Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 14:27
Behavioral task: behavioral1
- Sample: AgE312YolF45.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: AgE312YolF45.exe
- Resource: win10v2004-20240611-en
General
- Target: AgE312YolF45.exe
- Size: 2.0MB
- MD5: 3c85f943f1f46c62c996d02b335ead81
- SHA1: d19a217efea23a93c24541c0027e2bb19a32a148
- SHA256: 3f55ade4a555c326fc309c8478b1abe8acb9d24ca3496d5a3e65256c35b81ee7
- SHA512: 24220be76b6723f87c8a3b690d1ef3f876682e6fd156f5dc087d88ca7d1e020e6171354838ece2952341835babf63e51f4bd89626a2420f730b524787be34b8b
- SSDEEP: 24576:u2G/nvxW3WieCYSoWse8bvSGOkDSqMdxcXZLE2XTo6+2lXgW8/ezB8diUV6gwvB+:ubA3jYSovbvSXqGsLw6RXRgBdF6rZYdt
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process (30 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (30 instances)
Columns: description | pid | pid_target | process | target process
Description (identical for all 30 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- pid 2624 | pid_target 2544 | schtasks.exe
- pid 2768 | pid_target 2544 | schtasks.exe
- pid 3028 | pid_target 2544 | schtasks.exe
- pid 2852 | pid_target 2544 | schtasks.exe
- pid 2636 | pid_target 2544 | schtasks.exe
- pid 2908 | pid_target 2544 | schtasks.exe
- pid 2348 | pid_target 2544 | schtasks.exe
- pid 2412 | pid_target 2544 | schtasks.exe
- pid 2432 | pid_target 2544 | schtasks.exe
- pid 2512 | pid_target 2544 | schtasks.exe
- pid 2008 | pid_target 2544 | schtasks.exe
- pid 316 | pid_target 2544 | schtasks.exe
- pid 1884 | pid_target 2544 | schtasks.exe
- pid 2440 | pid_target 2544 | schtasks.exe
- pid 1188 | pid_target 2544 | schtasks.exe
- pid 2616 | pid_target 2544 | schtasks.exe
- pid 1996 | pid_target 2544 | schtasks.exe
- pid 1536 | pid_target 2544 | schtasks.exe
- pid 1528 | pid_target 2544 | schtasks.exe
- pid 1692 | pid_target 2544 | schtasks.exe
- pid 1056 | pid_target 2544 | schtasks.exe
- pid 1204 | pid_target 2544 | schtasks.exe
- pid 2956 | pid_target 2544 | schtasks.exe
- pid 1384 | pid_target 2544 | schtasks.exe
- pid 1444 | pid_target 2544 | schtasks.exe
- pid 264 | pid_target 2544 | schtasks.exe
- pid 776 | pid_target 2544 | schtasks.exe
- pid 1476 | pid_target 2544 | schtasks.exe
- pid 1744 | pid_target 2544 | schtasks.exe
- pid 1128 | pid_target 2544 | schtasks.exe
-
Processes: ServerSaveshost.exe, csrss.exe
Columns: description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ServerSaveshost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ServerSaveshost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ServerSaveshost.exe
-
Processes:
Columns: resource | yara_rule
- C:\ReviewRuntimenet\ServerSaveshost.exe | dcrat
- behavioral1/memory/2936-13-0x0000000000D90000-0x0000000000F44000-memory.dmp | dcrat
- behavioral1/memory/1696-56-0x0000000000030000-0x00000000001E4000-memory.dmp | dcrat
-
Disables Task Manager via registry modification
-
Executes dropped EXE (2 IoCs)
Processes: ServerSaveshost.exe, csrss.exe
Columns: pid | process
- 2936 | ServerSaveshost.exe
- 1696 | csrss.exe
-
Loads dropped DLL (2 IoCs)
Processes: cmd.exe
Columns: pid | process
- 2752 | cmd.exe
- 2752 | cmd.exe
-
Processes: ServerSaveshost.exe, csrss.exe
Columns: description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ServerSaveshost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ServerSaveshost.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
-
Drops file in Program Files directory (10 IoCs)
Processes: ServerSaveshost.exe
Columns: description | ioc | process
- File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe | ServerSaveshost.exe
- File created | C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe | ServerSaveshost.exe
