Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 01:16
General
-
Target
a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe
-
Size
3.1MB
-
MD5
18f5a3194d73e08d7d66b7a3b42568b3
-
SHA1
86d424c8a86ec2f20407f9f2db9133a0a2b314f7
-
SHA256
a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1
-
SHA512
3f14d5b896cdba1ea41516a3c1f9b2745bd403a57bb66bf6c2016ee5dde2f2bab8560822975848f4920502a4ae94975891846d8249ab401054655482964bcb11
-
SSDEEP
49152:UbA30w1VlUYYDF62IumHbysKqLb5yHfCbShsA3z42d7U8rUc1uHToN/:UbgJWF6ymHbRzLb5ya2hsUz4c7W9K/
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 12 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Detects executables packed with SmartAssembly 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
System policy modification 1 TTPs 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe"C:\Users\Admin\AppData\Local\Temp\a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BlockproviderComponentweb\no2eZG6mwS0.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BlockproviderComponentweb\QGmdpYGOg.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\BlockproviderComponentweb\intoHostDhcp.exe"C:\BlockproviderComponentweb\intoHostDhcp.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\intoHostDhcp.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\BlockproviderComponentweb\intoHostDhcp.exe"C:\BlockproviderComponentweb\intoHostDhcp.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\intoHostDhcp.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\SppExtComObj.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\smss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\OfficeClickToRun.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\RuntimeBroker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\SppExtComObj.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\TextInputHost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\StartMenuExperienceHost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FDHFEdla6V.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
C:\Recovery\WindowsRE\TextInputHost.exe"C:\Recovery\WindowsRE\TextInputHost.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21fdb40e-2eb5-4ea0-a52e-8432aa415a41.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\TextInputHost.exeC:\Recovery\WindowsRE\TextInputHost.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17e83ea0-0c0e-4003-91fa-a2a99660b073.vbs"8⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\BlockproviderComponentweb\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\BlockproviderComponentweb\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\BlockproviderComponentweb\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\BlockproviderComponentweb\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\BlockproviderComponentweb\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\BlockproviderComponentweb\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\BlockproviderComponentweb\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\BlockproviderComponentweb\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\BlockproviderComponentweb\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\System\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Performance\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\BlockproviderComponentweb\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\BlockproviderComponentweb\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\BlockproviderComponentweb\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\BlockproviderComponentweb\QGmdpYGOg.batFilesize
