Analysis
max time kernel: 151s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2023 05:41
Static task: static1
Behavioral task: behavioral1
Sample: a29004d57b0582196965b9344e0eb7b4.exe
Resource: win7-20230220-en
General
Target: a29004d57b0582196965b9344e0eb7b4.exe
Size: 3.5MB
MD5: a29004d57b0582196965b9344e0eb7b4
SHA1: 6e0ab8638b3559750dc40e4c23623552d84b5d8c
SHA256: 1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
SHA512: b097b10dcf833740b4bbd922a035c3658e51d8aeb6dd4f27ff1e8661da8c2ea47593e53b6400af5096943e6eebb27407c1c92b3ea2c10913150edad2f593b5b1
SSDEEP: 98304:XFXg7GTzJBVeXbdAWTUjpI5q05tzpMpKcvA0T:XFw7CzgXRAh9O4K5m
Malware Config
Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
All 27 entries share the same description, pid_target and process; only the pid differs.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target: 564
  process: schtasks.exe
  pid: 2760, 4668, 2024, 1888, 4284, 4304, 2384, 2664, 3444, 4204, 2224, 4940, 3800, 4628, 4852, 560, 4928, 5072, 2148, 4908, 1932, 4828, 4744, 4936, 4840, 524, 2268

UAC bypass
  containerSvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  containerSvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  containerSvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
  RuntimeBroker.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  RuntimeBroker.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  RuntimeBroker.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"

YARA rule matches (resource: yara_rule)
  C:\Users\Admin\AppData\Local\Temp\DCRE.exe: dcrat (listed 3 times)
  C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe: dcrat (listed 2 times)
  behavioral2/memory/4392-180-0x0000000000E70000-0x0000000001180000-memory.dmp: dcrat
  C:\Windows\Temp\Crashpad\dllhost.exe: dcrat
  C:\Recovery\WindowsRE\RuntimeBroker.exe: dcrat (listed 2 times)
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation by each of:
  a29004d57b0582196965b9344e0eb7b4.exe
  DCRE.exe
  WScript.exe
  containerSvc.exe
  RuntimeBroker.exe

Executes dropped EXE 4 IoCs
  pid 3936 DCRE.exe
  pid 4424 SLIPWARE.exe
  pid 4392 containerSvc.exe
  pid 3980 RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks whether UAC is enabled
  containerSvc.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  containerSvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  RuntimeBroker.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  RuntimeBroker.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Drops file in Program Files directory 2 IoCs
  containerSvc.exe: File created C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe
  containerSvc.exe: File created C:\Program Files\Windows NT\TableTextService\en-US\cc11b995f2a76d

Drops file in Windows directory 5 IoCs
  containerSvc.exe: File created C:\Windows\PolicyDefinitions\ja-JP\services.exe
  containerSvc.exe: File created C:\Windows\PolicyDefinitions\ja-JP\c5b4cb5e9653cc
  containerSvc.exe: File created C:\Windows\TAPI\fontdrvhost.exe
  containerSvc.exe: File created C:\Windows\TAPI\5b884080fd4f94
  containerSvc.exe: File created C:\Windows\OCR\en-us\cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe pids: 4304, 2664, 4936, 524, 2760, 4744, 1888, 2384, 4940, 4668, 3444, 3800, 4928, 4284, 2224, 5072, 4828, 4840, 2268, 2024, 4852, 1932, 4204, 560, 2148, 4628, 4908

Modifies registry class 2 IoCs
  DCRE.exe: Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings
  RuntimeBroker.exe: Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses 64 IoCs
  64 entries (pid, process), all from three processes: 4424 SLIPWARE.exe, 4392 containerSvc.exe, 3980 RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid 3980 RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
  Token: SeDebugPrivilege, pid 4424 SLIPWARE.exe
  Token: SeDebugPrivilege, pid 4392 containerSvc.exe
  Token: SeDebugPrivilege, pid 3980 RuntimeBroker.exe
  Token: SeBackupPrivilege, pid 4172 vssvc.exe
  Token: SeRestorePrivilege, pid 4172 vssvc.exe
  Token: SeAuditPrivilege, pid 4172 vssvc.exe

