Analysis
max time kernel: 125s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 08:06
Behavioral task: behavioral1
Sample: 48c2137034bee9bdfc2c9df1e71e9e04.exe
Resource: win7-20240419-en
General
Target: 48c2137034bee9bdfc2c9df1e71e9e04.exe
Size: 1.3MB
MD5: 48c2137034bee9bdfc2c9df1e71e9e04
SHA1: 573e8453bc08e2b4e8e65b8560d81b150a9acdd8
SHA256: 54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88
SHA512: 5c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247
SSDEEP: 24576:q0bcg1vqd25Gl35KcbOwGqq+AZbPxtDSk5/FX5vDlIXNQdS:qGy/3dSnEYFJvxS
Malware Config
Signatures
DcRat
DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent of every schtasks.exe is C:\Windows\system32\wbem\wmiprvse.exe (PID 1412), the WMI provider host; that is the parent you see when a process is started through WMI process creation rather than directly by the sample, and it means the six schtasks.exe invocations are not linked to the dropper in a plain parent/child view.
Processes:
description                                                                         pid (schtasks.exe)  pid_target (parent wmiprvse.exe)  process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  5040                1412                              schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4356                1412                              schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2832                1412                              schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4648                1412                              schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4628                1412                              schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1524                1412                              schtasks.exe
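The two schtasks.exe behaviours this report flags (an unexpected parent, and /create commands that re-run a dropped binary elevated) are easy to turn into detection logic. The following is an added example, not part of the sandbox report: it runs a check over constructed process-creation records shaped like Sysmon Event ID 1. The field names (ProcessId, ParentImage, Image, CommandLine) and the PIDs are assumptions; the two malicious command lines are the ones in this report, the third record is a constructed benign control.

```powershell
# Added example (not part of the sandbox report): flag schtasks.exe launches that
# have an unexpected parent or that register a persistence task for a masquerading
# binary. Record shape and PIDs are assumptions; malicious command lines are from the report.

$Records = @(
    [pscustomobject]@{
        ProcessId   = 5040
        ParentImage = 'C:\Windows\system32\wbem\wmiprvse.exe'
        Image       = 'C:\Windows\system32\schtasks.exe'
        CommandLine = 'schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "''C:\Recovery\WindowsRE\explorer.exe''" /rl HIGHEST /f'
    }
    [pscustomobject]@{
        ProcessId   = 4648
        ParentImage = 'C:\Windows\system32\wbem\wmiprvse.exe'
        Image       = 'C:\Windows\system32\schtasks.exe'
        CommandLine = 'schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "''C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe''" /f'
    }
    [pscustomobject]@{   # constructed benign control: an admin creating a backup task from a console
        ProcessId   = 7100
        ParentImage = 'C:\Windows\System32\cmd.exe'
        Image       = 'C:\Windows\System32\schtasks.exe'
        CommandLine = 'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe D:\data E:\backup" /f'
    }
)

function Find-SuspiciousSchtasks {
    param([Parameter(Mandatory)][object[]]$Events)

    # WmiPrvSE.exe is the parent when a task is created through WMI process creation
    # (Win32_Process.Create); Office, script hosts and mshta are the classic macro/dropper parents.
    $unexpectedParents = 'wmiprvse.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'
    # Windows system binary names that malware borrows for its dropped copies.
    $systemNames = 'explorer.exe', 'lsass.exe', 'svchost.exe', 'csrss.exe', 'winlogon.exe', 'dwm.exe', 'services.exe'

    foreach ($e in $Events) {
        if (($e.Image -split '[\\/]')[-1].ToLowerInvariant() -ne 'schtasks.exe') { continue }
        $parent   = ($e.ParentImage -split '[\\/]')[-1].ToLowerInvariant()
        $reasons  = [System.Collections.Generic.List[string]]::new()
        $taskName = $null
        $target   = $null

        if ($unexpectedParents -contains $parent) { $reasons.Add("unexpected parent $parent") }

        if ($e.CommandLine -match '(?i)\s/create\s') {
            if ($e.CommandLine -match '(?i)/tn\s+"([^"]+)"') { $taskName = $Matches[1] }
            # This sample wraps the /tr value in double AND single quotes; strip the inner ones.
            if ($e.CommandLine -match '(?i)/tr\s+"([^"]+)"') { $target = $Matches[1].Trim([char]39) }
            if ($e.CommandLine -match '(?i)/rl\s+HIGHEST') { $reasons.Add('runs elevated (/rl HIGHEST)') }
            if ($e.CommandLine -match '(?i)/sc\s+MINUTE\s+/mo\s+(\d+)') { $reasons.Add("re-runs every $($Matches[1]) min") }

            if ($target) {
                # Executable is everything up to the first ".exe" (paths may contain spaces).
                $exe = if ($target -match '(?i)^(.+?\.exe)(\s|$)') { $Matches[1] } else { $target }
                $exeName = ($exe -split '[\\/]')[-1].ToLowerInvariant()
                if ($systemNames -contains $exeName -and $exe -notmatch '(?i)^[A-Z]:\\Windows\\') {
                    $reasons.Add("system binary name '$exeName' outside C:\Windows ($exe)")
                }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId = $e.ProcessId; Parent = $parent; TaskName = $taskName
                Target    = $target;      Reasons = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousSchtasks -Events $Records | Format-Table -AutoSize
```

Against the constructed records this returns the two wmiprvse-parented tasks (the first also for /rl HIGHEST, the second for the 14-minute re-run, both for a system binary name outside C:\Windows) and nothing for the control. To run it on real data, pull Sysmon events with Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} and project the event XML into the same four fields.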
UAC bypass 12 IoCs
Processes:
description      ioc                                                                                                        process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       48c2137034bee9bdfc2c9df1e71e9e04.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   48c2137034bee9bdfc2c9df1e71e9e04.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  48c2137034bee9bdfc2c9df1e71e9e04.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   explorer.exe
Processes:
resource                                                                     yara_rule
behavioral2/memory/1652-1-0x0000000000310000-0x0000000000466000-memory.dmp  dcrat
C:\Recovery\WindowsRE\explorer.exe                                           dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run each of the three PowerShell processes adds one path exclusion (Add-MpPreference -ExclusionPath): one for the dropper in the user's Temp directory, one for the copy at C:\Recovery\WindowsRE\explorer.exe and one for the copy at C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe.
Processes:
pid   process
4212  powershell.exe
2412  powershell.exe
4696  powershell.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description        ioc                                                                                              process
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  48c2137034bee9bdfc2c9df1e71e9e04.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  explorer.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  explorer.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  explorer.exe
Executes dropped EXE 7 IoCs
Processes:
pid   process
448   explorer.exe
4448  explorer.exe
3888  explorer.exe
3664  explorer.exe
3056  explorer.exe
3020  explorer.exe
3512  explorer.exe
Checks whether UAC is enabled 8 IoCs
Processes:
description        ioc                                                                                   process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        explorer.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  explorer.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        explorer.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  explorer.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        48c2137034bee9bdfc2c9df1e71e9e04.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  48c2137034bee9bdfc2c9df1e71e9e04.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        explorer.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in Program Files directory 2 IoCs
Processes:
description   ioc                                                              process
File created  C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe           48c2137034bee9bdfc2c9df1e71e9e04.exe
File created  C:\Program Files\Windows Photo Viewer\fr-FR\6203df4a6bafc7      48c2137034bee9bdfc2c9df1e71e9e04.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
Processes:
description  ioc                                                                               process
Key created  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  explorer.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
4356  schtasks.exe
2832  schtasks.exe
4648  schtasks.exe
4628  schtasks.exe
1524  schtasks.exe
5040  schtasks.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid   process                               occurrences
1652  48c2137034bee9bdfc2c9df1e71e9e04.exe  1
4212  powershell.exe                        3
2412  powershell.exe                        2
4696  powershell.exe                        3
448   explorer.exe                          2
4448  explorer.exe                          2
3664  explorer.exe                          2
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1652  48c2137034bee9bdfc2c9df1e71e9e04.exe
Token: SeDebugPrivilege  2412  powershell.exe
Token: SeDebugPrivilege  4212  powershell.exe
Token: SeDebugPrivilege  448   explorer.exe
Token: SeDebugPrivilege  4696  powershell.exe
Token: SeDebugPrivilege  4448  explorer.exe
Token: SeDebugPrivilege  3888  explorer.exe
Token: SeDebugPrivilege  3664  explorer.exe
Token: SeDebugPrivilege  3056  explorer.exe
Token: SeDebugPrivilege  3020  explorer.exe
Token: SeDebugPrivilege  3512  explorer.exe
Suspicious use of WriteProcessMemory 44 IoCs
Each parent/child pair below was logged twice (22 distinct pairs, 44 IoCs).
Processes:
pid   process                               wrote to memory of  target process
1652  48c2137034bee9bdfc2c9df1e71e9e04.exe  4696                powershell.exe
1652  48c2137034bee9bdfc2c9df1e71e9e04.exe  2412                powershell.exe
1652  48c2137034bee9bdfc2c9df1e71e9e04.exe  4212                powershell.exe
1652  48c2137034bee9bdfc2c9df1e71e9e04.exe  448                 explorer.exe
448   explorer.exe                          4496                WScript.exe
448   explorer.exe                          3168                WScript.exe
448   explorer.exe                          116                 cmd.exe
116   cmd.exe                               2636                w32tm.exe
4496  WScript.exe                           4448                explorer.exe
116   cmd.exe                               3888                explorer.exe
4448  explorer.exe                          544                 WScript.exe
4448  explorer.exe                          2320                WScript.exe
4448  explorer.exe                          2692                cmd.exe
2692  cmd.exe                               3128                w32tm.exe
544   WScript.exe                           3664                explorer.exe
2692  cmd.exe                               3056                explorer.exe
3664  explorer.exe                          2388                WScript.exe
3664  explorer.exe                          3204                WScript.exe
3664  explorer.exe                          4060                cmd.exe
4060  cmd.exe                               2280                w32tm.exe
2388  WScript.exe                           3020                explorer.exe
4060  cmd.exe                               3512                explorer.exe
System policy modification 1 TTPs 12 IoCs
Processes:
description      ioc                                                                                                        process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   48c2137034bee9bdfc2c9df1e71e9e04.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  48c2137034bee9bdfc2c9df1e71e9e04.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       48c2137034bee9bdfc2c9df1e71e9e04.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  explorer.exe
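The registry, Defender, file and scheduled-task artefacts listed in the signatures above are what an incident responder would check for on a suspect host. The following host triage script is an added example, not part of the sandbox report or the malware: the paths, task targets and SHA256 are the ones reported here, the "default" UAC values are Windows 10 defaults, and it assumes an elevated Windows PowerShell session with the Defender and ScheduledTasks modules available.

```powershell
# Added example (not part of the sandbox report): host triage for the artefacts this
# sample leaves behind. Paths and hash are from the report; UAC defaults are Windows 10
# defaults; assumes an elevated session with the Defender and ScheduledTasks modules.

$SampleSha256 = '54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88'
$DroppedPaths = 'C:\Recovery\WindowsRE\explorer.exe',
                'C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe',
                'C:\Program Files\Windows Photo Viewer\fr-FR\6203df4a6bafc7'

function Test-UacPolicy {
    # The three values the sample forces to 0. An absent value means the default applies.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $defaults = [ordered]@{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $defaults.Keys) {
        $value = $props.$name
        $finding = if ($null -eq $value)                 { 'not set (default applies)' }
                   elseif ($value -eq 0)                 { 'DISABLED: matches the UAC bypass in this report' }
                   elseif ($value -eq $defaults[$name])  { 'default' }
                   else                                  { 'non-default, check against policy' }
        [pscustomobject]@{ Setting = $name; Value = $value; Finding = $finding }
    }
}

function Get-SuspiciousDefenderExclusion {
    # Exclusions on a single .exe, or under writable/recovery paths, are the kind this family adds.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        $reason = $null
        if ($p -match '(?i)\.exe$') { $reason = 'single executable' }
        elseif ($p -match '(?i)^[A-Z]:\\(Recovery|Users|ProgramData|Windows\\Temp)\\') { $reason = 'writable or recovery path' }
        if ($reason) { [pscustomobject]@{ Exclusion = $p; Reason = $reason } }
    }
}

function Get-MasqueradingTask {
    # Tasks whose action runs a file named like a Windows system binary from outside C:\Windows.
    # The sample registers its action as "'C:\Recovery\WindowsRE\explorer.exe'", so strip quotes first.
    $systemNames = 'explorer.exe', 'lsass.exe', 'svchost.exe', 'csrss.exe', 'winlogon.exe', 'dwm.exe', 'services.exe'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = "$($action.Execute)" -replace '^[''"]+|[''"]+$', ''
            if (-not $exe) { continue }
            $name = ($exe -split '[\\/]')[-1].ToLowerInvariant()
            if ($systemNames -contains $name -and $exe -notmatch '(?i)^[A-Z]:\\Windows\\') {
                [pscustomobject]@{
                    TaskName = $task.TaskName; TaskPath = $task.TaskPath; RunLevel = $task.Principal.RunLevel
                    Execute  = $exe;           Arguments = $action.Arguments
                }
            }
        }
    }
}

function Test-DroppedFile {
    # Presence plus hash comparison: the Recovery copy in this report is byte-identical to the sample.
    foreach ($path in $DroppedPaths) {
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Path = $path; Present = $true;  SHA256 = $hash;  IsKnownSample = ($hash -ieq $SampleSha256) }
        } else {
            [pscustomobject]@{ Path = $path; Present = $false; SHA256 = $null;  IsKnownSample = $false }
        }
    }
}

Test-UacPolicy                  | Format-Table -AutoSize
Get-SuspiciousDefenderExclusion | Format-Table -AutoSize
Get-MasqueradingTask            | Format-Table -AutoSize
Test-DroppedFile                | Format-Table -AutoSize
```

On an infected host the first table shows all three values at 0, the second lists the three single-executable exclusions, the third shows the "explorer"/"explorere" and "lsass"/"lsassl" tasks with Highest run level, and the fourth confirms the dropped copies. Treat a ConsentPromptBehaviorAdmin of 2 as a possible group-policy setting rather than a finding; only 0 (elevate without prompting) matches what this sample writes.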
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is the parent/child depth from the original tree; the "cmd:" line is the process command line and the bullets are the signatures that fired for that process.

[1] C:\Users\Admin\AppData\Local\Temp\48c2137034bee9bdfc2c9df1e71e9e04.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\48c2137034bee9bdfc2c9df1e71e9e04.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\48c2137034bee9bdfc2c9df1e71e9e04.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Recovery\WindowsRE\explorer.exe
    cmd: "C:\Recovery\WindowsRE\explorer.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [3] C:\Windows\System32\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ecc5a11-4dee-4f2c-b4d1-b99cd6c41738.vbs"
      - Suspicious use of WriteProcessMemory
      [4] C:\Recovery\WindowsRE\explorer.exe
        cmd: C:\Recovery\WindowsRE\explorer.exe
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [5] C:\Windows\System32\WScript.exe
          cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2be315b3-41af-43da-86da-c0e0b845765d.vbs"
          - Suspicious use of WriteProcessMemory
          [6] C:\Recovery\WindowsRE\explorer.exe
            cmd: C:\Recovery\WindowsRE\explorer.exe
            - UAC bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            [7] C:\Windows\System32\WScript.exe
              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b021da26-ee32-4000-8de4-34afaaf8178a.vbs"
              - Suspicious use of WriteProcessMemory
              [8] C:\Recovery\WindowsRE\explorer.exe
                cmd: "C:\Recovery\WindowsRE\explorer.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\WScript.exe
              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2052c42b-72e6-43a5-9167-770290a41603.vbs"
            [7] C:\Windows\System32\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
              - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\w32tm.exe
                cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              [8] C:\Recovery\WindowsRE\explorer.exe
                cmd: "C:\Recovery\WindowsRE\explorer.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WScript.exe
          cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0ad6e41-4a38-41ad-ac7d-2bdf6ee06494.vbs"
        [5] C:\Windows\System32\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
          - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\w32tm.exe
            cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          [6] C:\Recovery\WindowsRE\explorer.exe
            cmd: "C:\Recovery\WindowsRE\explorer.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7b12a73-5ed3-4b52-99df-e2e678033c4a.vbs"
    [3] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\w32tm.exe
        cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      [4] C:\Recovery\WindowsRE\explorer.exe
        cmd: "C:\Recovery\WindowsRE\explorer.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4160,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8

Two things in this tree are worth noting. The dropped copy relaunches itself through a repeating cycle of explorer.exe -> WScript.exe (a .vbs in Temp) -> explorer.exe, with a parallel cmd.exe branch whose .bat first runs w32tm /stripchart against localhost with two samples (which takes a few seconds and serves as a delay) and then starts explorer.exe again. Separately, the six schtasks.exe processes sit at depth 1 with no link back to the dropper because their parent is wmiprvse.exe (see "Process spawned unexpected child process" above); the tasks pair an ONLOGON trigger with a MINUTE trigger for each dropped copy, and four of the six run with /rl HIGHEST.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

C:\Recovery\WindowsRE\explorer.exe
Filesize: 1.3MB
MD5: 48c2137034bee9bdfc2c9df1e71e9e04
SHA1: 573e8453bc08e2b4e8e65b8560d81b150a9acdd8
SHA256: 54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88
SHA512: 5c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247
(all four hashes match the submitted sample: the dropper copies itself unchanged)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log
Filesize: 1KB
MD5: 3690a1c3b695227a38625dcf27bd6dac
SHA1: c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA256: 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA512: 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 6d42b6da621e8df5674e26b799c8e2aa
SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Temp\2be315b3-41af-43da-86da-c0e0b845765d.vbs
Filesize: 710B
MD5: 86d8649f32deeaac699e4ff69912ff1e
SHA1: f96ef379c6564b65251135dfa2c1c5e79b8b330e
SHA256: afe08928fa189a3a6bbab5d1f138c71db14e45133a8914a5734b72fd2ab84d42
SHA512: 7b7cd06958350fa0fb513a9ce142a6063cdf381fdf9b2d8d34f83253ac389c848b9bcad36c81c39ac80081a029200c1947f0ead4a0a8d9079f72424d8aa9291c

C:\Users\Admin\AppData\Local\Temp\5ecc5a11-4dee-4f2c-b4d1-b99cd6c41738.vbs
Filesize: 709B
MD5: 5ac687d8612f40b773abbfccdaa260f7
SHA1: c0bbe58ed1b19c4c7e85b20a6a5275de0690bfa6
SHA256: 697f06a23ad9e4378b926560ef1876af5a13f76d74332a358482474f617b1a74
SHA512: 6ae0f9270e5a726dee27c7f05c28f2883aa5e7218e9be4390908deb6cdff22da035cb5e41ca23c7e97f936805db991898b4d23cb43ea2dd2580763e34d459c7d

C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat
Filesize: 199B
MD5: 538f3b6752b32efe9412602d116c7866
SHA1: a4fb850a3e39998a01800b15a4130e553cf43ff6
SHA256: 99aa9736d480bdc0ccf649ab409003d81867d90e86732aa68240e9e2a7709244
SHA512: cc4101b78b3bcc3d4e5c1c020a81cfe0788ef6fe5210c63b8f28ce9e9a7cadf17d841a9e9c414638c40a5e6870a0d6610301526d2f065e248379288472ef2495

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbykfmgl.k4w.psm1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\b021da26-ee32-4000-8de4-34afaaf8178a.vbs
Filesize: 710B
MD5: 734baea5e4ea3caee97f8bd18118f0a5
SHA1: 074de0febb9ca9d55df9b9739a1e99f10d0a7924
SHA256: 581e102e725b9a3089ce323652ab2ff568cb913aad8ba6ac5e7647e99f8efca3
SHA512: 445625e358764584ba7c97224e4ddd556cd1779b4c53374c32e57de39cbcb5d1ba4da43fdd4af06c67746e95d601551c493cd1f24e049b00a6cbb8c32683ac3e

C:\Users\Admin\AppData\Local\Temp\d7b12a73-5ed3-4b52-99df-e2e678033c4a.vbs
Filesize: 486B
MD5: 53dbda2e8e847183c68d0881f2e9d1e3
SHA1: 37b261d0f25e5b1cf4dd7db36a72e37a5bc4bc64
SHA256: 54e7b4fa09634e41f49f68d3698c8ee62e68c9ddd586cff64d3aaebe3b6748ed
SHA512: 8a47e20200f2329a24008f473d66551ae9b1fa94d458bb091a3cebfc7a9bec0e82847a60b8b64afc8c870b740930bcc5b6cc1fd9106e01d6f16fb92e142f03b9

C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat
Filesize: 199B
MD5: 43a9df49d524d44f236cdae71e7065a9
SHA1: a7f046d783bf40c7b7fd50b25ea90c6e10a0a901
SHA256: a73b7383b335e4d741f9f67e44cab2b056fa45f3fc42ef53c97184777e0e3cbf
SHA512: fd7432b61e4380ddaa910ef500a860c58984fa8b1b19f789e7e114868397bf5e3d3b824cbc760f4961c23bf34bd7940fb4f99b8c3b4542253f7c4816cc6c75d8
Memory dumps (resource, Filesize)
memory/448-81-0x000000001C590000-0x000000001C739000-memory.dmp     1.7MB
memory/1652-28-0x00007FF992650000-0x00007FF993111000-memory.dmp    10.8MB
memory/1652-5-0x000000001AF80000-0x000000001AF88000-memory.dmp     32KB
memory/1652-1-0x0000000000310000-0x0000000000466000-memory.dmp     1.3MB
memory/1652-12-0x000000001B6D0000-0x000000001B6DC000-memory.dmp    48KB
memory/1652-2-0x00007FF992650000-0x00007FF993111000-memory.dmp     10.8MB
memory/1652-11-0x000000001B6C0000-0x000000001B6CA000-memory.dmp    40KB
memory/1652-8-0x000000001B030000-0x000000001B03A000-memory.dmp     40KB
memory/1652-9-0x000000001B040000-0x000000001B04E000-memory.dmp     56KB
memory/1652-3-0x0000000002790000-0x00000000027AC000-memory.dmp     112KB
memory/1652-6-0x000000001B010000-0x000000001B01A000-memory.dmp     40KB
memory/1652-10-0x000000001B6B0000-0x000000001B6BE000-memory.dmp    56KB
memory/1652-7-0x000000001B020000-0x000000001B02C000-memory.dmp     48KB
memory/1652-4-0x000000001B660000-0x000000001B6B0000-memory.dmp     320KB
memory/1652-0-0x00007FF992653000-0x00007FF992655000-memory.dmp     8KB
memory/2412-59-0x0000017D6CF10000-0x0000017D6D07A000-memory.dmp    1.4MB
memory/2412-30-0x0000017D6AB90000-0x0000017D6ABB2000-memory.dmp    136KB
memory/4212-65-0x0000027FFBD60000-0x0000027FFBECA000-memory.dmp    1.4MB
memory/4696-66-0x000001C9F6940000-0x000001C9F6AAA000-memory.dmp    1.4MB