9d04-d5d4a3ad8b9f.vbs"
PID:3600

C:\Users\Admin\AppData\Local\Temp\tmp7BC3.tmp.exe (depth 9)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7BC3.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4644

C:\Users\Admin\AppData\Local\Temp\tmp7BC3.tmp.exe (depth 10)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7BC3.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp7BC3.tmp.exe (depth 11)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7BC3.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3404

C:\Users\Admin\AppData\Local\Temp\tmp7BC3.tmp.exe (depth 12)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7BC3.tmp.exe"
- Executes dropped EXE
PID:1936

C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df093272-041f-48e9-a357-094ff410b5fb.vbs"
PID:836

C:\Windows\System32\WScript.exe (depth 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8c33e9f-308a-47a7-9d1a-3e67a13f75db.vbs"
PID:3536

C:\Users\Admin\AppData\Local\Temp\tmp2E4E.tmp.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2E4E.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:892

C:\Users\Admin\AppData\Local\Temp\tmp2E4E.tmp.exe (depth 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2E4E.tmp.exe"
- Executes dropped EXE
PID:4964
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\Registry.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\TAPI\Registry.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\Registry.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\dwm.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\powershell.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\powershell.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\powershell.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\Java\dllhost.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\dllhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\Java\dllhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\4K\Wallpaper\dwm.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Web\4K\Wallpaper\dwm.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\4K\Wallpaper\dwm.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\System.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\System.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\System.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /rl HIGHEST /f
Tree level: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Downloads

Filesize: 4.9MB
MD5: bfb301610f83af1d4383ee8816d436c0
SHA1: 843d1c6fcb394dd8c1d66352fb4d188440604d9d
SHA256: 8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2
SHA512: dd736c99af88d44e86d09fc43a42feadce506c37633ff531fe19bc2a402f3eaa4a1f5cdb22bc9858a73b7f711382df174cc6c42a16924d0baa251bcdb427b6e6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe.log
Filesize: 1KB
MD5: bbb951a34b516b66451218a3ec3b0ae1
SHA1: 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256: eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512: 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Filesize: 1KB
MD5: 4a667f150a4d1d02f53a9f24d89d53d1
SHA1: 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256: 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512: 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Filesize: 944B
MD5: 2e907f77659a6601fcc408274894da2e
SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Filesize: 944B
MD5: bd5940f08d0be56e65e5f2aaf47c538e
SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Filesize: 944B
MD5: 59d97011e091004eaffb9816aa0b9abd
SHA1: 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256: 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512: d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Filesize: 944B
MD5: cadef9abd087803c630df65264a6c81c
SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Filesize: 944B
MD5: 3bdf0f0bc4de32a6f32ecb8a32ba5df1
SHA1: 900c6a905984e5e16f3efe01ce2b2cc725fc64f1
SHA256: c893092af552e973c44e0596d1509605a393896a0c1eae64f11456dc956ba40e
SHA512: 680d8f42fd4cb1fffa52e1f7cc483e8afc79c8f3e25ebfe5324c7c277d88499cc58324313599e307e47ba3ee4004de7554192203413cb061a29170cd9bc889c3

Filesize: 944B
MD5: e59140d6693b6a0f6a8617b45bdef9fe
SHA1: 7157a22b2533d10fe8ed91d2c5782b44c79bbcde
SHA256: baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e
SHA512: 117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

Filesize: 944B
MD5: a672fcf7facce635c83caf7b195d0bf8
SHA1: fec2f6c2456efe713ba08fa692a4a356f2f37ba8
SHA256: 71945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c
SHA512: 12713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f

Filesize: 944B
MD5: 9405862a3b15dc34824f6a0e5f077f4f
SHA1: bbe0000e06be94fa61d6e223fb38b1289908723d
SHA256: 0a0869426bca171c080316948a4638a7152018ea5e07de97b2d51e0d90905210
SHA512: fc7ae988b81dec5b13ae9878350cd9d063538bfb2bc14f099087836ed54cd77a36bc7c4276fa075a80a3cd20e7620fa2ba5a8b5b7bf98698b10752749187148d