Suspicious use of WriteProcessMemory 22 IoCs
  PID 1064 (a29004d57b0582196965b9344e0eb7b4.exe) wrote to memory of 3936 (DCRE.exe): 3 entries
  PID 1064 (a29004d57b0582196965b9344e0eb7b4.exe) wrote to memory of 4424 (SLIPWARE.exe): 2 entries
  PID 3936 (DCRE.exe) wrote to memory of 32 (WScript.exe): 3 entries
  PID 3936 (DCRE.exe) wrote to memory of 3836 (WScript.exe): 3 entries
  PID 32 (WScript.exe) wrote to memory of 4492 (cmd.exe): 3 entries
  PID 4492 (cmd.exe) wrote to memory of 4392 (containerSvc.exe): 2 entries
  PID 4392 (containerSvc.exe) wrote to memory of 3980 (RuntimeBroker.exe): 2 entries
  PID 3980 (RuntimeBroker.exe) wrote to memory of 3816 (WScript.exe): 2 entries
  PID 3980 (RuntimeBroker.exe) wrote to memory of 1404 (WScript.exe): 2 entries

System policy modification 1 TTPs 6 IoCs
  containerSvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  containerSvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  containerSvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
  RuntimeBroker.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  RuntimeBroker.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  RuntimeBroker.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows the parent/child depth in the process tree; each entry gives the image path, the command line, and the signatures that fired for it)

C:\Users\Admin\AppData\Local\Temp\a29004d57b0582196965b9344e0eb7b4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a29004d57b0582196965b9344e0eb7b4.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DCRE.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DCRE.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat" "
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
          command line: "C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe"
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          C:\Recovery\WindowsRE\RuntimeBroker.exe
            command line: "C:\Recovery\WindowsRE\RuntimeBroker.exe"
            - UAC bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Windows\System32\WScript.exe
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba1be1e6-d526-485a-b01a-ec962b9c74ba.vbs"
            C:\Windows\System32\WScript.exe
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\536c4fa1-321e-4376-aeda-d25e47da90ce.vbs"
    C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs"
  C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (27 top-level instances; every one of them is flagged with "Process spawned unexpected child process" and "Creates scheduled task(s)")
  command lines:
  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\sihost.exe'" /f
  schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /f
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /f
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /f
  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'" /f
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\fontdrvhost.exe'" /f
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\TAPI\fontdrvhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\fontdrvhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\odt\sysmon.exe'" /f
  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /f
  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
Downloads (each dropped file is listed once; identical entries repeated in the original report are collapsed)

C:\Recovery\WindowsRE\RuntimeBroker.exe
  Filesize: 3.0MB
  MD5: bc8ab70d4bf5934131878ca8bf79e792
  SHA1: 48cac83b05468b0061e3a9d7e7f44ce638216b8a
  SHA256: 29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa
  SHA512: 31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

C:\Users\Admin\AppData\Local\Temp\536c4fa1-321e-4376-aeda-d25e47da90ce.vbs
  Filesize: 491B
  MD5: dda8f6591cfeff38b137583fa2250939
  SHA1: daa47f92b77c6f012fa0583ded991988f58fd4df
  SHA256: b64b356270a5aae435e77cf114230753b54d91c74d997316e0f8ad1a88b6ca15
  SHA512: a8a3434e9c1b5ca803da7ff722753eb53588f486247a57ceabaee104782734aac3287a683efe45174889f1e615d19aac6d3c3e34fcd9fb631eab5c2a6f3bb4a6

C:\Users\Admin\AppData\Local\Temp\DCRE.exe
  Filesize: 3.3MB
  MD5: 13146f7d739a36053c50fbd0aa3e9d8d
  SHA1: de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c
  SHA256: f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6
  SHA512: c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
  Filesize: 563KB
  MD5: 6a0aa70c2ae786f560c7261c5c5f34b0
  SHA1: 42cf55d6070e88f12870aa78c0bf19d72c68fa5d
  SHA256: 0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9
  SHA512: 58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

