Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 16-05-2024 06:46

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 5D474E6A5232B3D3DD5576111A2B22A1.exe
  - Resource: win7-20240508-en

General
- Target: 5D474E6A5232B3D3DD5576111A2B22A1.exe
- Size: 8.4MB
- MD5: 5d474e6a5232b3d3dd5576111a2b22a1
- SHA1: 60923eeaaf6334dde034a338302bcc25a2552618
- SHA256: 942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc
- SHA512: 93794f9a4548c55ab64bdf0a72a5aa08271e7ca58793de0c20c34dbff679638c22a6515e8c402ed8cf41c0a8db25f2aea33a2552fb633f43fc1bcfd7d22fdfae
- SSDEEP: 98304:tVDbpZYm4jCCC08mudOK+rdYsL9mJ+C01l96Y:tVDbpZYxBC0wWrdYB+tl9B

Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (33 instances)
All 33 rows share the same description, pid_target and process; only the pid column differs.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 688
process: schtasks.exe
pid: 1260, 2448, 1528, 1192, 2384, 2360, 2172, 2052, 3060, 2116, 1500, 588, 656, 2480, 2132, 2392, 2348, 2916, 1540, 1360, 2940, 1644, 1056, 1508, 1788, 496, 376, 1188, 1980, 2260, 1252, 2160, 1708

UAC bypass 6 IoCs
Processes: runtimeDhcpCommon.exe, lsass.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | runtimeDhcpCommon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | runtimeDhcpCommon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | runtimeDhcpCommon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe

Processes (YARA rule matches):
resource | yara_rule
behavioral1/memory/3008-0-0x0000000000400000-0x0000000000C6C000-memory.dmp | dcrat
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | dcrat
\surrogatedriverbroker\runtimeDhcpCommon.exe | dcrat
behavioral1/memory/1684-34-0x0000000001210000-0x000000000157A000-memory.dmp | dcrat
behavioral1/memory/2680-99-0x0000000000E20000-0x000000000118A000-memory.dmp | dcrat

Executes dropped EXE 3 IoCs
Processes: DCRatBuild.exe, runtimeDhcpCommon.exe, lsass.exe
pid | process
2820 | DCRatBuild.exe
1684 | runtimeDhcpCommon.exe
2680 | lsass.exe

Loads dropped DLL 3 IoCs
Processes: 5D474E6A5232B3D3DD5576111A2B22A1.exe, cmd.exe
pid | process
3008 | 5D474E6A5232B3D3DD5576111A2B22A1.exe
892 | cmd.exe
892 | cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled 4 IoCs
Processes: runtimeDhcpCommon.exe, lsass.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | runtimeDhcpCommon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | runtimeDhcpCommon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe

Drops file in Program Files directory 2 IoCs
Processes: runtimeDhcpCommon.exe
description | ioc | process
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe | runtimeDhcpCommon.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e | runtimeDhcpCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (33 instances)
process: schtasks.exe (every row)
pid: 1540, 1056, 2448, 2384, 656, 2132, 2392, 2160, 1708, 1528, 2480, 1188, 1980, 1500, 2260, 1252, 1508, 588, 2940, 2172, 3060, 376, 1192, 2360, 2052, 2348, 2916, 1360, 1644, 1788, 1260, 496, 2116

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: runtimeDhcpCommon.exe, lsass.exe
pid | process (identical rows collapsed; repeat count in parentheses)
1684 | runtimeDhcpCommon.exe (11)
2680 | lsass.exe (53)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: lsass.exe
pid | process
2680 | lsass.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: runtimeDhcpCommon.exe, lsass.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1684 | runtimeDhcpCommon.exe
Token: SeDebugPrivilege | 2680 | lsass.exe
Token: SeBackupPrivilege | 1956 | vssvc.exe
Token: SeRestorePrivilege | 1956 | vssvc.exe
Token: SeAuditPrivilege | 1956 | vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes: DllHost.exe
pid | process
2668 | DllHost.exe

