Overview
Task scores (per sandbox task, as shown in the report tabs):
- static: 10
- ec455e7827...ff.exe on windows7-x64: 3
- ec455e7827...ff.exe on windows10-2004-x64: 10
- ec455e7827...ff.exe on android-9-x86: 10
- ec455e7827...ff.exe on android-10-x64: no score
- ec455e7827...ff.exe on android-11-x64: no score
- ec455e7827...ff.exe on macos-10.15-amd64: no score
- ec455e7827...ff.exe on ubuntu-18.04-amd64: no score
- ec455e7827...ff.exe on debian-9-armhf: no score
- ec455e7827...ff.exe on debian-9-mips: no score
- ec455e7827...ff.exe on debian-9-mipsel: no score
Analysis
- max time kernel: 900s
- max time network: 898s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-01-2025 06:01
Static task
- static1

Behavioral tasks (sample is ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe in every task)
- behavioral1: resource win7-20240903-en
- behavioral2: resource win10v2004-20241007-en
- behavioral3: resource android-x86-arm-20240624-en
- behavioral4: resource android-x64-20240624-en
- behavioral5: resource android-x64-arm64-20240624-en
- behavioral6: resource macos-20241101-en
- behavioral7: resource ubuntu1804-amd64-20240508-en
- behavioral8: resource debian9-armhf-20240611-en
- behavioral9: resource debian9-mipsbe-20240729-en
- behavioral10: resource debian9-mipsel-20240418-en
General
- Target: ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
- Size: 1.5MB
- MD5: 207f37be38ccbb0fe77bda8d4ab69187
- SHA1: 97a4aa79a700e336ca8450bfbf38d7e18215173b
- SHA256: ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff
- SHA512: 34350185b31d087e3d9027bdaa382497c061d68fd9d30a201d2563598fdaf2ef05dc8f08f27bc13af0303fc5694f2fea997e1ef042168e705cc83c3f23f6c93e
- SSDEEP: 24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRK:kzhWhCXQFN+0IEuQgyiVKS
Malware Config
Signatures
DcRat 15 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description / ioc / pid / Process:
- pid 2516 schtasks.exe
- pid 592 schtasks.exe
- pid 2668 schtasks.exe
- pid 2980 schtasks.exe
- pid 2628 schtasks.exe
- pid 2996 schtasks.exe
- pid 2084 schtasks.exe
- pid 896 schtasks.exe
- pid 1868 schtasks.exe
- pid 2420 schtasks.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
- pid 548 schtasks.exe
- pid 1084 schtasks.exe
- pid 820 schtasks.exe
- pid 2324 schtasks.exe

Dcrat family
Modifies WinLogon for persistence 2 TTPs 14 IoCs
description / ioc / Process (every row is "Set value (str)" on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe; the Shell value is rewritten each time with a longer list of dropped copies):
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\PerfLogs\\Admin\\lsass.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\PerfLogs\\Admin\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\de-DE\\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\", \"C:\\Documents and Settings\\services.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\PerfLogs\\Admin\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\de-DE\\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\PortableDeviceWiaCompat\\wininit.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\sppsvc.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\PerfLogs\\Admin\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\de-DE\\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\PerfLogs\\Admin\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\de-DE\\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\PortableDeviceWiaCompat\\wininit.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\PerfLogs\\Admin\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\de-DE\\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\PortableDeviceWiaCompat\\wininit.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\PerfLogs\\Admin\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\de-DE\\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Windows\\System32\\PortableDeviceWiaCompat\\wininit.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\audiodg.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\""
- Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\lz32\\lsm.exe\", \"C:\\Windows\\System32\\winload\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\PerfLogs\\Admin\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\de-DE\\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe\""
Process spawned unexpected child process 14 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description / pid / pid_target / Process / procid_target (every row reads "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 1764, Process schtasks.exe and procid_target 30):
- pid 896
- pid 592
- pid 548
- pid 820
- pid 2324
- pid 2084
- pid 2980
- pid 2628
- pid 2668
- pid 2516
- pid 1084
- pid 1868
- pid 2420
- pid 2996
description / ioc / Process (64 rows, identical rows grouped with their occurrence count):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe (23 occurrences)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe (2 occurrences)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe (16 occurrences)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe (23 occurrences)
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process (all powershell.exe): 2256, 1324, 856, 2356, 1288, 2604, 1928, 1308, 820, 1736, 2936, 2520, 1060, 2360, 3024, 1980
Drops file in Drivers directory 1 IoCs
description / ioc / Process:
- File opened for modification C:\Windows\System32\drivers\etc\hosts ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Executes dropped EXE 64 IoCs
pid / Process:
- 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
- WmiPrvSE.exe (63 instances): 1200, 2692, 2928, 2488, 1328, 2672, 2632, 1632, 688, 1564, 624, 1656, 3016, 3052, 1564, 3036, 2212, 2220, 1484, 2504, 2824, 1524, 932, 1300, 1488, 1144, 1788, 1280, 956, 2848, 1616, 2468, 2908, 1864, 2932, 2872, 2988, 908, 2736, 1500, 1632, 1692, 1496, 2860, 1288, 2108, 2180, 960, 2628, 2232, 1768, 784, 2676, 2700, 2068, 2044, 592, 2124, 2272, 2684, 1488, 2352, 2448
Adds Run key to start application 2 TTPs 28 IoCs
description / ioc / Process (every row is "Set value (str)" by ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe):
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\winload\\winlogon.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Uninstall Information\\audiodg.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Desktop\\lsm.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Desktop\\lsm.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\winload\\winlogon.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\PerfLogs\\Admin\\dwm.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff = "\"C:\\Program Files\\Windows Mail\\de-DE\\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\sppsvc.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\lz32\\lsm.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\PortableDeviceWiaCompat\\wininit.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\sppsvc.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Uninstall Information\\audiodg.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\PerfLogs\\Admin\\dwm.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\PerfLogs\\Admin\\lsass.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\bthprops\\csrss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\PortableDeviceWiaCompat\\wininit.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\bthprops\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\lz32\\lsm.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\PerfLogs\\Admin\\lsass.exe\""
- \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff = "\"C:\\Program Files\\Windows Mail\\de-DE\\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe\""
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Drops file in System32 directory 15 IoCs
description ioc Process
File opened for modification C:\Windows\System32\bthprops\RCX7361.tmp ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Windows\System32\lz32\101b941d020240 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification C:\Windows\System32\lz32\RCX6D55.tmp ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Windows\System32\lz32\lsm.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification C:\Windows\System32\winload\RCX6F59.tmp ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification C:\Windows\System32\bthprops\csrss.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Windows\System32\PortableDeviceWiaCompat\wininit.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Windows\System32\PortableDeviceWiaCompat\56085415360792 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification C:\Windows\System32\PortableDeviceWiaCompat\wininit.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Windows\System32\winload\winlogon.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Windows\System32\winload\cc11b995f2a76d ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification C:\Windows\System32\lz32\lsm.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification C:\Windows\System32\winload\winlogon.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Windows\System32\bthprops\csrss.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Windows\System32\bthprops\886983d96e3d3e ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Drops file in Program Files directory 6 IoCs
description ioc Process
File created C:\Program Files\Windows Mail\de-DE\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification C:\Program Files\Windows Mail\de-DE\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Program Files\Windows Mail\de-DE\2f95cbfd2b9a7e ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Program Files (x86)\Uninstall Information\audiodg.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Program Files (x86)\Uninstall Information\42af1c969fbb7b ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification C:\Program Files (x86)\Uninstall Information\audiodg.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created C:\Windows\Performance\WinSAT\DataStore\f3b6ecef712a24 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2084 schtasks.exe
2980 schtasks.exe
2324 schtasks.exe
2668 schtasks.exe
1084 schtasks.exe
2420 schtasks.exe
896 schtasks.exe
592 schtasks.exe
548 schtasks.exe
1868 schtasks.exe
2516 schtasks.exe
2996 schtasks.exe
820 schtasks.exe
2628 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2356 powershell.exe
1060 powershell.exe
2360 powershell.exe
1288 powershell.exe
2256 powershell.exe
856 powershell.exe
1928 powershell.exe
1308 powershell.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2520 powershell.exe
1324 powershell.exe
820 powershell.exe
2604 powershell.exe
3024 powershell.exe
1736 powershell.exe
2936 powershell.exe
1980 powershell.exe
1200 WmiPrvSE.exe
1200 WmiPrvSE.exe
1200 WmiPrvSE.exe
1200 WmiPrvSE.exe
1200 WmiPrvSE.exe
1200 WmiPrvSE.exe
1200 WmiPrvSE.exe
1200 WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Token: SeDebugPrivilege 2356 powershell.exe
Token: SeDebugPrivilege 1060 powershell.exe
Token: SeDebugPrivilege 2360 powershell.exe
Token: SeDebugPrivilege 1288 powershell.exe
Token: SeDebugPrivilege 2256 powershell.exe
Token: SeDebugPrivilege 856 powershell.exe
Token: SeDebugPrivilege 1928 powershell.exe
Token: SeDebugPrivilege 1308 powershell.exe
Token: SeDebugPrivilege 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Token: SeDebugPrivilege 2520 powershell.exe
Token: SeDebugPrivilege 1324 powershell.exe
Token: SeDebugPrivilege 820 powershell.exe
Token: SeDebugPrivilege 2604 powershell.exe
Token: SeDebugPrivilege 3024 powershell.exe
Token: SeDebugPrivilege 1736 powershell.exe
Token: SeDebugPrivilege 2936 powershell.exe
Token: SeDebugPrivilege 1980 powershell.exe
Token: SeDebugPrivilege 1200 WmiPrvSE.exe
Token: SeDebugPrivilege 2692 WmiPrvSE.exe
Token: SeDebugPrivilege 2928 WmiPrvSE.exe
Token: SeDebugPrivilege 2488 WmiPrvSE.exe
Token: SeDebugPrivilege 1328 WmiPrvSE.exe
Token: SeDebugPrivilege 2672 WmiPrvSE.exe
Token: SeDebugPrivilege 2632 WmiPrvSE.exe
Token: SeDebugPrivilege 1632 WmiPrvSE.exe
Token: SeDebugPrivilege 688 WmiPrvSE.exe
Token: SeDebugPrivilege 1564 WmiPrvSE.exe
Token: SeDebugPrivilege 624 WmiPrvSE.exe
Token: SeDebugPrivilege 1656 WmiPrvSE.exe
Token: SeDebugPrivilege 3016 WmiPrvSE.exe
Token: SeDebugPrivilege 3052 WmiPrvSE.exe
Token: SeDebugPrivilege 1564 WmiPrvSE.exe
Token: SeDebugPrivilege 3036 WmiPrvSE.exe
Token: SeDebugPrivilege 2212 WmiPrvSE.exe
Token: SeDebugPrivilege 2220 WmiPrvSE.exe
Token: SeDebugPrivilege 1484 WmiPrvSE.exe
Token: SeDebugPrivilege 2504 WmiPrvSE.exe
Token: SeDebugPrivilege 2824 WmiPrvSE.exe
Token: SeDebugPrivilege 1524 WmiPrvSE.exe
Token: SeDebugPrivilege 932 WmiPrvSE.exe
Token: SeDebugPrivilege 1300 WmiPrvSE.exe
Token: SeDebugPrivilege 1488 WmiPrvSE.exe
Token: SeDebugPrivilege 1144 WmiPrvSE.exe
Token: SeDebugPrivilege 1788 WmiPrvSE.exe
Token: SeDebugPrivilege 1280 WmiPrvSE.exe
Token: SeDebugPrivilege 956 WmiPrvSE.exe
Token: SeDebugPrivilege 2848 WmiPrvSE.exe
Token: SeDebugPrivilege 1616 WmiPrvSE.exe
Token: SeDebugPrivilege 2468 WmiPrvSE.exe
Token: SeDebugPrivilege 2908 WmiPrvSE.exe
Token: SeDebugPrivilege 1864 WmiPrvSE.exe
Token: SeDebugPrivilege 2932 WmiPrvSE.exe
Token: SeDebugPrivilege 2872 WmiPrvSE.exe
Token: SeDebugPrivilege 2988 WmiPrvSE.exe
Token: SeDebugPrivilege 908 WmiPrvSE.exe
Token: SeDebugPrivilege 2736 WmiPrvSE.exe
Token: SeDebugPrivilege 1500 WmiPrvSE.exe
Token: SeDebugPrivilege 1632 WmiPrvSE.exe
Token: SeDebugPrivilege 1692 WmiPrvSE.exe
Token: SeDebugPrivilege 1496 WmiPrvSE.exe
Token: SeDebugPrivilege 2860 WmiPrvSE.exe
Token: SeDebugPrivilege 1288 WmiPrvSE.exe
Token: SeDebugPrivilege 2108 WmiPrvSE.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2036 wrote to memory of 856 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 39
PID 2036 wrote to memory of 856 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 39
PID 2036 wrote to memory of 856 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 39
PID 2036 wrote to memory of 1928 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 40
PID 2036 wrote to memory of 1928 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 40
PID 2036 wrote to memory of 1928 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 40
PID 2036 wrote to memory of 1288 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 41
PID 2036 wrote to memory of 1288 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 41
PID 2036 wrote to memory of 1288 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 41
PID 2036 wrote to memory of 1308 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 43
PID 2036 wrote to memory of 1308 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 43
PID 2036 wrote to memory of 1308 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 43
PID 2036 wrote to memory of 2256 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 45
PID 2036 wrote to memory of 2256 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 45
PID 2036 wrote to memory of 2256 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 45
PID 2036 wrote to memory of 2360 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 46
PID 2036 wrote to memory of 2360 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 46
PID 2036 wrote to memory of 2360 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 46
PID 2036 wrote to memory of 1060 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 47
PID 2036 wrote to memory of 1060 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 47
PID 2036 wrote to memory of 1060 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 47
PID 2036 wrote to memory of 2356 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 48
PID 2036 wrote to memory of 2356 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 48
PID 2036 wrote to memory of 2356 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 48
PID 2036 wrote to memory of 1484 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 55
PID 2036 wrote to memory of 1484 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 55
PID 2036 wrote to memory of 1484 2036 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 55
PID 1484 wrote to memory of 1704 1484 cmd.exe 57
PID 1484 wrote to memory of 1704 1484 cmd.exe 57
PID 1484 wrote to memory of 1704 1484 cmd.exe 57
PID 1484 wrote to memory of 2952 1484 cmd.exe 58
PID 1484 wrote to memory of 2952 1484 cmd.exe 58
PID 1484 wrote to memory of 2952 1484 cmd.exe 58
PID 2952 wrote to memory of 820 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 66
PID 2952 wrote to memory of 820 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 66
PID 2952 wrote to memory of 820 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 66
PID 2952 wrote to memory of 1736 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 67
PID 2952 wrote to memory of 1736 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 67
PID 2952 wrote to memory of 1736 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 67
PID 2952 wrote to memory of 2604 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 69
PID 2952 wrote to memory of 2604 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 69
PID 2952 wrote to memory of 2604 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 69
PID 2952 wrote to memory of 2520 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 70
PID 2952 wrote to memory of 2520 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 70
PID 2952 wrote to memory of 2520 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 70
PID 2952 wrote to memory of 1324 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 71
PID 2952 wrote to memory of 1324 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 71
PID 2952 wrote to memory of 1324 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 71
PID 2952 wrote to memory of 2936 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 73
PID 2952 wrote to memory of 2936 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 73
PID 2952 wrote to memory of 2936 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 73
PID 2952 wrote to memory of 1980 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 74
PID 2952 wrote to memory of 1980 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 74
PID 2952 wrote to memory of 1980 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 74
PID 2952 wrote to memory of 3024 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 76
PID 2952 wrote to memory of 3024 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 76
PID 2952 wrote to memory of 3024 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 76
PID 2952 wrote to memory of 1532 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 82
PID 2952 wrote to memory of 1532 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 82
PID 2952 wrote to memory of 1532 2952 ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe 82
PID 1532 wrote to memory of 2280 1532 cmd.exe 84
PID 1532 wrote to memory of 2280 1532 cmd.exe 84
PID 1532 wrote to memory of 2280 1532 cmd.exe 84
PID 1532 wrote to memory of 1200 1532 cmd.exe 85
System policy modification 1 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
Depth: 1
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2036 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\lz32\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\winload\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\bthprops\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pz54l4hn7h.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1704
-
-
C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe"C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2952 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\services.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PortableDeviceWiaCompat\wininit.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\audiodg.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2nBQS9KNh.bat"4⤵
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵PID:2280
-
-
        Self-relaunch chain, depth 5 onward. Every odd depth is the dropped binary
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe run with no arguments;
        every even depth is C:\Windows\System32\WScript.exe running a GUID-named script in
        C:\Users\Admin\AppData\Local\Temp\ that starts the next copy, and the chain only stops when the
        analysis window ends. Signature abbreviations: UB = UAC bypass, EX = Executes dropped EXE,
        CU = Checks whether UAC is enabled, EP = Suspicious behavior: EnumeratesProcesses,
        AP = Suspicious use of AdjustPrivilegeToken, SP = System policy modification.
        PIDs recur (1564, 2832, 1632, ...) because Windows reuses the PIDs of exited processes.

        depth  PID   process        script / signatures
            5  1200  WmiPrvSE.exe   UB EX CU EP AP SP
            6  3000  WScript.exe    14aac92b-1a3d-490e-abfa-d1470bd0e252.vbs
            7  2692  WmiPrvSE.exe   UB EX AP
            8  2664  WScript.exe    3e581f7a-a26d-4827-bf37-41f28aa734b6.vbs
            9  2928  WmiPrvSE.exe   UB EX CU AP
           10  2200  WScript.exe    1e8bb6fc-aaaf-4d41-b589-64e7dadb7b1c.vbs
           11  2488  WmiPrvSE.exe   UB EX CU AP SP
           12  1564  WScript.exe    c01cf770-fbc8-4c3c-b3fd-f670bb2aa132.vbs
           13  1328  WmiPrvSE.exe   EX CU AP
           14  1532  WScript.exe    79d9bb9e-5630-47d5-939a-81bdd3c6da06.vbs
           15  2672  WmiPrvSE.exe   UB EX AP SP
           16  2504  WScript.exe    f076f326-fc17-4cbe-ac48-d915160e5e49.vbs
           17  2632  WmiPrvSE.exe   UB EX AP SP
           18   568  WScript.exe    31e796bf-3d83-4555-8da0-408ce95f7199.vbs
           19  1632  WmiPrvSE.exe   UB EX AP
           20  1256  WScript.exe    0dd67e95-d470-4149-b9bd-e90a8599c7bd.vbs
           21   688  WmiPrvSE.exe   EX CU AP
           22  1700  WScript.exe    46e73f8e-a85d-4f39-9a4e-a800329e3beb.vbs
           23  1564  WmiPrvSE.exe   UB EX AP SP
           24  2256  WScript.exe    62bb5bfc-90dc-4ce1-a8e2-c6dc6b9526f3.vbs
           25   624  WmiPrvSE.exe   UB EX CU AP SP
           26  2212  WScript.exe    eec580d3-44d2-4339-a9d7-e0a61d8a2114.vbs
           27  1656  WmiPrvSE.exe   UB EX AP SP
           28  1108  WScript.exe    e9117b2b-6810-404d-ad7e-15f8a505ec09.vbs
           29  3016  WmiPrvSE.exe   EX AP
           30  1680  WScript.exe    1fddd899-d2f3-407d-badd-905b61b22d97.vbs
           31  3052  WmiPrvSE.exe   UB EX CU AP
           32  2204  WScript.exe    3a346505-58f5-4429-b0ec-eb44368c6aab.vbs
           33  1564  WmiPrvSE.exe   UB EX CU AP SP
           34  2832  WScript.exe    432bc2f3-6454-4dca-8551-a4ca636fb28a.vbs
           35  3036  WmiPrvSE.exe   EX CU AP SP
           36  2780  WScript.exe    fd3de68e-6bb0-428f-8464-879aaf6b25d3.vbs
           37  2212  WmiPrvSE.exe   UB EX AP SP
           38   308  WScript.exe    fee0c42c-d171-4d17-84b4-e5462a2661bd.vbs
           39  2220  WmiPrvSE.exe   UB EX CU AP
           40  1160  WScript.exe    89805a98-6c12-4a69-8db7-7983ab96f65d.vbs
           41  1484  WmiPrvSE.exe   UB EX AP SP
           42  1932  WScript.exe    f3dbc889-7b28-4cd8-81a9-0532b07be37a.vbs
           43  2504  WmiPrvSE.exe   EX CU AP SP
           44  2832  WScript.exe    c6b641d4-fa3e-4b1e-ae4c-411df0e4cce2.vbs
           45  2824  WmiPrvSE.exe   UB EX CU AP
           46  1264  WScript.exe    cee6b21c-47ee-47fa-a6e7-8c00c841e0cf.vbs
           47  1524  WmiPrvSE.exe   UB EX AP SP
           48   688  WScript.exe    b5234141-b553-4dc1-aa33-72d813a47bc3.vbs
           49   932  WmiPrvSE.exe   EX CU AP
           50  2740  WScript.exe    63bd1024-0b27-4681-8255-a5a94e9b1a92.vbs
           51  1300  WmiPrvSE.exe   UB EX CU AP
           52  1856  WScript.exe    fee43dbf-d03c-4683-bca2-a4de436fcf6d.vbs
           53  1488  WmiPrvSE.exe   UB EX CU AP SP
           54  1404  WScript.exe    9735fe81-ab78-4bd6-85e2-8a3989529f1d.vbs
           55  1144  WmiPrvSE.exe   UB EX CU AP
           56  1564  WScript.exe    6e9013eb-2cce-4cb7-810c-dce5f71d598c.vbs
           57  1788  WmiPrvSE.exe   UB EX CU AP
           58   624  WScript.exe    b1bc04a9-4ffc-45d2-9a9d-4838fe11613f.vbs
           59  1280  WmiPrvSE.exe   UB EX AP SP
           60  2884  WScript.exe    e021129f-0511-4fe2-b98e-1a5bda91e78d.vbs
           61   956  WmiPrvSE.exe   EX AP SP
           62  1612  WScript.exe    999f9d9d-7930-44d0-a7d1-e6d5244c5fee.vbs
           63  2848  WmiPrvSE.exe   UB EX CU AP SP
           64   932  WScript.exe    61f33e59-a056-48ad-a855-8858bc000876.vbs
           65  1616  WmiPrvSE.exe   UB EX CU AP
           66  2932  WScript.exe    37407dac-650d-4943-9bb6-f5ff95d13a58.vbs
           67  2468  WmiPrvSE.exe   UB EX CU AP SP
           68  1264  WScript.exe    f645760a-5718-486d-b4db-cd3d07561b86.vbs
           69  2908  WmiPrvSE.exe   UB EX AP SP
           70  3060  WScript.exe    fe8f03ba-da76-4492-b617-f2ffccce78fb.vbs
           71  1864  WmiPrvSE.exe   EX CU AP SP
           72  2776  WScript.exe    6ed5d80e-77fb-4c1c-9d56-894841b40e3b.vbs
           73  2932  WmiPrvSE.exe   UB EX CU AP
           74  2536  WScript.exe    e19012a9-7652-423f-883a-f23553861872.vbs
           75  2872  WmiPrvSE.exe   UB EX CU AP
           76  2276  WScript.exe    62bb405c-1fda-47a6-b330-9d8088fb0474.vbs
           77  2988  WmiPrvSE.exe   UB EX CU AP
           78  3056  WScript.exe    033926ac-d838-4812-8039-fd3fe2d2c07f.vbs
           79   908  WmiPrvSE.exe   UB EX CU AP
           80  1948  WScript.exe    49047656-0279-4861-be8d-947802999ed1.vbs
           81  2736  WmiPrvSE.exe   UB EX AP
           82  1964  WScript.exe    cf416218-f9f3-461a-a7aa-a53a0ecaccd7.vbs
           83  1500  WmiPrvSE.exe   UB EX CU AP SP
           84  2044  WScript.exe    665c5b70-c08f-4128-8f3b-00f01be8dd0e.vbs
           85  1632  WmiPrvSE.exe   EX AP SP
           86  3064  WScript.exe    774df207-493f-4833-a6b3-5e26ea90a592.vbs
           87  1692  WmiPrvSE.exe   EX CU AP SP
           88  2424  WScript.exe    cac2a0da-258d-4f63-b9e6-debf25792870.vbs
           89  1496  WmiPrvSE.exe   UB EX CU AP SP
           90  1948  WScript.exe    fa8cf5e9-ab56-4a69-9e0e-a7b7e0dcc074.vbs
           91  2860  WmiPrvSE.exe   UB EX CU AP SP
           92  1880  WScript.exe    9ec2ed92-fff6-4201-8df7-877b5cf4ab16.vbs
           93  1288  WmiPrvSE.exe   UB EX CU AP
           94  1632  WScript.exe    7c8395ad-1cbe-4d20-bfc5-8fa105d31d21.vbs
           95  2108  WmiPrvSE.exe   UB EX CU AP
           96  1436  WScript.exe    528857b3-9262-4e17-a0d7-22214f515281.vbs
           97  2180  WmiPrvSE.exe   EX SP
           98  2828  WScript.exe    f1e8a6b5-99ab-4e2a-bf57-e474ac935d9f.vbs
           99   960  WmiPrvSE.exe   UB EX CU SP
          100  1496  WScript.exe    26b48590-9db9-4ddd-8b13-3aa30c9256c2.vbs
          101  2628  WmiPrvSE.exe   UB EX CU SP
          102  1300  WScript.exe    1903b9df-4ba4-4eae-bdc1-8cb110328c52.vbs
          103  2232  WmiPrvSE.exe   EX CU SP
          104  2108  WScript.exe    8b4fe274-239b-4ac3-ac55-2d0a5518b9a1.vbs
          105  1768  WmiPrvSE.exe   UB EX CU
          106  3028  WScript.exe    900921cb-13a7-4fb2-a814-ba871e2a8732.vbs
          107   784  WmiPrvSE.exe   UB EX
          108   820  WScript.exe    c26a7ee0-b990-496d-88fc-55a7ed9d2d6d.vbs
          109  2676  WmiPrvSE.exe   UB EX SP
          110  3064  WScript.exe    034f485e-9c56-4b0a-a76f-bc47973fc0cf.vbs
          111  2700  WmiPrvSE.exe   EX SP
          112  2040  WScript.exe    8a9768b0-2cab-434b-984c-35e6b863b67b.vbs
          113  2068  WmiPrvSE.exe   EX CU
          114  2276  WScript.exe    341f06a5-6ac7-4c03-bdbb-f81287acd23c.vbs
          115  2044  WmiPrvSE.exe   UB EX SP
          116  1368  WScript.exe    a45264d7-eec8-4ce5-abab-4d44e25c8f25.vbs
          117   592  WmiPrvSE.exe   UB EX CU
          118  3000  WScript.exe    1008b6f2-e1be-471e-bee8-9185f88d6311.vbs
          119  2124  WmiPrvSE.exe   UB EX CU
          120  2752  WScript.exe    df4ca946-8800-4677-bb29-0bdae11b535d.vbs
          121  2272  WmiPrvSE.exe   UB EX CU SP
          122  2552  WScript.exe    6e829c8e-7db6-494a-a3e1-38402ef7950d.vbs
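As an added example that is neither the sandbox's nor the sample's code, the PowerShell triage script below looks on a live host for the artifacts this tree shows: Defender path exclusions of the kind added with Add-MpPreference, scheduled-task actions (the "Uses Task Scheduler COM API" signature) and Run or Winlogon values (the "Adds Run key" and "Modifies WinLogon" signatures) that point at a Windows-binary name living outside its real directory, running processes with such an image path, and WScript.exe executing a GUID-named .vbs from the user's Temp directory. The name list and the "legitimate directory" list are assumptions drawn from the drop paths in this report; Get-MpPreference and Get-ScheduledTask need Windows 8 / Server 2012 or later (on a Windows 7 host like the analysis VM, schtasks /query /v /fo csv covers the task check). Run it from an elevated prompt.

```powershell
# Added example, not the sandbox's or the sample's code. Assumptions: the binary-name list
# (taken from this report's drop paths) and the legitimate-directory list. Run elevated.

# Windows binary names the sample reuses for its copies.
$systemNames = @('lsm.exe','winlogon.exe','dwm.exe','csrss.exe','lsass.exe','spoolsv.exe',
                 'services.exe','wininit.exe','sppsvc.exe','WmiPrvSE.exe','audiodg.exe')
# Where those binaries really live; a copy anywhere else is a masquerade.
$legitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32\wbem")

function Get-ImagePath([string]$CommandLine) {
    # First token of a command line, quoted or bare, with environment variables expanded.
    $c = $CommandLine.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { $c = $c.Substring(1, $end - 1) }
    } else {
        $c = ($c -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($c)
}

function Test-Masquerade([string]$Path) {
    # True when the file name is one of $systemNames but its directory is not a legitimate home.
    if (-not $Path) { return $false }
    $leaf = Split-Path -Leaf $Path
    if ($systemNames -notcontains $leaf) { return $false }
    $dir = (Split-Path -Parent $Path).TrimEnd('\')
    foreach ($d in $legitDirs) { if ($dir -ieq $d) { return $false } }
    return $true
}

Write-Host '== Defender path exclusions (SUSPECT = masquerading path, REVIEW = a single .exe excluded) =='
foreach ($p in @((Get-MpPreference).ExclusionPath)) {
    if (-not $p) { continue }
    $tag = if (Test-Masquerade $p) { 'SUSPECT' } elseif ($p -like '*.exe') { 'REVIEW' } else { '' }
    '{0,-8} {1}' -f $tag, $p
}

Write-Host '== Scheduled task actions that run a masquerading binary =='
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -and (Test-Masquerade (Get-ImagePath $a.Execute))) {
            '{0}{1}: {2} {3}' -f $task.TaskPath, $task.TaskName, $a.Execute, $a.Arguments
        }
    }
}

Write-Host '== Run keys and Winlogon Shell/Userinit pointing at a masquerading binary =='
$autoruns = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Names = $null },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';    Names = $null },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Names = $null },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = @('Shell','Userinit') }
)
foreach ($entry in $autoruns) {
    if (-not (Test-Path $entry.Key)) { continue }
    $props = Get-ItemProperty -Path $entry.Key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }                      # provider metadata, not a value
        if ($entry.Names -and $entry.Names -notcontains $prop.Name) { continue }
        # Winlogon values are comma-separated lists; Run values are single command lines.
        $parts = if ($entry.Names) { ([string]$prop.Value) -split ',' } else { @([string]$prop.Value) }
        foreach ($cmd in $parts) {
            if ($cmd.Trim() -and (Test-Masquerade (Get-ImagePath $cmd))) {
                '{0}\{1} = {2}' -f $entry.Key, $prop.Name, $prop.Value
            }
        }
    }
}

Write-Host '== Running processes: masquerading image path, or WScript running a GUID-named Temp .vbs =='
foreach ($proc in Get-CimInstance Win32_Process) {
    $hit = $null
    if (Test-Masquerade $proc.ExecutablePath) { $hit = 'masquerade' }
    elseif ($proc.Name -ieq 'wscript.exe' -and
            $proc.CommandLine -match '\\AppData\\Local\\Temp\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.vbs') {
        $hit = 'temp-vbs'
    }
    if ($hit) { '{0,-11} PID {1,-6} PPID {2,-6} {3}' -f $hit, $proc.ProcessId, $proc.ParentProcessId, $proc.CommandLine }
}
```

Findings under the first heading are removed with Remove-MpPreference -ExclusionPath; everything else is a persistence entry to collect as evidence before deletion. The Test-Masquerade heuristic is deliberately narrow (exact Windows binary names, exact legitimate directories) so that a hit is worth a look on its own, and it is only a starting point: the same sample also plants copies under the original long hex name in Program Files, which this check ignores.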