C:\Users\Admin\AppData\Local\Temp\ba1be1e6-d526-485a-b01a-ec962b9c74ba.vbs
  Filesize: 715B
  MD5: c713f6bf1edec7c4ea3a00b3176e19a8
  SHA1: 733f495075cbe125080cb7adeacbaa209e6a62cb
  SHA256: 1886c56cb574714bf7bc108b367aed59b683eb554c9d5d6d5a1fed051e4e86bf
  SHA512: 46a815eff435a8f1c733833f71c69ad72e44af9052ace8d7144560549bccfc16c23c49381658df2378b2d4dd35ab5f433445bfee22212147220e8a0acc388b55

C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat
  Filesize: 41B
  MD5: 6daccbefb453cde7378d378574cc9c7b
  SHA1: 92b2145db1421878ffbdad18ba046247b2a4b159
  SHA256: 6a770c19c51d3806aedcff4d99c12b2e74e979050d68ea84c17adf5f10684041
  SHA512: 7cbbed8110e59c03aedbac23c8a85c4afac7c1671b36bb1a0947b3bcb1e35305cc8dd75104993d07de18c385a73840caa3a7ca2d2e5e8d444dcf56f420104308

C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe
  Filesize: 217B
  MD5: e176c5bbb3e43b082a130d9b7af304c8
  SHA1: cde44f62e6a436279028c7009833b8daf5171476
  SHA256: f188560cf6c0b289e72f5d142d22f7b52b856928769a09acae5464671b54e84a
  SHA512: 95ec5a92acbbf337ff2519ac511fba3fe1cc56c8baa4c283e130ea2550b275b8b42c65f773d3fbe5f900f08fb788117b1d3e22574cf09210ada4224077455dbe

C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
  Filesize: 3.0MB
  MD5: bc8ab70d4bf5934131878ca8bf79e792
  SHA1: 48cac83b05468b0061e3a9d7e7f44ce638216b8a
  SHA256: 29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa
  SHA512: 31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs
  Filesize: 34B
  MD5: 677cc4360477c72cb0ce00406a949c61
  SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
  SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
  SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\Windows\Temp\Crashpad\dllhost.exe
  Filesize: 3.0MB
  MD5: bc8ab70d4bf5934131878ca8bf79e792
  SHA1: 48cac83b05468b0061e3a9d7e7f44ce638216b8a
  SHA256: 29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa
  SHA512: 31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Memory dumps (resource, Filesize)
  memory/3980-226-0x000000001F430000-0x000000001F5F2000-memory.dmp: 1.8MB
  memory/4392-181-0x000000001BDB0000-0x000000001BDC0000-memory.dmp: 64KB
  memory/4392-183-0x000000001CB00000-0x000000001D028000-memory.dmp: 5.2MB
  memory/4392-182-0x000000001C410000-0x000000001C460000-memory.dmp: 320KB
  memory/4392-180-0x0000000000E70000-0x0000000001180000-memory.dmp: 3.1MB
  memory/4424-172-0x000001BB79570000-0x000001BB7957E000-memory.dmp: 56KB
  memory/4424-171-0x000001BB7B960000-0x000001BB7B998000-memory.dmp: 224KB
  memory/4424-174-0x000001BB7B720000-0x000001BB7B730000-memory.dmp: 64KB
  memory/4424-175-0x000001BB7B720000-0x000001BB7B730000-memory.dmp: 64KB
  memory/4424-170-0x000001BB79550000-0x000001BB79558000-memory.dmp: 32KB
  memory/4424-169-0x000001BB79640000-0x000001BB7965A000-memory.dmp: 104KB
  memory/4424-213-0x000001BB7B720000-0x000001BB7B730000-memory.dmp: 64KB
  memory/4424-214-0x000001BB7B720000-0x000001BB7B730000-memory.dmp: 64KB
  memory/4424-222-0x000001BB7B720000-0x000001BB7B730000-memory.dmp: 64KB
  memory/4424-163-0x000001BB7B720000-0x000001BB7B730000-memory.dmp: 64KB
  memory/4424-153-0x000001BB79110000-0x000001BB791A2000-memory.dmp: 584KB
  memory/4424-225-0x000001BB7B720000-0x000001BB7B730000-memory.dmp: 64KB
  memory/4424-173-0x000001BB7B720000-0x000001BB7B730000-memory.dmp: 64KB