58B
MD5924b1ca537cd105768edbcd1fe0cf3ca
SHA1968648854cb40f3b55d3c30aa809ffb2545dd9e2
SHA256ff9548c5810351eea938a04cc4b47dbb3cece7e555c16968edca4c140485f456
SHA512bf8157c56bdeadc32183c681f28f33e26d1e1ee6bf3053493666163ce639cd60942e543c600cd1cb70539739155c2539ba306da5557fabc9c5dc06a3fb37ec38
-
C:\BlockproviderComponentweb\intoHostDhcp.exeFilesize
2.8MB
MD593615053d95e46026ed276c2b258c306
SHA12b1c428f05fa18718c3f92a1afe6d800c9bf4191
SHA2563098b5044a048fc12aa27784d29635bbba89bac9c184cfbecd34c62c8a29987d
SHA51282fd306cbdebcd406d769bf511721daba7478fd7fb3a6035636f0da2a8de629a31644f22bd047ab57603127a7f636f331c9e2d0d1cfcb0020fe75fb07dcce3e1
-
C:\BlockproviderComponentweb\no2eZG6mwS0.vbeFilesize
222B
MD5b237326af75ea09be7db779654da38d4
SHA15b8b54c44d6dc2ddac14ed9a3feb56d088bc377e
SHA256f636ad5bfab3cacd97532396ade77867a5e198445385ce0f18128a87c2c599e0
SHA512beb445b3bac73675b70fd28e1a026096f9cb34f19be1b88f487a2b2b1452eacbc13c64a32a6b8b0b2e1d53121964ec35e8131627cb6cc7a7cbd6cb6dd1a47617
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.logFilesize
1KB
MD59699cf9bb24ebbc9b1035710e92b7bd2
SHA173f0f26db57ea306970a76f42c647bbce02a3f23
SHA256fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5
SHA5123a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\intoHostDhcp.exe.logFilesize
1KB
MD5bbb951a34b516b66451218a3ec3b0ae1
SHA17393835a2476ae655916e0a9687eeaba3ee876e9
SHA256eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA51263bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5c65338524586fc00cf00e679a7d4a1f4
SHA162abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae
SHA256faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6
SHA512c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5705e397ba2c670b0b9fcebdd31e0feea
SHA18566fe7e0903b7495e659ba0588b72e3ce538c3b
SHA256ae5d0de2ba6fe534bf67dcdbbfd71cf3f8c26f3d6ec852d73362d274a242732f
SHA512a2914a193cbea13119567199082c52eebe67719c80bc056b3820c6a4b2e8cf8c7ecd3e38975f6ffc616b171ab722a6664f44f65496fdaf114615c1bbdf98306c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD589b9b22e2cb6f0b903e7f8755f49d7be
SHA1e13b62b19dccdbacb5fec9227e34f21e34fe5cad
SHA25617b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537
SHA512f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5f6b5bbcd2386512d0b9af775e45d3770
SHA1a3f6c4f46c10ce9d9b7d8a0a7b8a922dbbdd3d43
SHA25650adabd48c94301dd4c4338e23583a702f7626abf793e6ae2eb919a18c8db999
SHA5123775a27e3ad5a6149b88214f8bc6e45335e02af4589468ca8c140db758f152a59adf3c56361523b09c6ac2b316bd6c66886f9755a1823fc2c4468a1fad417add
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD57e289a3d34516b4e7de2611b6c12f0b2
SHA1e8e03cc1bfdc8ba943a4b3d63096972fa17709a0
SHA2560b4cbf3ad8768569a414f60e265701cdf7ebb2d2f5a32519d72604ead942f97f
SHA512ce91056d04768defa621cbd08c03892a5861ee620fcb9ee5a376f9f884ebb8bff7f53f28c351093baca1f7be767a37ed4e52ee7dc77fa6d5b645001c05b47ca9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52e72aedd960aa9abe03c753aed3677fc
SHA12aef2f996742ae33944720e459adef9984c03923
SHA256b48c0c7d3da325af1226ee2709051da199b3b260c465466a71506dfe84ce00e4
SHA51259e29c4d3e816df659d34c2cb306cc55a7b996b12994994e500a5628884451e9ac4840bca779d287114b297471d376fdfcf8d663711bae2ffbeeea973fe1671f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5b740f7616c3c3d006afd7e1586758eeb
SHA1c465af4c07ecb9e3de239c410d3b2ed5de93cdde
SHA256c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872