Filesize: 944B
MD5: cf79136142125a14a0d763b303b2effd
SHA1: 20c496b9c84ddb9c365d6c59823660768c9dfdf7
SHA256: 38297561076f05a1d94b8c6273098acc6866a563466e6a62e1c75846210715e3
SHA512: 37e871507b221658b17bc7b1e100a695ed2ddcd5fa39176dc0ee858c7ef78d279699cd493532e1c95774f3b8a869d6a1d8fa3096314ba17025ec0041e2033522

Filesize: 711B
MD5: b5f139471136320a686019f876f8b4d9
SHA1: 49599c9e6c0857d8b53f8ed6d3730bbb6ccf96dd
SHA256: a7d09edcf1f035a30113d0db4ecf290c76afa02bc891c95942a3d34c4320e70a
SHA512: 5b6e786f72d13f0fa224f3bd26190521452a6cb179dd3bdbfbc3e998db3661303380bc38b7888d23723061cb7493d1e5329b7a2b2da5971f9d0123386fb7d62f

Filesize: 711B
MD5: 16f10c97e6224a9e7484a799049ca585
SHA1: d12aeb70df11efb73091027422f9f7bbd2b4d1ee
SHA256: 17034a944130723d4598b14c2679e8ba54ab3523f01c8ce5f2b16ff046e43f47
SHA512: 27c650f5075c1cd5243255d97ff8a2ecee1d140654abc0f06e7a37224529f3612b87dfdbc0c6dbeed8290d18b69c789a40b49dc772c28180c902ef09fb6ca7fd

Filesize: 711B
MD5: 0315d16b94b9186c1cc0cda42ddb0487
SHA1: 55f2c8ebe09ea6406d4151f4cd24baaf94f2427e
SHA256: 427e23f1bba8846271caabb4ee62338a3e2a56154e315e2c53c9834f580e1bbb
SHA512: 7288361484fff6aa123847b66b9e6b3e862c6392eb916d6ded8873d282ecb37360bd6e745d19d7343b65a06a8f7cc9351c55b9128a3e534fad439b5eacbeb2af

Filesize: 200B
MD5: 8fe61c396a0e680e36fa933934531db5
SHA1: b8808b1621b03a20280cbbc7e810cced6de14929
SHA256: 7d189cc0f32920798f3c2f8de37e4850b0660032b4ebfa5a8df6182e55241195
SHA512: cfa47757cc07a51be981feaef3add3c8078e0041fef98f899cc5f920e5a120a0eb74750cd4eff248ffcbb0700a87eb33bfb05e836a112dbed9f9d054edeff5ff

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 710B
MD5: 1f2d7c3e05cd7c8fa8787efc2b85b7fa
SHA1: ecd479b1c6ec1d80e80e188e7fa8608f9dd7b09d
SHA256: 939ed8a38fd8d8288c5c08326c553e2c7c71820dd8ddc5fd998277fe06727bff
SHA512: e48096479026e676f76ee953e2e88640e44dd2ca60f2e76f01bf6e5e12c91b281e2c8d0cec714deb838aa46983c6198d2f6ee28b4f0c9c51a1ca02ebfef04b01

Filesize: 711B
MD5: 8af67dc5ff02655af573ccb73f4e9309
SHA1: 7483cd85b02df8b9348cbd8ff4f433846ec5a762
SHA256: d726866c61bdf0303bb5b192e528ba1033e8d6032548a1a6abb66344a150ffd0
SHA512: 79c1eb83fd74dda67242c1b83e5112e686368438313a09b6f4ec29a4ab0781bcb9df7c0504d81baaa3df94f3bc9e84b9a0ffd75920950415fcc33007023ebbb9

Filesize: 487B
MD5: dcaea975968834c372afb33b6a9524a6
SHA1: 3a7effe577310d1b8794bad6f603e5ad946fbbcc
SHA256: 0fead66fa9364890ec94e3046902b047cae057a95eaa0016d0c8d6e7a8e5003a
SHA512: 88413ed638dfd09240b9dfca7d46b4363bcf6a3d4d98484a2f1dafa3751a54ecbbec477deceea5cf9cfab8936103321abda018b40857017629e79c764476eb02

Filesize: 75KB
MD5: e0a68b98992c1699876f818a22b5b907
SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2