Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 01:16
Behavioral task: behavioral1
Sample: a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe
Resource: win7-20240419-en
General
- Target: a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe
- Size: 3.1MB
- MD5: 18f5a3194d73e08d7d66b7a3b42568b3
- SHA1: 86d424c8a86ec2f20407f9f2db9133a0a2b314f7
- SHA256: a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1
- SHA512: 3f14d5b896cdba1ea41516a3c1f9b2745bd403a57bb66bf6c2016ee5dde2f2bab8560822975848f4920502a4ae94975891846d8249ab401054655482964bcb11
- SSDEEP: 49152:UbA30w1VlUYYDF62IumHbysKqLb5yHfCbShsA3z42d7U8rUc1uHToN/:UbgJWF6ymHbRzLb5ya2hsUz4c7W9K/
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process (48 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4484 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3864 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1788 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4260 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5104 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4720 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 400 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4320 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2068 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1628 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2648 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3308 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 548 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3672 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4044 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 232 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3396 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3740 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3556 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3596 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3852 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4140 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2176 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3884 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3688 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4808 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4752 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 432 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3512 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4732 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5016 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4292 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3704 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1280 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2556 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3944 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2568 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1016 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4412 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1480 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2240 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5036 | 1768 | schtasks.exe
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | TextInputHost.exe
-
Processes:
resource | yara_rule
C:\BlockproviderComponentweb\intoHostDhcp.exe | dcrat
behavioral2/memory/2972-13-0x0000000000B20000-0x0000000000DFA000-memory.dmp | dcrat
-
Detects executables packed with SmartAssembly (7 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2972-19-0x0000000003050000-0x000000000305A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-29-0x000000001BA80000-0x000000001BA8C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-26-0x00000000030B0000-0x00000000030BC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-31-0x000000001BAA0000-0x000000001BAAC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-34-0x000000001C4F0000-0x000000001C4FC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-35-0x000000001C500000-0x000000001C50A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2972-32-0x000000001C4D0000-0x000000001C4DA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
-
Command and Scripting Interpreter: PowerShell (1 TTPs, 18 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
2396 | powershell.exe
4872 | powershell.exe
1308 | powershell.exe
1560 | powershell.exe
1564 | powershell.exe
2748 | powershell.exe
428 | powershell.exe
4768 | powershell.exe
4208 | powershell.exe
3116 | powershell.exe
384 | powershell.exe
4880 | powershell.exe
4520 | powershell.exe
1128 | powershell.exe
2604 | powershell.exe
1144 | powershell.exe
1520 | powershell.exe
1256 | powershell.exe
-
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | intoHostDhcp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | intoHostDhcp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | TextInputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Executes dropped EXE (4 IoCs)
Processes:
pid | process
2972 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4784 | TextInputHost.exe
2232 | TextInputHost.exe
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | TextInputHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | TextInputHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intoHostDhcp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intoHostDhcp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TextInputHost.exe
-
Drops file in Program Files directory (9 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe | intoHostDhcp.exe
File created | C:\Program Files (x86)\Windows Sidebar\services.exe | intoHostDhcp.exe
File created | C:\Program Files (x86)\Windows Sidebar\c5b4cb5e9653cc | intoHostDhcp.exe
File created | C:\Program Files\ModifiableWindowsApps\unsecapp.exe | intoHostDhcp.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\0a1fd5f707cd16 | intoHostDhcp.exe
File created | C:\Program Files\Windows Mail\SppExtComObj.exe | intoHostDhcp.exe
File created | C:\Program Files\Windows Mail\e1ef82546f0b02 | intoHostDhcp.exe