- File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f3b6ecef712a24 | ServerSaveshost.exe
- File created | C:\Program Files\Mozilla Firefox\fonts\lsm.exe | ServerSaveshost.exe
- File created | C:\Program Files\Mozilla Firefox\fonts\101b941d020240 | ServerSaveshost.exe
- File created | C:\Program Files\Windows Journal\Templates\explorer.exe | ServerSaveshost.exe
- File created | C:\Program Files\Windows Journal\Templates\7a0fd90576e088 | ServerSaveshost.exe
- File created | C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe | ServerSaveshost.exe
- File created | C:\Program Files\Microsoft Office\Office14\1033\cc11b995f2a76d | ServerSaveshost.exe
- File created | C:\Program Files (x86)\Windows Mail\it-IT\f3b6ecef712a24 | ServerSaveshost.exe
-
Drops file in Windows directory (2 IoCs)
Processes: ServerSaveshost.exe
Columns: description | ioc | process
- File created | C:\Windows\Prefetch\ReadyBoot\csrss.exe | ServerSaveshost.exe
- File created | C:\Windows\Prefetch\ReadyBoot\886983d96e3d3e | ServerSaveshost.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key (1 TTPs, 1 IoCs)
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 30 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (30 instances)
Columns: pid | process
- 2636 | schtasks.exe
- 2412 | schtasks.exe
- 1884 | schtasks.exe
- 2956 | schtasks.exe
- 2440 | schtasks.exe
- 1528 | schtasks.exe
- 1056 | schtasks.exe
- 1384 | schtasks.exe
- 1128 | schtasks.exe
- 2624 | schtasks.exe
- 2908 | schtasks.exe
- 316 | schtasks.exe
- 1188 | schtasks.exe
- 1444 | schtasks.exe
- 776 | schtasks.exe
- 2008 | schtasks.exe
- 2616 | schtasks.exe
- 1996 | schtasks.exe
- 1692 | schtasks.exe
- 264 | schtasks.exe
- 1744 | schtasks.exe
- 1536 | schtasks.exe
- 1476 | schtasks.exe
- 3028 | schtasks.exe
- 2852 | schtasks.exe
- 2432 | schtasks.exe
- 2512 | schtasks.exe
- 1204 | schtasks.exe
- 2768 | schtasks.exe
- 2348 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: ServerSaveshost.exe, csrss.exe
Columns: pid | process (duplicate rows collapsed, with the number of occurrences)
- 2936 | ServerSaveshost.exe (5 occurrences)
- 1696 | csrss.exe (59 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: csrss.exe
Columns: pid | process
- 1696 | csrss.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: ServerSaveshost.exe, csrss.exe, vssvc.exe
Columns: description | pid | process
- Token: SeDebugPrivilege | 2936 | ServerSaveshost.exe
- Token: SeDebugPrivilege | 1696 | csrss.exe
- Token: SeBackupPrivilege | 1968 | vssvc.exe
- Token: SeRestorePrivilege | 1968 | vssvc.exe
- Token: SeAuditPrivilege | 1968 | vssvc.exe
-
Suspicious use of WriteProcessMemory (31 IoCs)
Processes: AgE312YolF45.exe, WScript.exe, cmd.exe, ServerSaveshost.exe, cmd.exe, csrss.exe
Columns: description | pid | process | target process (duplicate rows collapsed, with the number of occurrences)
- PID 2124 wrote to memory of 1512 | 2124 | AgE312YolF45.exe | WScript.exe (4 occurrences)
- PID 1512 wrote to memory of 2752 | 1512 | WScript.exe | cmd.exe (4 occurrences)
- PID 2752 wrote to memory of 2936 | 2752 | cmd.exe | ServerSaveshost.exe (4 occurrences)
- PID 2936 wrote to memory of 1812 | 2936 | ServerSaveshost.exe | cmd.exe (3 occurrences)
- PID 2752 wrote to memory of 2224 | 2752 | cmd.exe | reg.exe (4 occurrences)
- PID 1812 wrote to memory of 2236 | 1812 | cmd.exe | w32tm.exe (3 occurrences)
- PID 1812 wrote to memory of 1696 | 1812 | cmd.exe | csrss.exe (3 occurrences)
- PID 1696 wrote to memory of 1636 | 1696 | csrss.exe | WScript.exe (3 occurrences)
- PID 1696 wrote to memory of 820 | 1696 | csrss.exe | WScript.exe (3 occurrences)
-
System policy modification (1 TTPs, 6 IoCs)
Processes: ServerSaveshost.exe, csrss.exe