SHA512d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Temp\17e83ea0-0c0e-4003-91fa-a2a99660b073.vbsFilesize
491B
MD554b95663f409b7420218211669433a71
SHA1b597544be34f509b0655cc848cca006320c294e8
SHA256b362ca00de384085c94e75f03f8ecaddd58b4fb48249e5532dddd2355177303e
SHA512896130838ad7fa39f79d080eceabd162a814a1a743cdd14d4d951785b5b43ecfb3a26b071e00012bb5f0b72e8ffb731922e0f249093bc0ac4be2deb806a5b7b5
-
C:\Users\Admin\AppData\Local\Temp\21fdb40e-2eb5-4ea0-a52e-8432aa415a41.vbsFilesize
715B
MD5c8ae3f06a1020b7cc7fdda6c649ae6e9
SHA1d55280656dd25680957816e68f8537c2f9d575b0
SHA256afb4f85bf1f206e76b82e7d0881187974d4e44a2de7d0813aeac364ffe428b07
SHA512704e0699b22936af63578c6e75567b233c9dc2cab496fbb884c49e1e1e9583ab256031843374e5340ff6219112a20a57ad84c2339fe358c7de0ee4a5dafb9056
-
C:\Users\Admin\AppData\Local\Temp\FDHFEdla6V.batFilesize
204B
MD5207059c1d9282c2e2b0ed52b7c4b3af1
SHA1e80bf3b85c54b693a5e1ba6e5651196d3530c96f
SHA256b68c4ec5a5c12d72c2e1683ca347606652f765f80f6f8af2dc1be94b1c7efff3
SHA512ac112ddab64cffa904137c886f5c4c782a3305452faeea51956192e8a6e35841ac7baaa6b57f5c06f7dcefa262d4a78ff510799be56a15aeea8959e6fc03528a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u1qqmpru.yda.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/1308-52-0x0000013F72910000-0x0000013F72932000-memory.dmpFilesize
136KB
-
memory/2232-294-0x000000001B050000-0x000000001B062000-memory.dmpFilesize
72KB
-
memory/2972-21-0x0000000003060000-0x000000000306C000-memory.dmpFilesize
48KB
-
memory/2972-23-0x0000000003090000-0x000000000309C000-memory.dmpFilesize
48KB
-
memory/2972-34-0x000000001C4F0000-0x000000001C4FC000-memory.dmpFilesize
48KB
-
memory/2972-36-0x000000001C510000-0x000000001C51C000-memory.dmpFilesize
48KB
-
memory/2972-35-0x000000001C500000-0x000000001C50A000-memory.dmpFilesize
40KB
-
memory/2972-32-0x000000001C4D0000-0x000000001C4DA000-memory.dmpFilesize
40KB
-
memory/2972-30-0x000000001BAB0000-0x000000001BAB8000-memory.dmpFilesize
32KB
-
memory/2972-31-0x000000001BAA0000-0x000000001BAAC000-memory.dmpFilesize
48KB
-
memory/2972-22-0x0000000003080000-0x0000000003088000-memory.dmpFilesize
32KB
-
memory/2972-26-0x00000000030B0000-0x00000000030BC000-memory.dmpFilesize
48KB
-
memory/2972-27-0x000000001BA60000-0x000000001BA68000-memory.dmpFilesize
32KB
-
memory/2972-28-0x000000001BA70000-0x000000001BA7C000-memory.dmpFilesize
48KB
-
memory/2972-29-0x000000001BA80000-0x000000001BA8C000-memory.dmpFilesize
48KB
-
memory/2972-33-0x000000001C4E0000-0x000000001C4EE000-memory.dmpFilesize
56KB
-
memory/2972-25-0x000000001C800000-0x000000001CD28000-memory.dmpFilesize
5.2MB
-
memory/2972-24-0x00000000030A0000-0x00000000030B2000-memory.dmpFilesize
72KB
-
memory/2972-20-0x000000001B9F0000-0x000000001BA46000-memory.dmpFilesize
344KB
-
memory/2972-19-0x0000000003050000-0x000000000305A000-memory.dmpFilesize
40KB
-
memory/2972-18-0x0000000003070000-0x0000000003080000-memory.dmpFilesize
64KB
-
memory/2972-17-0x0000000003040000-0x0000000003052000-memory.dmpFilesize
72KB
-
memory/2972-16-0x0000000003030000-0x0000000003038000-memory.dmpFilesize
32KB
-
memory/2972-12-0x00007FFA75253000-0x00007FFA75255000-memory.dmpFilesize
8KB
-
memory/2972-13-0x0000000000B20000-0x0000000000DFA000-memory.dmpFilesize
2.9MB
-
memory/2972-15-0x000000001B9A0000-0x000000001B9F0000-memory.dmpFilesize
320KB
-
memory/2972-14-0x00000000015C0000-0x00000000015DC000-memory.dmpFilesize
112KB
-
memory/4784-281-0x000000001BD20000-0x000000001BD76000-memory.dmpFilesize
344KB
-
memory/4784-280-0x0000000002CA0000-0x0000000002CB2000-memory.dmpFilesize
72KB