File created | C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe | intoHostDhcp.exe
File created | C:\Program Files\Windows Defender\uk-UA\9e8d7a4ca61bd9 | intoHostDhcp.exe
-
Drops file in Windows directory (6 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Offline Web Pages\SppExtComObj.exe | intoHostDhcp.exe
File created | C:\Windows\Offline Web Pages\e1ef82546f0b02 | intoHostDhcp.exe
File created | C:\Windows\Vss\Writers\System\RuntimeBroker.exe | intoHostDhcp.exe
File created | C:\Windows\Vss\Writers\System\9e8d7a4ca61bd9 | intoHostDhcp.exe
File created | C:\Windows\Performance\TextInputHost.exe | intoHostDhcp.exe
File created | C:\Windows\Performance\22eafd247d37c3 | intoHostDhcp.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | intoHostDhcp.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | TextInputHost.exe
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 48 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
548 | schtasks.exe
2176 | schtasks.exe
4260 | schtasks.exe
4720 | schtasks.exe
2068 | schtasks.exe
3704 | schtasks.exe
400 | schtasks.exe
1628 | schtasks.exe
3884 | schtasks.exe
432 | schtasks.exe
4732 | schtasks.exe
5016 | schtasks.exe
4292 | schtasks.exe
2556 | schtasks.exe
2700 | schtasks.exe
3688 | schtasks.exe
4808 | schtasks.exe
3944 | schtasks.exe
2240 | schtasks.exe
5036 | schtasks.exe
4140 | schtasks.exe
2648 | schtasks.exe
3672 | schtasks.exe
232 | schtasks.exe
1784 | schtasks.exe
3308 | schtasks.exe
3048 | schtasks.exe
1480 | schtasks.exe
3864 | schtasks.exe
5104 | schtasks.exe
4320 | schtasks.exe
4044 | schtasks.exe
3852 | schtasks.exe
4752 | schtasks.exe
3512 | schtasks.exe
1764 | schtasks.exe
1516 | schtasks.exe
1788 | schtasks.exe
2380 | schtasks.exe
1016 | schtasks.exe
4484 | schtasks.exe
3556 | schtasks.exe
1280 | schtasks.exe
2568 | schtasks.exe
4412 | schtasks.exe
3396 | schtasks.exe
3740 | schtasks.exe
3596 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
2972 | intoHostDhcp.exe
2972 | intoHostDhcp.exe
2972 | intoHostDhcp.exe
2972 | intoHostDhcp.exe
2972 | intoHostDhcp.exe
2972 | intoHostDhcp.exe
2972 | intoHostDhcp.exe
2972 | intoHostDhcp.exe
2972 | intoHostDhcp.exe
1308 | powershell.exe
1144 | powershell.exe
1560 | powershell.exe
1308 | powershell.exe
1144 | powershell.exe
1560 | powershell.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
4036 | intoHostDhcp.exe
3116 | powershell.exe
3116 | powershell.exe
4768 | powershell.exe
4768 | powershell.exe
1520 | powershell.exe
1520 | powershell.exe
2748 | powershell.exe
2748 | powershell.exe
1564 | powershell.exe
1564 | powershell.exe
2396 | powershell.exe
2396 | powershell.exe
1256 | powershell.exe
1256 | powershell.exe
4880 | powershell.exe
4880 | powershell.exe
1128 | powershell.exe
1128 | powershell.exe
384 | powershell.exe
384 | powershell.exe
4872 | powershell.exe
4872 | powershell.exe
428 | powershell.exe
428 | powershell.exe
2604 | powershell.exe
2604 | powershell.exe
4520 | powershell.exe
4520 | powershell.exe
4208 | powershell.exe
4208 | powershell.exe
1256 | powershell.exe
4768 | powershell.exe
3116 | powershell.exe
3116 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2972 | intoHostDhcp.exe
Token: SeDebugPrivilege | 1308 | powershell.exe
Token: SeDebugPrivilege | 1144 | powershell.exe
Token: SeDebugPrivilege | 4036 | intoHostDhcp.exe
Token: SeDebugPrivilege | 1560 | powershell.exe
Token: SeDebugPrivilege | 3116 | powershell.exe
Token: SeDebugPrivilege | 4768 | powershell.exe
Token: SeDebugPrivilege | 1520 | powershell.exe
Token: SeDebugPrivilege | 428 | powershell.exe
Token: SeDebugPrivilege | 2604 | powershell.exe
Token: SeDebugPrivilege | 2748 | powershell.exe
Token: SeDebugPrivilege | 1564 | powershell.exe
Token: SeDebugPrivilege | 2396 | powershell.exe
Token: SeDebugPrivilege | 1256 | powershell.exe
Token: SeDebugPrivilege | 4880 | powershell.exe
Token: SeDebugPrivilege | 1128 | powershell.exe
Token: SeDebugPrivilege | 4520 | powershell.exe
Token: SeDebugPrivilege | 384 | powershell.exe
Token: SeDebugPrivilege | 4872 | powershell.exe
Token: SeDebugPrivilege | 4208 | powershell.exe
Token: SeDebugPrivilege | 4784 | TextInputHost.exe
Token: SeDebugPrivilege | 2232 | TextInputHost.exe
-
Suspicious use of WriteProcessMemory (58 IoCs)
Processes:
description | pid | process | target process
PID 1464 wrote to memory of 2368 | 1464 | a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe | WScript.exe
PID 1464 wrote to memory of 2368 | 1464 | a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe | WScript.exe
PID 1464 wrote to memory of 2368 | 1464 | a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe | WScript.exe
PID 2368 wrote to memory of 3456 | 2368 | WScript.exe | cmd.exe
PID 2368 wrote to memory of 3456 | 2368 | WScript.exe | cmd.exe
PID 2368 wrote to memory of 3456 | 2368 | WScript.exe | cmd.exe
PID 3456 wrote to memory of 2972 | 3456 | cmd.exe | intoHostDhcp.exe
PID 3456 wrote to memory of 2972 | 3456 | cmd.exe | intoHostDhcp.exe
PID 2972 wrote to memory of 1560 | 2972 | intoHostDhcp.exe | powershell.exe
PID 2972 wrote to memory of 1560 | 2972 | intoHostDhcp.exe | powershell.exe
PID 2972 wrote to memory of 1308 | 2972 | intoHostDhcp.exe | powershell.exe
PID 2972 wrote to memory of 1308 | 2972 | intoHostDhcp.exe | powershell.exe
PID 2972 wrote to memory of 1144 | 2972 | intoHostDhcp.exe | powershell.exe
PID 2972 wrote to memory of 1144 | 2972 | intoHostDhcp.exe | powershell.exe
PID 2972 wrote to memory of 4036 | 2972 | intoHostDhcp.exe | intoHostDhcp.exe
PID 2972 wrote to memory of 4036 | 2972 | intoHostDhcp.exe | intoHostDhcp.exe