Columns: description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ServerSaveshost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ServerSaveshost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ServerSaveshost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; the number in brackets is the depth in the tree, indentation follows the parent/child relationship)
- [1] C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2124
  - [2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\ReviewRuntimenet\21ZjY.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 1512
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2752
      - [4] C:\ReviewRuntimenet\ServerSaveshost.exe
        Command line: "C:\ReviewRuntimenet\ServerSaveshost.exe"
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2936
        - [5] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bp2QSrQG1f.bat"
          - Suspicious use of WriteProcessMemory
          PID: 1812
          - [6] C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 2236
          - [6] C:\Windows\Prefetch\ReadyBoot\csrss.exe
            Command line: "C:\Windows\Prefetch\ReadyBoot\csrss.exe"
            - UAC bypass
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID: 1696
            - [7] C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca9caac2-0768-4a73-8b8a-dd2fc8c21f8c.vbs"
              PID: 1636
            - [7] C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\197153c0-cdbd-4f7c-903b-943b36c4b484.vbs"
              PID: 820
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
        PID: 2224
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\ReviewRuntimenet\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2624
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ReviewRuntimenet\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2768
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\ReviewRuntimenet\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3028
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2852
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2636
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2908
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2348
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2412
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2432
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2512
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2008
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 316
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1884
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2440
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1188
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2616
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1996
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1536
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1528
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1692
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1056
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1204
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2956
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1384
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1444
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 264
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 776
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1476
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1744
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1128
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1968
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\ReviewRuntimenet\21ZjY.vbe
  Filesize: 213B