Suspicious use of WriteProcessMemory 35 IoCs
Processes: 5D474E6A5232B3D3DD5576111A2B22A1.exe, DCRatBuild.exe, WScript.exe, cmd.exe, runtimeDhcpCommon.exe, cmd.exe, lsass.exe
description | pid | process | target process (identical rows collapsed; repeat count in parentheses)
PID 3008 wrote to memory of 2820 | 3008 | 5D474E6A5232B3D3DD5576111A2B22A1.exe | DCRatBuild.exe (4)
PID 2820 wrote to memory of 2444 | 2820 | DCRatBuild.exe | WScript.exe (4)
PID 2820 wrote to memory of 2520 | 2820 | DCRatBuild.exe | WScript.exe (4)
PID 2444 wrote to memory of 892 | 2444 | WScript.exe | cmd.exe (4)
PID 892 wrote to memory of 1684 | 892 | cmd.exe | runtimeDhcpCommon.exe (4)
PID 1684 wrote to memory of 2496 | 1684 | runtimeDhcpCommon.exe | cmd.exe (3)
PID 2496 wrote to memory of 2908 | 2496 | cmd.exe | w32tm.exe (3)
PID 2496 wrote to memory of 2680 | 2496 | cmd.exe | lsass.exe (3)
PID 2680 wrote to memory of 1812 | 2680 | lsass.exe | WScript.exe (3)
PID 2680 wrote to memory of 2572 | 2680 | lsass.exe | WScript.exe (3)

System policy modification 1 TTPs 6 IoCs
Processes: runtimeDhcpCommon.exe, lsass.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | runtimeDhcpCommon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | runtimeDhcpCommon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | runtimeDhcpCommon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
Process tree; the bracketed number is the depth of the entry in the tree, and each entry lists its image path, command line, PID and the signatures that fired on it.

[1] C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe"
  PID: 3008
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    PID: 2820
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe"
      PID: 2444
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c ""C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat" "
        PID: 892
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [5] C:\surrogatedriverbroker\runtimeDhcpCommon.exe
          cmdline: "C:\surrogatedriverbroker\runtimeDhcpCommon.exe"
          PID: 1684
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          [6] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wEAw5fePeK.bat"
            PID: 2496
            - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\w32tm.exe
              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 2908
            [7] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe
              cmdline: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe"
              PID: 2680
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              [8] C:\Windows\System32\WScript.exe
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdde1f05-25f0-4f3b-8286-a67ed628be8b.vbs"
                PID: 1812
              [8] C:\Windows\System32\WScript.exe
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc21b449-0c5d-46d5-b20e-b84948135605.vbs"
                PID: 2572
    [3] C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\file.vbs"
      PID: 2520

[1] C:\Windows\SysWOW64\DllHost.exe
  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2668
  - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\schtasks.exe (33 top-level instances; every one is flagged "Process spawned unexpected child process" and "Creates scheduled task(s)")
  PID 1260: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /f
  PID 2448: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f
  PID 1528: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f
  PID 1192: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /f
  PID 2384: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
  PID 2360: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
  PID 2172: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
  PID 2052: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
  PID 3060: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
  PID 2116: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
  PID 1500: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
  PID 588: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
  PID 656: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /f
  PID 2480: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /rl HIGHEST /f
  PID 2132: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /rl HIGHEST /f
  PID 2392: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\wscript.exe'" /f
  PID 2348: schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Default\Desktop\wscript.exe'" /rl HIGHEST /f
  PID 2916: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\wscript.exe'" /rl HIGHEST /f
  PID 1540: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\surrogatedriverbroker\csrss.exe'" /f
  PID 1360: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\surrogatedriverbroker\csrss.exe'" /rl HIGHEST /f
  PID 2940: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\surrogatedriverbroker\csrss.exe'" /rl HIGHEST /f
  PID 1644: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
  PID 1056: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  PID 1508: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  PID 1788: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\surrogatedriverbroker\wscript.exe'" /f
  PID 496: schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f
  PID 376: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f
  PID 1188: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\surrogatedriverbroker\wscript.exe'" /f
  PID 1980: schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f
  PID 2260: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f
  PID 1252: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
  PID 2160: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
  PID 1708: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f

[1] C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  PID: 1956
  - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbem\WmiApSrv.exe
  cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 540

Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)

Downloads