Analysis
- max time kernel: 135s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 02:33
Behavioral task behavioral1
- Sample: b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
- Resource: win10v2004-20240426-en
General
- Target: b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
- Size: 2.7MB
- MD5: 9508912e063cac5e940efba1f85ce86f
- SHA1: e6d15f29a811c4470f4b7a245207e9f2d1051e62
- SHA256: b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf
- SHA512: 2581361c9c99904ff11beb75208e3689ef310cdb98fd8a0d71a3f0a3d5480f696fc14a5b8e42075d3df79b89bb2623114763ff75820fa454e053f5f72b875f27
- SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Downloads\\spoolsv.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Downloads\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4076 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 780 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3568 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3052 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 392 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2224 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4184 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 840 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2308 | 4656 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4936 | 4656 | schtasks.exe
UAC bypass 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | OfficeClickToRun.exe
Processes:
resource | yara_rule
behavioral2/memory/1020-1-0x0000000000C00000-0x0000000000EC0000-memory.dmp | dcrat
C:\Program Files (x86)\Windows NT\fontdrvhost.exe | dcrat
Detects executables packed with SmartAssembly 9 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1020-7-0x0000000001860000-0x0000000001870000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1020-12-0x000000001BB50000-0x000000001BB5A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1020-13-0x000000001C1E0000-0x000000001C236000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1020-16-0x000000001BC90000-0x000000001BC9C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1020-19-0x000000001BCC0000-0x000000001BCCC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1020-23-0x000000001C4B0000-0x000000001C4BC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1020-22-0x000000001C3A0000-0x000000001C3AC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1020-25-0x000000001C510000-0x000000001C51A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/4924-89-0x000000001C2C0000-0x000000001C316000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
4924 | OfficeClickToRun.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Downloads\\spoolsv.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Downloads\\spoolsv.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | OfficeClickToRun.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Windows NT\fontdrvhost.exe | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
File opened for modification | C:\Program Files (x86)\Windows NT\fontdrvhost.exe | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
File created | C:\Program Files (x86)\Windows NT\5b884080fd4f94 | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
File opened for modification | C:\Program Files (x86)\Windows NT\RCX53DE.tmp | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3568 | schtasks.exe
3052 | schtasks.exe
392 | schtasks.exe
2224 | schtasks.exe
4184 | schtasks.exe
840 | schtasks.exe
2308 | schtasks.exe
4076 | schtasks.exe
780 | schtasks.exe
1752 | schtasks.exe
4912 | schtasks.exe
4936 | schtasks.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (repeated entries collapsed; 64 in total):
pid | process
1020 | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
3176 | powershell.exe
4924 | OfficeClickToRun.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1020 | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Token: SeDebugPrivilege | 3176 | powershell.exe
Token: SeDebugPrivilege | 4924 | OfficeClickToRun.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1020 wrote to memory of 3176 | 1020 | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe | powershell.exe
PID 1020 wrote to memory of 3176 | 1020 | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe | powershell.exe
PID 1020 wrote to memory of 1560 | 1020 | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe | cmd.exe
PID 1020 wrote to memory of 1560 | 1020 | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe | cmd.exe
PID 1560 wrote to memory of 2112 | 1560 | cmd.exe | w32tm.exe
PID 1560 wrote to memory of 2112 | 1560 | cmd.exe | w32tm.exe
PID 1560 wrote to memory of 4924 | 1560 | cmd.exe | OfficeClickToRun.exe
PID 1560 wrote to memory of 4924 | 1560 | cmd.exe | OfficeClickToRun.exe
System policy modification 1 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1020
  - [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3176
  - [level 2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Q5RNa0biU.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1560
    - [level 3] C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 2112
    - [level 3] C:\Recovery\WindowsRE\OfficeClickToRun.exe
      Command line: "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
      PID: 4924
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4076
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 780
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3568
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3052
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 392
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1752
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2224
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4912
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4184
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 840
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2308
- [level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4936
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1)