  MD5: 09a35d6cb1e2ea076586988cdbcc940a
  SHA1: 7e062f07474330abdab5d77ad336bc0a3532ca89
  SHA256: 6d8ba67017098b244d617acea6d2e70b47db126ca14924b9a82703bae95a5c38
  SHA512: 2f3100f18b3aa18abdbead9e8955af0eebdf451ed0ec987306fcc73bda195933b8fe8c59be7a8f777192890260efb96edaf6b3c04ce56e3151c7a0c9ee960f7c
- C:\ReviewRuntimenet\ServerSaveshost.exe
  Filesize: 1.7MB
  MD5: 88e250828f656440b29f7be2b67b5d44
  SHA1: 86c19cccc181827c99f8703f017ee2d22a1ffe1e
  SHA256: 67d4916350ff960cd46e98f0c1d00290b63eb8a6c94c3595e76245d4ae4706d0
  SHA512: 11c7da52c1a67af894608dad046cf85947f64e74ecaae20edbf3f748ee0a9b65d3a5a03ceb1a690016de883fa39a5fba384cb6d031a09a086e323367f7de3c1f
- C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat
  Filesize: 153B
  MD5: 285b91a7a5b84ebdca3dc8f49a68638c
  SHA1: 61c9262f49da3afdf6310efd11108adb9b8283ff
  SHA256: 59ddfb2705077e864946fe450625206671a1faafc9e46704ca108b4196d24f99
  SHA512: 7ce8348ddb6571aaadcce2e8780d3032055a2bded51e9dd4a2eb1aa1f7f24ea9258322dae8c15223ed92b83681f2b5333b0e828239624b1e929771a4b670601d
- C:\Users\Admin\AppData\Local\Temp\197153c0-cdbd-4f7c-903b-943b36c4b484.vbs
  Filesize: 491B
  MD5: bd4c600493d8b3ebd31c567615c86f8b
  SHA1: 8e67b7fccff39954c19672b603f06b1e5a96235c
  SHA256: 1753230cbb0f1f6a54464b5810e8a7f3efcfbbe80fdfb8560889babb33eff8fd
  SHA512: ab58c3eb65f99565b53964bb5b66f425ec55c7a2fd349ec53c9ec9344bcf43e12fe957b1a3b63df928cc3ab31cf6d5ea2b8166ed7e058f2b7aa9b64a0585d157
- C:\Users\Admin\AppData\Local\Temp\bp2QSrQG1f.bat
  Filesize: 204B
  MD5: bbaa8dc024c5443c733dc9bea0bc6867
  SHA1: 2dceb80cf2db133a2febff76767c0fb96d11d682
  SHA256: af0cdd446ec2a2aeca814db2dc871f9b2326c75c2c915ad181a69a3f5fdb009c
  SHA512: 535d846c74f3eb3666447e551c3011931642eac6f86d49f577b59a6ae1acb39825265aa2fdd58a3c7508c4c3e247f5c78520e53528bb03003ad7455d97a45736
- C:\Users\Admin\AppData\Local\Temp\ca9caac2-0768-4a73-8b8a-dd2fc8c21f8c.vbs
  Filesize: 715B
  MD5: 1c481223b8099c98cab692f597865dee
  SHA1: 1015dc2476dd3e8b3318590c3b01c0682fb0dc41
  SHA256: 38659c5e3886ba04e5bffeb716b55cb38a9b1c6648251fe0a033837a61c727f2
  SHA512: 40cd2963de7b4365a32b35eca77446f0bf1a1152df1cd934c51b6ec3bbecb7b433409a4b6294d1f626962fa0e21d9436b48158f5246fa21ba7bf06ce7d05c9ad
- memory/1696-57-0x0000000000920000-0x0000000000932000-memory.dmp
  Filesize: 72KB
- memory/1696-56-0x0000000000030000-0x00000000001E4000-memory.dmp
  Filesize: 1.7MB
- memory/2936-22-0x0000000000BC0000-0x0000000000BCC000-memory.dmp
  Filesize: 48KB
- memory/2936-25-0x0000000000BE0000-0x0000000000BEE000-memory.dmp
  Filesize: 56KB
- memory/2936-20-0x0000000000660000-0x000000000066C000-memory.dmp
  Filesize: 48KB
- memory/2936-21-0x0000000000670000-0x0000000000682000-memory.dmp
  Filesize: 72KB
- memory/2936-18-0x0000000000640000-0x0000000000648000-memory.dmp
  Filesize: 32KB
- memory/2936-23-0x0000000000BD0000-0x0000000000BDC000-memory.dmp
  Filesize: 48KB
- memory/2936-24-0x000000001A6E0000-0x000000001A6EA000-memory.dmp
  Filesize: 40KB
- memory/2936-19-0x0000000000650000-0x000000000065A000-memory.dmp
  Filesize: 40KB
- memory/2936-26-0x0000000000BF0000-0x0000000000BF8000-memory.dmp
  Filesize: 32KB
- memory/2936-27-0x000000001A6D0000-0x000000001A6DA000-memory.dmp
  Filesize: 40KB
- memory/2936-28-0x000000001A8D0000-0x000000001A8DC000-memory.dmp
  Filesize: 48KB
- memory/2936-17-0x0000000000510000-0x0000000000526000-memory.dmp
  Filesize: 88KB
- memory/2936-16-0x0000000000380000-0x0000000000390000-memory.dmp
  Filesize: 64KB
- memory/2936-15-0x0000000000370000-0x0000000000378000-memory.dmp
  Filesize: 32KB
- memory/2936-14-0x0000000000150000-0x000000000016C000-memory.dmp
  Filesize: 112KB
- memory/2936-13-0x0000000000D90000-0x0000000000F44000-memory.dmp
  Filesize: 1.7MB