Analysis
max time kernel: 119s
max time network: 112s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 21:50
Static task: static1
Behavioral task: behavioral1
  Sample: ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
  Resource: win10v2004-20241007-en
General
Target: ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Size: 1.5MB
MD5: 8b94c19be340bab63211bf41f8cff84a
SHA1: 3b11722edb38d3303fd7f55007750c8567b2bf85
SHA256: ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8
SHA512: 2df90061b7ccfc658736807ed7b89b568ad790ca83748fbe07e659d31916c480f8892fab3a72d42674877e1dec8de6583f3b9e5643785b582bceb2b348f82959
SSDEEP: 24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR6:EzhWhCXQFN+0IEuQgyiVKS
Malware Config
Signatures
DcRat 5 IoCs
DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
pid | Process
2604 | schtasks.exe
1708 | schtasks.exe
2328 | schtasks.exe
1776 | schtasks.exe
Dcrat family
Modifies WinLogon for persistence 2 TTPs 4 IoCs
The Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon is rewritten so that each dropped copy starts alongside explorer.exe at logon; the four writes show the list growing by one path at a time.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E0C\\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe\", \"C:\\Users\\All Users\\Favorites\\services.exe\", \"C:\\Windows\\System32\\regsvc\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\Idle.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E0C\\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E0C\\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe\", \"C:\\Users\\All Users\\Favorites\\services.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E0C\\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe\", \"C:\\Users\\All Users\\Favorites\\services.exe\", \"C:\\Windows\\System32\\regsvc\\wininit.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Process spawned unexpected child process 4 IoCs
Triage's generic note for this signature is that the parent was compromised via an exploit or macro. Here the parent is the WMI provider host, which is consistent with the sample creating the schtasks.exe processes through WMI (Win32_Process.Create), so wmiprvse.exe is recorded as the parent.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2596 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2596 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2328 | 2596 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1776 | 2596 | schtasks.exe | 30
UAC bypass 33 IoCs
Sets EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which together remove UAC prompting for administrators (EnableLUA=0 takes effect after a reboot). The 33 writes are tallied by value and writing process:
description | ioc | Process | entries
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe | 10
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe | 10
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe | 10
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings; the signature covers exclusions for file extensions, paths and processes, and in this run every instance is an Add-MpPreference -ExclusionPath call for one of the dropped copies (see the command lines in the process tree).
pid | Process
1068 | powershell.exe
2204 | powershell.exe
2320 | powershell.exe
2580 | powershell.exe
2136 | powershell.exe
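The two process-creation patterns in the tables above, schtasks.exe with wmiprvse.exe as parent and PowerShell adding Defender exclusions, reduce to a few lines of detection logic. The following is an added example, not Triage's signature code: the event records are constructed from this report's process tree and its "Process spawned unexpected child process" table, the schtasks.exe command lines are left empty because the report does not show them, and the two benign control events (PIDs 4242 and 4243) and the handling of pwsh.exe, -ExclusionProcess and -ExclusionExtension are assumptions that go beyond what the report records.

```python
"""Process-creation detection logic, added as an example for this report; it is
not Triage's signature code. EVENTS is constructed from the report's process
tree and its 'Process spawned unexpected child process' table, plus two
constructed benign control events (PIDs 4242 and 4243) that must not fire."""
import re
from dataclasses import dataclass

SAMPLE = "ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    cmdline: str        # "" where the report does not show the command line


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: tuple


def ps_exclusion(path):
    """Command line in the form the report shows for the five powershell.exe children."""
    return "\"powershell\" -Command Add-MpPreference -ExclusionPath '" + path + "'"


EVENTS = [
    # schtasks.exe instances whose recorded parent is the WMI provider host
    ProcEvent(2604, SCHTASKS, WMIPRVSE, ""),
    ProcEvent(1708, SCHTASKS, WMIPRVSE, ""),
    ProcEvent(2328, SCHTASKS, WMIPRVSE, ""),
    ProcEvent(1776, SCHTASKS, WMIPRVSE, ""),
    # Defender exclusions, one per dropped copy, spawned by the sample itself
    ProcEvent(1068, PS, TEMP + "\\" + SAMPLE, ps_exclusion(TEMP + "\\" + SAMPLE)),
    ProcEvent(2204, PS, TEMP + "\\" + SAMPLE, ps_exclusion(TEMP + r"\dd_vcredistMSI1E0C" + "\\" + SAMPLE)),
    ProcEvent(2320, PS, TEMP + "\\" + SAMPLE, ps_exclusion(r"C:\Users\All Users\Favorites\services.exe")),
    ProcEvent(2580, PS, TEMP + "\\" + SAMPLE, ps_exclusion(r"C:\Windows\System32\regsvc\wininit.exe")),
    ProcEvent(2136, PS, TEMP + "\\" + SAMPLE,
              ps_exclusion(r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe")),
    # constructed benign controls (ordinary admin use, not in the report)
    ProcEvent(4242, SCHTASKS, r"C:\Windows\System32\cmd.exe", "schtasks /query"),
    ProcEvent(4243, PS, r"C:\Windows\explorer.exe", "\"powershell\" -Command Get-MpPreference"),
]

# -ExclusionPath / -ExclusionProcess / -ExclusionExtension with a quoted or bare value
EXCL_RE = re.compile(r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s,]+))", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    findings = []
    for ev in events:
        child, parent = basename(ev.image), basename(ev.parent_image)
        # schtasks.exe under wmiprvse.exe: the scheduler was driven through WMI, not a console
        if child == "schtasks.exe" and parent == "wmiprvse.exe":
            findings.append(Finding("schtasks_from_wmiprvse", ev.pid, (parent, child)))
        # Add-MpPreference with any exclusion parameter; each comma-separated value is one finding
        if child in ("powershell.exe", "pwsh.exe") and re.search(r"\bAdd-MpPreference\b", ev.cmdline, re.I):
            for m in EXCL_RE.finditer(ev.cmdline):
                raw = next(g for g in m.groups()[1:] if g is not None)
                for value in raw.split(","):
                    findings.append(Finding("defender_exclusion", ev.pid, (m.group(1).capitalize(), value.strip())))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f.rule, f.pid, f.detail)
```

Run over the constructed events it yields four schtasks_from_wmiprvse findings (PIDs 2604, 1708, 2328, 1776) and five defender_exclusion findings carrying the excluded paths, which are exactly the drop locations the persistence signatures below refer to; the two control events produce nothing.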
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Executes dropped EXE 10 IoCs
pid | Process
2600 | wininit.exe
2436 | wininit.exe
2360 | wininit.exe
2996 | wininit.exe
2408 | wininit.exe
1520 | wininit.exe
2172 | wininit.exe
1044 | wininit.exe
872 | wininit.exe
2692 | wininit.exe
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Favorites\\services.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\regsvc\\wininit.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\regsvc\\wininit.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\Idle.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\Idle.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E0C\\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E0C\\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Favorites\\services.exe\"" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Checks whether UAC is enabled 22 IoCs
Reads EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and then writes it to 0. The 22 entries are tallied by operation and process:
description | ioc | Process | entries
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe | 10
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe | 10
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\System32\regsvc\wininit.exe | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created | C:\Windows\System32\regsvc\56085415360792 | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File opened for modification | C:\Windows\System32\regsvc\RCX64CE.tmp | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File opened for modification | C:\Windows\System32\regsvc\wininit.exe | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2604 | schtasks.exe
1708 | schtasks.exe
2328 | schtasks.exe
1776 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
The list is capped at 64 entries; repeated entries are tallied.
pid | Process | entries
2400 | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 15
2320 | powershell.exe | 1
2204 | powershell.exe | 1
2136 | powershell.exe | 1
1068 | powershell.exe | 1
2580 | powershell.exe | 1
2600 | wininit.exe | 44
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2400 | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Token: SeDebugPrivilege | 2320 | powershell.exe
Token: SeDebugPrivilege | 2204 | powershell.exe
Token: SeDebugPrivilege | 2136 | powershell.exe
Token: SeDebugPrivilege | 1068 | powershell.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeDebugPrivilege | 2600 | wininit.exe
Token: SeDebugPrivilege | 2436 | wininit.exe
Token: SeDebugPrivilege | 2360 | wininit.exe
Token: SeDebugPrivilege | 2996 | wininit.exe
Token: SeDebugPrivilege | 2408 | wininit.exe
Token: SeDebugPrivilege | 1520 | wininit.exe
Token: SeDebugPrivilege | 2172 | wininit.exe
Token: SeDebugPrivilege | 1044 | wininit.exe
Token: SeDebugPrivilege | 872 | wininit.exe
Token: SeDebugPrivilege | 2692 | wininit.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each process creation is logged three times; the list is capped at 64 entries and stops at PID 1520 writing to 1088, so the later wininit.exe instances in the process tree are not covered here.
description | pid | Process | procid_target | entries
PID 2400 wrote to memory of 1068 | 2400 | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 35 | 3
PID 2400 wrote to memory of 2204 | 2400 | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 36 | 3
PID 2400 wrote to memory of 2320 | 2400 | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 37 | 3
PID 2400 wrote to memory of 2580 | 2400 | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 38 | 3
PID 2400 wrote to memory of 2136 | 2400 | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 39 | 3
PID 2400 wrote to memory of 2600 | 2400 | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 45 | 3
PID 2600 wrote to memory of 2876 | 2600 | wininit.exe | 46 | 3
PID 2600 wrote to memory of 1760 | 2600 | wininit.exe | 47 | 3
PID 2876 wrote to memory of 2436 | 2876 | WScript.exe | 48 | 3
PID 2436 wrote to memory of 2280 | 2436 | wininit.exe | 49 | 3
PID 2436 wrote to memory of 884 | 2436 | wininit.exe | 50 | 3
PID 2280 wrote to memory of 2360 | 2280 | WScript.exe | 51 | 3
PID 2360 wrote to memory of 2604 | 2360 | wininit.exe | 52 | 3
PID 2360 wrote to memory of 1332 | 2360 | wininit.exe | 53 | 3
PID 2604 wrote to memory of 2996 | 2604 | WScript.exe | 54 | 3
PID 2996 wrote to memory of 3068 | 2996 | wininit.exe | 55 | 3
PID 2996 wrote to memory of 2684 | 2996 | wininit.exe | 56 | 3
PID 3068 wrote to memory of 2408 | 3068 | WScript.exe | 57 | 3
PID 2408 wrote to memory of 448 | 2408 | wininit.exe | 58 | 3
PID 2408 wrote to memory of 2336 | 2408 | wininit.exe | 59 | 3
PID 448 wrote to memory of 1520 | 448 | WScript.exe | 60 | 3
PID 1520 wrote to memory of 1088 | 1520 | wininit.exe | 61 | 1
System policy modification 1 TTPs 33 IoCs
The same 33 writes as under UAC bypass, tallied by value and writing process:
description | ioc | Process | entries
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe | 10
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe | 10
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe | 10
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe | 1
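The registry writes reported under Modifies WinLogon for persistence, UAC bypass, Adds Run key to start application and System policy modification all arrive in the same textual form, so one parser can turn them into findings. The following is an added example, not Triage's code: it parses the report's own IoC lines (reused verbatim as constructed input), flags the three UAC policy values being zeroed, any Winlogon Shell value that lists more than explorer.exe, and Run entries whose target sits in a staging directory or borrows the name of a Windows system binary from outside its real directory. The benign Shell write by winlogon.exe at the end of the sample input, the list of system binary names and the staging-directory list are assumptions of this example, not content of the report.

```python
"""Registry-write detection logic, added as an example for this report; it is not
Triage's signature code. SAMPLE_LINES reuses the report's own IoC lines
(Triage's 'Set value (kind) <key> = "<value>" <process>' form) and adds one
constructed benign Winlogon Shell write by winlogon.exe that must not fire."""
import re

SAMPLE = "ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe"
POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKU_RUN = r"\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_LINES = [
    'Set value (int) ' + POLICY + r'\EnableLUA = "0" ' + SAMPLE,
    'Set value (int) ' + POLICY + r'\ConsentPromptBehaviorAdmin = "0" ' + SAMPLE,
    'Set value (int) ' + POLICY + r'\PromptOnSecureDesktop = "0" ' + SAMPLE,
    'Set value (int) ' + POLICY + r'\EnableLUA = "0" wininit.exe',
    'Set value (int) ' + POLICY + r'\ConsentPromptBehaviorAdmin = "0" wininit.exe',
    'Set value (int) ' + POLICY + r'\PromptOnSecureDesktop = "0" wininit.exe',
    'Key value queried ' + POLICY + r'\EnableLUA wininit.exe',  # a read, not a write: ignored
    'Set value (str) ' + WINLOGON + r'\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E0C\\'
    + SAMPLE + r'\", \"C:\\Users\\All Users\\Favorites\\services.exe\", \"C:\\Windows\\System32\\regsvc\\wininit.exe\", '
    + r'\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\Idle.exe\"" ' + SAMPLE,
    'Set value (str) ' + HKLM_RUN + r'\services = "\"C:\\Users\\All Users\\Favorites\\services.exe\"" ' + SAMPLE,
    'Set value (str) ' + HKU_RUN + r'\wininit = "\"C:\\Windows\\System32\\regsvc\\wininit.exe\"" ' + SAMPLE,
    'Set value (str) ' + HKLM_RUN + r'\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\Idle.exe\"" ' + SAMPLE,
    # constructed benign control: the default shell value written by winlogon.exe
    'Set value (str) ' + WINLOGON + r'\Shell = "explorer.exe" winlogon.exe',
]

LINE_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
# assumed list: names of core Windows binaries and the only directory each legitimately lives in
SYSTEM_BINARIES = {"services.exe", "wininit.exe", "winlogon.exe", "lsass.exe",
                   "csrss.exe", "smss.exe", "svchost.exe", "explorer.exe"}
# assumed list: user-writable or installer staging locations (lower-cased substrings)
STAGING_DIRS = (r"\appdata\local\temp", r"\users\all users", r"\programdata", r"\msocache")


def unescape(value):
    """Undo the backslash quoting Triage applies to string values."""
    return re.sub(r"\\(.)", r"\1", value)


def classify_path(path):
    """Reasons a persisted executable path looks suspicious (empty list if none)."""
    reasons = []
    low = path.lower()
    folder, name = low.rsplit("\\", 1)
    if any(d in low for d in STAGING_DIRS):
        reasons.append("user-writable or staging location")
    if name in SYSTEM_BINARIES:
        expected = r"c:\windows" if name == "explorer.exe" else r"c:\windows\system32"
        if folder != expected:
            reasons.append(f"masquerades as {name} outside {expected}")
    return reasons


def analyze(lines):
    """Return (rule, writing process, detail) for each write that matches a rule."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _kind, key, raw_value, proc = m.groups()
        value = unescape(raw_value)
        parent, name = key.rsplit("\\", 1)
        if parent.endswith(r"\Policies\System") and name in UAC_VALUES and value == "0":
            findings.append(("uac_weakened", proc, name + "=0"))
        elif parent.endswith(r"\Winlogon") and name == "Shell":
            # legitimate value is exactly "explorer.exe"; anything else is appended loaders
            entries = [e.strip().strip('"') for e in value.split(",")]
            extra = [e for e in entries if e.lower() != "explorer.exe"]
            if extra:
                findings.append(("winlogon_shell_hijack", proc, extra))
        elif parent.endswith(r"\CurrentVersion\Run"):
            target = value.strip().strip('"')
            findings.append(("run_key", proc, (name, target, classify_path(target))))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in analyze(SAMPLE_LINES):
        print(rule, proc, detail)
```

On the report's lines this yields six uac_weakened findings (three by the sample, three by the dropped wininit.exe), one winlogon_shell_hijack finding listing the four appended executables, and three run_key findings: the regsvc\wininit.exe entry is flagged only for masquerading, the Favorites\services.exe entry for both the location and the name, and the MSOCache\Idle.exe entry for the location alone. The control line is not reported.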
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation follows the depth numbers shown in the report. The sample launches five PowerShell instances and the dropped C:\Windows\System32\regsvc\wininit.exe; from then on each wininit.exe starts a GUID-named .vbs in %TEMP% through WScript.exe, which starts the next wininit.exe, and from PID 1520 downward every wininit.exe starts two such scripts.
[1] C:\Users\Admin\AppData\Local\Temp\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe"
    PID: 2400
    signatures: DcRat; Modifies WinLogon for persistence; UAC bypass; Drops file in Drivers directory; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe'
      PID: 1068
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1E0C\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe'
      PID: 2204
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\services.exe'
      PID: 2320
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\regsvc\wininit.exe'
      PID: 2580
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
      PID: 2136
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\regsvc\wininit.exe
      command line: "C:\Windows\System32\regsvc\wininit.exe"
      PID: 2600
      signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    [3] C:\Windows\System32\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b02b6b2b-fa40-432b-9c44-29ba5553274e.vbs"
        PID: 2876
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\regsvc\wininit.exe
          command line: C:\Windows\System32\regsvc\wininit.exe
          PID: 2436
          signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        [5] C:\Windows\System32\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa438a8-40d2-4a37-8b17-fbd9f2b39155.vbs"
            PID: 2280
            signatures: Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\regsvc\wininit.exe
              command line: C:\Windows\System32\regsvc\wininit.exe
              PID: 2360
              signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
            [7] C:\Windows\System32\WScript.exe
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\664a515f-6d95-4621-b285-d1783615ba40.vbs"
                PID: 2604
                signatures: Suspicious use of WriteProcessMemory
              [8] C:\Windows\System32\regsvc\wininit.exe
                  command line: C:\Windows\System32\regsvc\wininit.exe
                  PID: 2996
                  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
                [9] C:\Windows\System32\WScript.exe
                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d25e8705-b6e4-49c5-a662-b005c6a65e56.vbs"
                    PID: 3068
                    signatures: Suspicious use of WriteProcessMemory
                  [10] C:\Windows\System32\regsvc\wininit.exe
                      command line: C:\Windows\System32\regsvc\wininit.exe
                      PID: 2408
                      signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
                    [11] C:\Windows\System32\WScript.exe
                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48977c0e-56c7-4b11-b20a-11b6b42c2c4c.vbs"
                        PID: 448
                        signatures: Suspicious use of WriteProcessMemory
                      [12] C:\Windows\System32\regsvc\wininit.exe
                          command line: C:\Windows\System32\regsvc\wininit.exe
                          PID: 1520
                          signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
                        [13] C:\Windows\System32\WScript.exe
                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7adfeea4-bb31-4712-bfc6-e6d641ca5a75.vbs"
                            PID: 1088
                          [14] C:\Windows\System32\regsvc\wininit.exe
                              command line: C:\Windows\System32\regsvc\wininit.exe
                              PID: 2172
                              signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
                            [15] C:\Windows\System32\WScript.exe
                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48b7f245-b0e4-48f2-99ba-187f710b2c24.vbs"
                                PID: 2236
                              [16] C:\Windows\System32\regsvc\wininit.exe
                                  command line: C:\Windows\System32\regsvc\wininit.exe
                                  PID: 1044
                                  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
                                [17] C:\Windows\System32\WScript.exe
                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c213a9ad-3336-460f-96d1-d1e3f183e457.vbs"
                                    PID: 3000
                                  [18] C:\Windows\System32\regsvc\wininit.exe
                                      command line: C:\Windows\System32\regsvc\wininit.exe
                                      PID: 872
                                      signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
                                    [19] C:\Windows\System32\WScript.exe
                                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cfeb820-53ad-45c0-ac9e-0108a9202647.vbs"
                                        PID: 2508
                                      [20] C:\Windows\System32\regsvc\wininit.exe
                                          command line: C:\Windows\System32\regsvc\wininit.exe
                                          PID: 2692
                                          signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
                                        [21] C:\Windows\System32\WScript.exe
                                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\939b9795-7040-4236-8d8b-e675fe0b9ca0.vbs"
                                            PID: 2232
                                        [21] C:\Windows\System32\WScript.exe
                                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\314acb3d-32e0-4681-a24f-f1e0171b339f.vbs"
                                            PID: 2352
                                    [19] C:\Windows\System32\WScript.exe
                                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\654c2718-2d21-4200-9f83-d5dcad74f119.vbs"
                                        PID: 2324
                                [17] C:\Windows\System32\WScript.exe
                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37270240-1f1d-4e2d-b419-de0c942a315a.vbs"
                                    PID: 2812
                            [15] C:\Windows\System32\WScript.exe
                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68e0a1d2-53a8-4ab8-9ff3-0b78fbfc9980.vbs"
                                PID: 2696
                        [13] C:\Windows\System32\WScript.exe
                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b196f90f-37d1-44a9-906f-715b12827950.vbs"
                            PID: 1748
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c3d37d0-96dd-4bdd-8d33-599f73270094.vbs"11⤵PID:2336
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4923294-6fd8-4753-b66d-96091d5832ef.vbs"9⤵PID:2684
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\426f5474-7e9d-416e-a9f8-1ec1e055d798.vbs"7⤵PID:1332
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b1bca84-ad4c-41c3-89ee-ad78af7be4b1.vbs"5⤵PID:884
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d3fc413-503b-46d8-b2fb-08ba686a8ee3.vbs"3⤵PID:1760
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1E0C\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\regsvc\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
Network
MITRE ATT&CK Enterprise v15 (number in brackets is the report's hit count per technique)

Execution
- Command and Scripting Interpreter (T1059) [1]
  - PowerShell (T1059.001) [1]
- Scheduled Task/Job (T1053) [1]
  - Scheduled Task (T1053.005) [1]

Persistence
- Boot or Logon Autostart Execution (T1547) [2]
  - Registry Run Keys / Startup Folder (T1547.001) [1]
  - Winlogon Helper DLL (T1547.004) [1]
- Scheduled Task/Job (T1053) [1]
  - Scheduled Task (T1053.005) [1]

Privilege Escalation
- Abuse Elevation Control Mechanism (T1548) [1]
  - Bypass User Account Control (T1548.002) [1]
- Boot or Logon Autostart Execution (T1547) [2]
  - Registry Run Keys / Startup Folder (T1547.001) [1]
  - Winlogon Helper DLL (T1547.004) [1]
- Scheduled Task/Job (T1053) [1]
  - Scheduled Task (T1053.005) [1]
Downloads

- File (path not shown in this report)
  Filesize: 713B
  MD5: 1e5a9b158ff55558b0b58763c553362d
  SHA1: 99df696fae2a0ceb64f9d9e893c6f4f185d918df
  SHA256: fef16127072ec1a843cd31057bb917e83d91aed4af714afe52451c96c13ca519
  SHA512: 10673613854dfe3e7531baf7732917fae161c47e7a730ec578408fade330a5b4723eac2b6127b22077102fbf96facd4c85c9b8b6c18d4ae5093215a0a9469789

- File (path not shown in this report)
  Filesize: 490B
  MD5: f184ece9fa00cee548304838df2117f4
  SHA1: fdc02a4c818bffa0345d40c04b5ce72cef517b96
  SHA256: e57d460b35c25010bf2de0b3efdd8de9797b343d71607b11ac80d08adc92de84
  SHA512: 3436cc5b539e8e77f9d54bd2d582f3f9ed3a0e1440a1ed83120d0d3f7b7d27be5380f5673b15996e2d4068043be010bf9e6bffc0cda2041477782578414d5bc7

- File (path not shown in this report)
  Filesize: 714B
  MD5: f4ec03321de4b81e713993be355e5998
  SHA1: d815139440d5145e17bdf0640fb3a3bc45c046e7
  SHA256: 035be9d6e022ddf4714bb79f7556386af4fec1891f098a148c6d7163266d5aa8
  SHA512: a147bcb83a29ff4b65171ee4a1b94d3f60f6b8279cb7ab026e0b62088f620808744c02740ea1edcef2e801198e3a4def3ba11eda48001e431e21ca682e61811c

- File (path not shown in this report)
  Filesize: 714B
  MD5: a016129c67bba890b3c01c2a731bd20b
  SHA1: 405fb51f9718f0cf94a957986c69f24917d498fb
  SHA256: 803af001fc4b3ba58e411855b164cddee324465b0f3ea6876289260014185ad1
  SHA512: f1ccf5b3be6e32aff643d0756e1384752abbc90456decbd2ffe35919ef6bd9dd34729f24abd002e902b49921a74a2743667de61b797d62cb8d75835183f46edd

- File (path not shown in this report)
  Filesize: 714B
  MD5: 0cffe37a026493824a6d43b2f317eac8
  SHA1: 6f067c6e8a690c892f315bf422a3a9b7ed065bf9
  SHA256: 944b574772de5cbfed9cb310cc62b212fad4dc15ce0083a04b484d63fea60910
  SHA512: 475111058d9437212f6608dc655d99bdd453148c0f7098c4ebee3e13fce23cb258004229e885463376e5a42edeecd0ee9232b8efbcafe1331ad9b42da71fe539

- File (path not shown in this report)
  Filesize: 714B
  MD5: 97a8b82bcf05923e1bebf458e8227c0b
  SHA1: 14628ccf51f7a9f34c5dd0f3ed1d6c2af3f48566
  SHA256: 164822c223ad53da9dad98f4981a88e025e93da882681d23caacab25b35a40e3
  SHA512: 02c033c914730df40103fa0d072a71546e16070ad63d32352ad87ce455fa74da28fc29101d6b7161bef836f6fc78259b663f5bce6b78c23b5efceafe455a71ec

- File (path not shown in this report)
  Filesize: 714B
  MD5: b08738a6a8ecf95224353ed3d4774170
  SHA1: 48587543fa31be9a5130c4e9a1169bfdc456db43
  SHA256: e34165be6a01f53652bf72f56f247c97827468992e8edcb447d32a335347265f
  SHA512: 6c42123890a03cb1cfa9b7e6dbc9d813ca24ccfa2cf90f19e1595271eb62ff22579d30ea6bad9ec60262e28376bdf398fd72bb95b341ceee2a522d343865b617

- File (path not shown in this report)
  Filesize: 714B
  MD5: f06eb762c59145211505f6771dc45f7e
  SHA1: eb8dde61e4975ba50355062bfb6350f592ae80d9
  SHA256: 73c33a4b5fb191ed02195bfb5bc4408ea032b09d303d34c7bbda9362405d9ba4
  SHA512: 96c8900a5a485a4e66bcd7063ef6b5316de4231e968839ac3c1daa86c2b11558618ce4e20257b45afe0910c6140412b3f449a96a54abadbac9a27b8a93ea8d0c

- File (path not shown in this report)
  Filesize: 714B
  MD5: 6b05a154b2bd80312f90aa9df11b11ed
  SHA1: ce1387851971302a1e65ad03ff853912cc3f1218
  SHA256: 79f9d1dd5dc1cc041fbc54a4066cad9fc3f72e3f39aa69723482d25ef0ae9ff9
  SHA512: 0b5c775d07e9dc9ab1d0d718f277d601679697cb616712e5461f23cac9a0914eee4eccfef186f70daf0c1b489c874398a17b2d21e4b22f1a4f1c05a1fab6d089

- File (path not shown in this report)
  Filesize: 714B
  MD5: 52fce861bb9e9e4c4a64c7337116df41
  SHA1: 8e139e45821cae3f183470d489a65a6008587ff4
  SHA256: 0e070b6235b76d1d660108c6c2bd2118c7c51c15ceb429e50208c20813436126
  SHA512: 490266fdb5cbd55bbc6e2766f6768b9b4e9b27946eb4ffc8a0a700ca8e5e7996514824f9e0758f7eb46ac6e296cad79e7d8b3713f0057df9977c593016638f53

- File (path not shown in this report)
  Filesize: 714B
  MD5: 3ae46012033ada0e873ef48627149b1d
  SHA1: 56dcc8f78a90f3030dfcdc2fc724c00660119acb
  SHA256: 78a5fc606633e5ec992278008afafc6f7225c4b26121d97bd024833de0afc806
  SHA512: aa1a34b5faae24859c8b8847aab356c42b61e99138c8321867206aa39042a4a2aafaf85e513eb78ce508711754244becc256d380f579a6fc0433b85542e42926

- C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1E0C\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
  Filesize: 1.5MB
  MD5: 8b94c19be340bab63211bf41f8cff84a
  SHA1: 3b11722edb38d3303fd7f55007750c8567b2bf85
  SHA256: ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8
  SHA512: 2df90061b7ccfc658736807ed7b89b568ad790ca83748fbe07e659d31916c480f8892fab3a72d42674877e1dec8de6583f3b9e5643785b582bceb2b348f82959

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 8e5af74a4e6322ded1b27b219f51fed2
  SHA1: 1db78d54a7643f8bab66409b3f8ebfc187ec9124
  SHA256: 0c47d639078d4bb67f18e70ec1dda4e0810bf1b36f5e1350e9fbb3f46a00fb59
  SHA512: b84d3e645460ba83ffa4704ed0696750f79f8a87dd49ba561db83df06bab1bbec619a45eee0449868613b52944b1f58e2bddf48488943320f45fab19e7e5287a