PID 4036 wrote to memory of 4768 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 4768 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 1520 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 1520 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 1564 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 1564 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 4880 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 4880 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 1256 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 1256 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 4520 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 4520 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 4208 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 4208 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 3116 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 3116 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 1128 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 1128 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 2604 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 2604 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 4872 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 4872 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 384 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 384 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 2396 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 2396 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 428 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 428 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 2748 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 2748 | 4036 | intoHostDhcp.exe | powershell.exe
PID 4036 wrote to memory of 2128 | 4036 | intoHostDhcp.exe | cmd.exe
PID 4036 wrote to memory of 2128 | 4036 | intoHostDhcp.exe | cmd.exe
PID 2128 wrote to memory of 4348 | 2128 | cmd.exe | w32tm.exe
PID 2128 wrote to memory of 4348 | 2128 | cmd.exe | w32tm.exe
PID 2128 wrote to memory of 4784 | 2128 | cmd.exe | TextInputHost.exe
PID 2128 wrote to memory of 4784 | 2128 | cmd.exe | TextInputHost.exe
PID 4784 wrote to memory of 4440 | 4784 | TextInputHost.exe | WScript.exe
PID 4784 wrote to memory of 4440 | 4784 | TextInputHost.exe | WScript.exe
PID 4784 wrote to memory of 220 | 4784 | TextInputHost.exe | WScript.exe
PID 4784 wrote to memory of 220 | 4784 | TextInputHost.exe | WScript.exe
PID 4440 wrote to memory of 2232 | 4440 | WScript.exe | TextInputHost.exe
PID 4440 wrote to memory of 2232 | 4440 | WScript.exe | TextInputHost.exe
-
System policy modification (1 TTPs, 12 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | TextInputHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | intoHostDhcp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | intoHostDhcp.exe
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe (depth 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\BlockproviderComponentweb\no2eZG6mwS0.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: C:\Windows\system32\cmd.exe /c ""C:\BlockproviderComponentweb\QGmdpYGOg.bat" "
- Suspicious use of WriteProcessMemory
-
C:\BlockproviderComponentweb\intoHostDhcp.exe (depth 4)
Command line: "C:\BlockproviderComponentweb\intoHostDhcp.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\intoHostDhcp.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\sysmon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\BlockproviderComponentweb\intoHostDhcp.exe (depth 5)
Command line: "C:\BlockproviderComponentweb\intoHostDhcp.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\intoHostDhcp.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\SppExtComObj.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\OfficeClickToRun.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\SppExtComObj.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\TextInputHost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\StartMenuExperienceHost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (depth 6)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FDHFEdla6V.bat"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exe (depth 7)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\WindowsRE\TextInputHost.exe (depth 7)
"C:\Recovery\WindowsRE\TextInputHost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe (depth 8)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21fdb40e-2eb5-4ea0-a52e-8432aa415a41.vbs"
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\TextInputHost.exe (depth 9)
C:\Recovery\WindowsRE\TextInputHost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe (depth 8)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17e83ea0-0c0e-4003-91fa-a2a99660b073.vbs"
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\BlockproviderComponentweb\sysmon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\BlockproviderComponentweb\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\BlockproviderComponentweb\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\BlockproviderComponentweb\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\BlockproviderComponentweb\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\BlockproviderComponentweb\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\BlockproviderComponentweb\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\BlockproviderComponentweb\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\BlockproviderComponentweb\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\System\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Performance\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\BlockproviderComponentweb\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\BlockproviderComponentweb\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\BlockproviderComponentweb\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\BlockproviderComponentweb\QGmdpYGOg.bat
Filesize: 58B
-
C:\BlockproviderComponentweb\intoHostDhcp.exe
Filesize: 2.8MB
-
C:\BlockproviderComponentweb\no2eZG6mwS0.vbe
Filesize: 222B
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\intoHostDhcp.exe.log
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
-
C:\Users\Admin\AppData\Local\Temp\17e83ea0-0c0e-4003-91fa-a2a99660b073.vbs
Filesize: 491B
-
C:\Users\Admin\AppData\Local\Temp\21fdb40e-2eb5-4ea0-a52e-8432aa415a41.vbs
Filesize: 715B
-
C:\Users\Admin\AppData\Local\Temp\FDHFEdla6V.bat
Filesize: 204B
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u1qqmpru.yda.ps1
Filesize: 60B