Analysis
-
max time kernel
32s -
max time network
33s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system -
submitted
20-06-2024 22:28
Behavioral task
behavioral1
Sample
valiantspooferpaid.exe
Resource
win10v2004-20240611-en
General
-
Target
valiantspooferpaid.exe
-
Size
1.9MB
-
MD5
957ba1a651b750713d78d437ed8a3c7a
-
SHA1
14fdc69fc21dc9516931f5227d5d66ac1598c69a
-
SHA256
7b6a4e1d88e9c477ac1b77f3255a9daa54c083830ad81687cd45b2f237b8237c
-
SHA512
c1ee2c80192b3f6a501d9958f49565111bdd7ee962fd05e5aab6af5fffc8bb41fb11f56ad590d60915271ecf2e9f774dd58472b6431b9cbebebfc9596efc85b5
-
SSDEEP
24576:u2G/nvxW3WieC8cVmgkR6glsR3osU0Fn98UNnFihpdTGL48uZt+x4M2rPmG1GUXH:ubA3j8c0SUk9jcH8kjM2rPVr8sLN
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is WmiPrvSE.exe (PID 2688), the WMI provider host, which is the parent a process gets when it is created through WMI (Win32_Process.Create), and all 57 children are the schtasks.exe persistence commands listed in the process tree. The lineage therefore indicates that the tasks were registered through WMI, not that WmiPrvSE itself was exploited; WmiPrvSE.exe spawning schtasks.exe is still a strong detection signal because the pairing is uncommon outside management tooling that drives schtasks through WMI.
Processes:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
parent pid: 2688 (wmiprvse.exe)
target process: schtasks.exe, one event per child PID:
1360, 4668, 1016, 1148, 3612, 1640, 2204, 4016, 1280, 3088, 2884, 4076, 440, 3360, 4160, 3628, 4244, 2780, 3516, 1340, 3488, 2364, 1156, 4956, 5092, 432, 3160, 2436, 5064, 5012, 1204, 3368, 1564, 4444, 4348, 636, 3996, 2692, 3076, 2384, 2496, 3688, 3116, 2792, 324, 1552, 4780, 3392, 1528, 3148, 3180, 1496, 1620, 2968, 4272, 5100, 4004 -
UAC bypass 1 TTPs 6 IoCs
Both dropped binaries rewrite the machine-wide UAC policy: EnableLUA = 0 disables UAC outright (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 makes administrators elevate without a prompt, and PromptOnSecureDesktop = 0 turns off the secure desktop for any prompt that remains. These values live under HKLM, so the sample was already running with administrative rights when it wrote them.
Processes: Windrivercrt.exe, smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Windrivercrt.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (Windrivercrt.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (Windrivercrt.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (smss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (smss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (smss.exe) -
Processes (YARA rule matches):
resource C:\msAgentServer\Windrivercrt.exe | rule dcrat
resource behavioral1/memory/2888-13-0x0000000000F60000-0x00000000010FE000-memory.dmp (Windrivercrt.exe, PID 2888) | rule dcrat -
Disables Task Manager via registry modification
The reg.exe child in the process tree (PID 2156) sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1 (REG_DWORD).
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: valiantspooferpaid.exe, WScript.exe, Windrivercrt.exe, smss.exe
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation (valiantspooferpaid.exe)
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation (WScript.exe)
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation (Windrivercrt.exe)
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation (smss.exe) -
Executes dropped EXE 2 IoCs
Processes: Windrivercrt.exe, smss.exe
PID 2888 Windrivercrt.exe
PID 1664 smss.exe -
Checks whether UAC is enabled 4 IoCs
Processes: Windrivercrt.exe, smss.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Windrivercrt.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Windrivercrt.exe)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (smss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (smss.exe) -
Drops file in Program Files directory 12 IoCs
Every executable dropped here carries the name of a Windows system binary but sits outside the Windows directory, and each is accompanied in the same directory by a file whose name is 14 hexadecimal characters.
Processes: Windrivercrt.exe
File created C:\Program Files\Microsoft Office\cmd.exe
File created C:\Program Files\Microsoft Office\ebf1f9fa8afd6d
File created C:\Program Files\Windows Mail\spoolsv.exe
File created C:\Program Files\Windows Mail\RuntimeBroker.exe
File created C:\Program Files\Windows Mail\f3b6ecef712a24
File created C:\Program Files\Windows Mail\9e8d7a4ca61bd9
File created C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe
File created C:\Program Files\Windows Security\BrowserCore\en-US\6ccacd8608530f
File created C:\Program Files (x86)\Google\Temp\explorer.exe
File created C:\Program Files (x86)\Google\Temp\7a0fd90576e088
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\Registry.exe
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\ee2ad38f3d4382 -
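The drop pattern above (copies of system binaries placed outside the Windows directory, each beside a companion file named with 14 hex characters) lends itself to a disk hunt. The Python script below is an added example written for this page, not code from the sandbox report or from the DcRat project. It builds a constructed directory tree that mirrors several of the drop paths listed above, then flags every masquerading executable found outside the Windows directory together with any companion file next to it. The name list, the `hunt` and `build_sample_tree` helpers and the sample tree are assumptions made for the example; on a real host you would point `hunt` at the volume root.

```python
import re
import tempfile
from pathlib import Path

# File names this sample reuses for its dropped copies. Legitimate copies of the real
# binaries live under the Windows directory (explorer.exe in C:\Windows, most of the
# rest in System32); "Idle" and "Registry" are Task Manager display names for kernel
# processes that have no executable at all, so any Idle.exe or Registry.exe is suspect.
MASQUERADE_NAMES = {
    "dwm.exe", "smss.exe", "runtimebroker.exe", "spoolsv.exe", "sysmon.exe",
    "dllhost.exe", "taskhostw.exe", "fontdrvhost.exe", "explorer.exe", "cmd.exe",
    "startmenuexperiencehost.exe", "backgroundtaskhost.exe", "idle.exe", "registry.exe",
}
# Each dropped executable in this report sits next to a file named with 14 hex digits.
COMPANION = re.compile(r"^[0-9a-f]{14}$")


def hunt(root):
    """Walk `root` (treated as the volume root, so `root/Windows` is %SystemRoot%) and
    return [(relative_path, [companion_names])] for every masquerading executable
    found outside the Windows directory, sorted by path."""
    root = Path(root)
    system_dir = (root / "Windows").resolve()
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.name.lower() not in MASQUERADE_NAMES:
            continue
        try:
            path.resolve().relative_to(system_dir)   # under %SystemRoot%: expected location
            continue
        except ValueError:
            pass
        companions = sorted(p.name for p in path.parent.iterdir()
                            if p.is_file() and COMPANION.match(p.name))
        hits.append((path.relative_to(root).as_posix(), companions))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed layout (assumption for this example) reproducing several drop
    locations from this report, plus legitimate system copies and an unrelated
    file as negatives."""
    layout = {
        "Windows/System32/cmd.exe": b"MZ",                                   # legitimate
        "Windows/explorer.exe": b"MZ",                                       # legitimate
        "Program Files/Windows Mail/spoolsv.exe": b"MZ",
        "Program Files/Windows Mail/f3b6ecef712a24": b"\x00",
        "Program Files/Windows Security/BrowserCore/en-US/Idle.exe": b"MZ",
        "Program Files/Windows Security/BrowserCore/en-US/6ccacd8608530f": b"\x00",
        "Program Files (x86)/Google/Temp/explorer.exe": b"MZ",
        "Program Files (x86)/Google/Temp/7a0fd90576e088": b"\x00",
        "msAgentServer/smss.exe": b"MZ",                                     # no companion
        "Users/Admin/Documents/notes.txt": b"hello",                         # unrelated
    }
    for rel, data in layout.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return Path(base)


def demo():
    """Build the sample tree in a temporary directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel_path, companions in demo():
        print(f"{rel_path}  companion files: {companions or '-'}")
```

The location check deliberately keys on the directory rather than on a hash: the dropped files are freshly built per victim, so a name-outside-expected-path rule survives repacking where a hash list would not. The companion file is reported but not required, because the smss.exe copy in C:\msAgentServer has none.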
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes: valiantspooferpaid.exe, smss.exe
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings (valiantspooferpaid.exe)
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings (smss.exe) -
Modifies registry key 1 TTPs 1 IoCs
reg.exe (PID 2156): the DisableTaskMgr write shown in the process tree.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: 57 schtasks.exe instances (command lines in the process tree), PIDs:
3160, 2968, 3612, 3996, 3368, 440, 4160, 4780, 1528, 1640, 4244, 1620, 1148, 1496, 3116, 5092, 5064, 5100, 2780, 1340, 5012, 1564, 4444, 2496, 3516, 1204, 3488, 2692, 2384, 2792, 324, 4956, 1156, 3688, 3148, 4272, 2364, 4668, 3076, 4004, 1360, 1280, 432, 4348, 1016, 4016, 4076, 3360, 3628, 636, 2204, 2436, 3180, 3088, 1552, 3392, 2884 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: Windrivercrt.exe (PID 2888) and smss.exe (PID 1664); 64 process-enumeration events in total, the first batch from Windrivercrt.exe and the remainder from smss.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
The SeDebugPrivilege requests by the two dropped binaries are the notable entries; SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege are what vssvc.exe normally enables when the Volume Shadow Copy service starts.
Processes: Windrivercrt.exe, smss.exe, vssvc.exe
Token: SeDebugPrivilege 2888 Windrivercrt.exe
Token: SeDebugPrivilege 1664 smss.exe
Token: SeBackupPrivilege 4832 vssvc.exe
Token: SeRestorePrivilege 4832 vssvc.exe
Token: SeAuditPrivilege 4832 vssvc.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Every write here goes from a parent into the child it has just created, which is the normal process-startup pattern; no write crosses into an unrelated process, so these events document the launch chain rather than code injection.
Processes: valiantspooferpaid.exe, WScript.exe, cmd.exe, Windrivercrt.exe, smss.exe
PID 3532 valiantspooferpaid.exe wrote to memory of PID 3180 WScript.exe (3 events)
PID 3180 WScript.exe wrote to memory of PID 2428 cmd.exe (3 events)
PID 2428 cmd.exe wrote to memory of PID 2888 Windrivercrt.exe (2 events)
PID 2888 Windrivercrt.exe wrote to memory of PID 1664 smss.exe (2 events)
PID 2428 cmd.exe wrote to memory of PID 2156 reg.exe (3 events)
PID 1664 smss.exe wrote to memory of PID 2064 WScript.exe (2 events)
PID 1664 smss.exe wrote to memory of PID 3492 WScript.exe (2 events) -
System policy modification 1 TTPs 6 IoCs
Processes: Windrivercrt.exe, smss.exe (the same six writes as under UAC bypass)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (Windrivercrt.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Windrivercrt.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (Windrivercrt.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (smss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (smss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (smss.exe) -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
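The signatures above translate directly into host-based detections. The Python script below is an added example for this page, not code from the sandbox report or from any detection product. It runs three rules over constructed Sysmon-style events (Event ID 1 process creation and Event ID 13 registry SetValue) modelled on this report's IoCs: schtasks.exe whose parent is WmiPrvSE.exe, a schtasks /create that registers a task with /rl HIGHEST, and registry writes that set EnableLUA, ConsentPromptBehaviorAdmin or PromptOnSecureDesktop to 0 or DisableTaskMgr to 1. The event records, the two benign control events and the `parse_schtasks`/`detect` helper names are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events modelled on this report's IoCs (not an export from the
# sandbox run). Field names follow Sysmon Event ID 1 (ProcessCreate) and
# Event ID 13 (RegistryEvent: SetValue); one benign event of each kind is included.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4668, "Image": r"C:\Windows\system32\schtasks.exe",
     "ParentProcessId": 2688, "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "CommandLine": r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f'''},
    {"EventID": 1, "ProcessId": 1360, "Image": r"C:\Windows\system32\schtasks.exe",
     "ParentProcessId": 2688, "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "CommandLine": r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f'''},
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Windows\system32\schtasks.exe",   # benign: admin shell
     "ParentProcessId": 5100, "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Windows\System32\wbadmin.exe" /f'''},
    {"EventID": 13, "ProcessId": 2888, "Image": r"C:\msAgentServer\Windrivercrt.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 2156, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Windows\system32\svchost.exe",     # benign: UAC stays on
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
]

# Lower-cased tail of the policy key, matched under both HKLM and a user hive.
POLICY_KEY = r"\software\microsoft\windows\currentversion\policies\system"
# Value -> data that marks tampering: this sample zeroes the three UAC values and
# sets DisableTaskMgr to 1.
TAMPER_VALUES = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0,
                 "PromptOnSecureDesktop": 0, "DisableTaskMgr": 1}

_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse_schtasks(cmdline):
    """Return the options of a 'schtasks /create' command line as a dict, or None
    if it is not a /create. The sample wraps /tr in two quote layers ("'path'"),
    so both are stripped."""
    if not re.search(r"(^|\s)/create(\s|$)", cmdline, re.IGNORECASE):
        return None
    return {k.lower(): v.strip('"').strip("'") for k, v in _OPT.findall(cmdline)}


def dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return (rule, pid, detail) tuples, in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            child = basename(ev["Image"])
            if child == "schtasks.exe" and basename(ev["ParentImage"]) == "wmiprvse.exe":
                findings.append(("schtasks_via_wmi", ev["ProcessId"],
                                 f"parent pid {ev['ParentProcessId']}"))
            opts = parse_schtasks(ev["CommandLine"]) if child == "schtasks.exe" else None
            if opts and opts.get("rl", "").upper() == "HIGHEST":
                findings.append(("elevated_task", ev["ProcessId"],
                                 f"{opts.get('tn')} -> {opts.get('tr')} ({opts.get('sc')})"))
        elif ev["EventID"] == 13:
            key, _, value = ev["TargetObject"].rpartition("\\")
            expected = TAMPER_VALUES.get(value)
            if key.lower().endswith(POLICY_KEY) and expected is not None and dword(ev["Details"]) == expected:
                findings.append(("policy_tamper", ev["ProcessId"],
                                 f"{value}={expected} by {basename(ev['Image'])}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:18} pid={pid:<5} {detail}")
```

The WMI-parent rule needs no command-line parsing and fires on the first of the 57 tasks; the /rl HIGHEST rule catches the ONLOGON tasks even when the target path looks plausible; the registry rule compares the decoded DWORD against the tampering value, so a legitimate write that leaves EnableLUA at 1 does not fire.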
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\valiantspooferpaid.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\valiantspooferpaid.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3532
  [2] C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID:3180
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
        - Suspicious use of WriteProcessMemory
        PID:2428
      [4] C:\msAgentServer\Windrivercrt.exe
          command line: "C:\msAgentServer\Windrivercrt.exe"
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID:2888
        [5] C:\msAgentServer\smss.exe
            command line: "C:\msAgentServer\smss.exe"
            - UAC bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID:1664
          [6] C:\Windows\System32\WScript.exe
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\375045da-501c-4975-9e9d-54ec61e3b689.vbs"
              PID:2064
          [6] C:\Windows\System32\WScript.exe
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04a1b8c6-672f-4156-ae27-98f94d2949ca.vbs"
              PID:3492
      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - Modifies registry key
          PID:2156
Note on image paths: the WScript.exe, cmd.exe and reg.exe entries under the sample resolve to C:\Windows\SysWOW64\ although their command lines name System32, because the submitted sample is 32-bit (resource tag arch:x86) and WOW64 file-system redirection maps System32 to SysWOW64 for it and the children it launches. The two WScript.exe instances started by the dropped smss.exe resolve to the real System32, so that stage runs as a 64-bit process.
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\msAgentServer\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\msAgentServer\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\msAgentServer\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\msAgentServer\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\msAgentServer\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\msAgentServer\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Pictures\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\msAgentServer\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\msAgentServer\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\msAgentServer\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\msAgentServer\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\msAgentServer\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\msAgentServer\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Registry.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4832
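The twelve schtasks lines above follow one template per dropped binary: a task named after the binary that runs at every logon with /rl HIGHEST, plus near-duplicate names (one trailing letter added) that re-launch the same file every 8 to 14 minutes, all with /f so any existing task of that name is replaced without a warning. The file names copy Windows components (taskhostw.exe, spoolsv.exe, sysmon.exe, and a non-existent Registry.exe), but the paths are C:\Recovery\WindowsRE, C:\Program Files\Windows Mail and a TableTextService\en-US folder. The Python below is an added example, not part of the sandbox report or of the sample, that parses such command lines (from a report like this one, or from Sysmon Event ID 1 / Security 4688) and flags the masquerade. The EXPECTED_DIRS baseline, the 15-minute threshold and the two benign control lines are assumptions for illustration.

```python
"""Flag scheduled-task persistence that hides behind Windows binary names by
parsing schtasks /create command lines. Added example for this report, not code
from the sandbox or the sample; EXPECTED_DIRS and the threshold are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Assumed baseline: lower-case directories where a binary of this name belongs;
# an empty set means no legitimate executable of that name exists at all.
EXPECTED_DIRS = {
    "taskhostw.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "sysmon.exe": {r"c:\windows"},  # assumption: Sysinternals Sysmon install dir
    "registry.exe": set(),  # "Registry" is a kernel pseudo-process, never an .exe
}
HIGH_FREQUENCY_MINUTES = 15  # assumption: tighter re-launch loops are suspect
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # one double-quoted run or one bare word


@dataclass
class TaskCreate:
    name: str
    schedule: str            # /sc value, upper-cased
    modifier: Optional[int]  # /mo value, e.g. minutes between runs
    target: str              # program launched by /tr
    highest: bool            # /rl HIGHEST present
    force: bool              # /f present: replace an existing task silently
    findings: list[str] = field(default_factory=list)


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Return a TaskCreate for a `schtasks /create` line, None for anything else."""
    toks = [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts, i = {}, 0
    while i < len(toks):
        if lowered[i] in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            opts[lowered[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    if "/tn" not in opts or "/tr" not in opts:
        return None
    # The sample wraps the program path in single quotes inside the /tr value.
    m = re.match(r"^'([^']*)'", opts["/tr"].strip())
    program = m.group(1) if m else opts["/tr"].strip().split(" ")[0]
    mo = opts.get("/mo", "")
    return TaskCreate(opts["/tn"], opts.get("/sc", "").upper(),
                      int(mo) if mo.isdigit() else None, program,
                      opts.get("/rl", "").upper() == "HIGHEST", "/f" in lowered)


def assess(task: TaskCreate) -> TaskCreate:
    """Attach findings; an empty list means nothing about the task stood out."""
    directory, _, basename = task.target.rpartition("\\")
    directory, basename = directory.lower(), basename.lower()
    if basename in EXPECTED_DIRS and directory not in EXPECTED_DIRS[basename]:
        task.findings.append(f"{basename} masquerade: launched from {directory or '<relative>'}")
    if task.highest:
        task.findings.append("requests highest available privileges (/rl HIGHEST)")
    if task.schedule == "ONLOGON":
        task.findings.append("logon persistence")
    if (task.schedule == "MINUTE" and task.modifier is not None
            and task.modifier <= HIGH_FREQUENCY_MINUTES):
        task.findings.append(f"re-launch loop every {task.modifier} min")
    return task


def triage(cmdlines: list[str]) -> list[TaskCreate]:
    """Parse and assess every schtasks /create line, skipping other commands."""
    parsed = (parse_schtasks_create(line) for line in cmdlines)
    return [assess(t) for t in parsed if t is not None]


def group_by_target(tasks: list[TaskCreate]) -> dict[str, list[str]]:
    """Task names per launched program: the sample registers several
    near-identical names (sysmon, sysmons) for each implant."""
    groups: dict[str, list[str]] = defaultdict(list)
    for task in tasks:
        groups[task.target.lower()].append(task.name)
    return {target: sorted(names) for target, names in groups.items()}


# Six lines copied from the process tree above plus two constructed benign
# controls (a System32 task and a non-schtasks command) that must stay quiet.
SAMPLE_CMDLINES = r"""
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Registry.exe'" /f
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Registry.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Maintenance" /sc DAILY /st 02:00 /tr "'C:\Windows\System32\taskhostw.exe'" /f
powershell.exe -NoProfile -Command Get-Date
""".strip().splitlines()

if __name__ == "__main__":
    for task in triage(SAMPLE_CMDLINES):
        print(f"{task.name}: {'; '.join(task.findings) or 'nothing flagged'}")
```

The masquerade check compares only the directory, so a legitimately named binary in its real location (the constructed "Maintenance" control) is not reported, while the same name under C:\Recovery\WindowsRE is. group_by_target shows the naming trick directly: each implant path collects two or three task names that differ by a single character.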
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\04a1b8c6-672f-4156-ae27-98f94d2949ca.vbs
Filesize 477B
MD5 7693c60c5692001e188a5ab33a74d627
SHA1 44f59dce5913926e776b6bc249bd939f82fd95d7
SHA256 6567ce27ee6fb2c55515f22aa1e6aefc738942186c3ab89dfe788356c9662833
SHA512 d8255cca3102ee61e447a01250dbd26e0af080f386487dca5306e05337026fa93f9c3c479347366ac30fe61205683db381774ff02c8bd8f70ef560372df234d2
-
C:\Users\Admin\AppData\Local\Temp\375045da-501c-4975-9e9d-54ec61e3b689.vbs
Filesize 701B
MD5 6507770c0cf37a5f5e9520072ede47c9
SHA1 cd8d4ccbe0df46bc0b01990f9eb863ca0c19c121
SHA256 66c41dace28c0f57813c675235559e7ba4f6aeb0af119c9cf580a71773b71bff
SHA512 afb778659b5c4c787ecc03b9fc28035b8f9aea8fc40d6948d03a713f4d49a5b7cce0ec24fc72b7a60748c339b2400f21710ec350bd76911ca479a20e27d44ffb
-
C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat
Filesize 147B
MD5 e1f65135829b69dd7821d59410d13e2a
SHA1 24b0c9b6360afd46c770aec60807e4796bcd31fa
SHA256 addde1c2adf45d57e91d73e20f95087a07ef6f1b0287894a207f54ce57b841a7
SHA512 020241921bd533ef833ccc34a34f4404e2278e586168dc064b74827abf125640783e6b9d00318a955f4a525236d2540a26775b1a980c5be5f4137b79ba1aa985
-
C:\msAgentServer\Windrivercrt.exe
Filesize 1.6MB
MD5 cc022adec49e3a4e30ef5a2574f06349
SHA1 2eb9f31932785a8c31bf505daff842749a34692a
SHA256 a931aa10f393de1169f4616686b3f02c3323f064be3edb69d160dc3e0fe67759
SHA512 7146be48b4ead35d0d1e150784ac2acfaaf14c7c04690f8059ad61787a0eec2bdd04ab84f45f76a5498c5aed80d14a244a7ca4f1781ba0424d8a5f828f80aef0
-
C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe
Filesize 218B
MD5 1ec6b23ee71cd4838514f2984cfbec8f
SHA1 0bdf20ddab114712d7b846535896ac7865a48401
SHA256 d1aebe6120e77195acccb1a39d91e079c83128b54b200d8aaf55e38c852a27ab
SHA512 d673e5ec51cc6ba73289bcc0d126653ce0e650f79bd119e83d68ddae012be40c4dd3793fa6e897b078365c0ce3c4f6efb1c331736ebd2f3b6873a662978dc736
-
memory/1664-79-0x000000001D4A0000-0x000000001D4B2000-memory.dmp
Filesize 72KB
-
memory/2888-21-0x0000000003280000-0x000000000328C000-memory.dmp
Filesize 48KB
-
memory/2888-23-0x000000001C9A0000-0x000000001CEC8000-memory.dmp
Filesize 5.2MB
-
memory/2888-15-0x0000000003300000-0x0000000003350000-memory.dmp
Filesize 320KB
-
memory/2888-18-0x0000000001910000-0x0000000001918000-memory.dmp
Filesize 32KB
-
memory/2888-19-0x0000000001920000-0x0000000001930000-memory.dmp
Filesize 64KB
-
memory/2888-20-0x0000000003270000-0x000000000327A000-memory.dmp
Filesize 40KB
-
memory/2888-17-0x0000000001900000-0x0000000001910000-memory.dmp
Filesize 64KB
-
memory/2888-22-0x0000000003290000-0x00000000032A2000-memory.dmp
Filesize 72KB
-
memory/2888-24-0x00000000032D0000-0x00000000032DC000-memory.dmp
Filesize 48KB
-
memory/2888-16-0x00000000018E0000-0x00000000018E8000-memory.dmp
Filesize 32KB
-
memory/2888-25-0x00000000032E0000-0x00000000032EC000-memory.dmp
Filesize 48KB
-
memory/2888-28-0x0000000003360000-0x0000000003368000-memory.dmp
Filesize 32KB
-
memory/2888-27-0x0000000003350000-0x000000000335E000-memory.dmp
Filesize 56KB
-
memory/2888-26-0x00000000032F0000-0x00000000032FA000-memory.dmp
Filesize 40KB
-
memory/2888-29-0x0000000003370000-0x000000000337C000-memory.dmp
Filesize 48KB
-
memory/2888-14-0x00000000018C0000-0x00000000018DC000-memory.dmp
Filesize 112KB
-
memory/2888-13-0x0000000000F60000-0x00000000010FE000-memory.dmp
Filesize 1.6MB
-
memory/2888-12-0x00007FFCF87B3000-0x00007FFCF87B5000-memory.dmp
Filesize 8KB