Analysis
-
max time kernel
136s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
21-07-2024 07:50
Static task
static1
Behavioral task
behavioral1
Sample
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe
Resource
win10v2004-20240709-en
General
-
Target
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe
-
Size
2.7MB
-
MD5
90094c2066f9e53cb9217876c833c269
-
SHA1
da9086b65e114257168e634cc921e1ab1c069144
-
SHA256
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0
-
SHA512
ef4a15be7efa9ac59c991c64c5afa5fb9e8015334f69e1c64315f788345c456fec5caf58605ccf08afaf16f1a2f7cc2fda1ffd85850d6c2ea268c63efc261aa8
-
SSDEEP
49152:+o0vjh94l17uf+lwSV64uaQ+AMqAXKM5VIZsTirMC6gOpkXF3eew0w2Gc2MAPRT0:+p87WSV69aQ+GW5CZsTirMjRkOow2H2U
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 400 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4888 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4908 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2464 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3668 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1028 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3644 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1448 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4972 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2088 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2212 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4364 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4324 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4288 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1780 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4804 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3308 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 636 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3628 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1212 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2852 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1036 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4076 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3808 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2328 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4860 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3392 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2908 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 412 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1248 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 404 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1060 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4404 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4188 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 644 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1620 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4660 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3768 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3188 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4756 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1188 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3896 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3816 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 60 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 876 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3940 2496 schtasks.exe -
Processes:
MsHostsvc.exeWmiPrvSE.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe dcrat C:\bridgeServercomponentFontDriver\MsHostsvc.exe dcrat behavioral2/memory/1604-30-0x0000000000760000-0x0000000000A22000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exeíóòèïàõóé.exeWScript.exeMsHostsvc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation íóòèïàõóé.exe Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation MsHostsvc.exe -
Executes dropped EXE 4 IoCs
Processes:
CrackLauncher.exeíóòèïàõóé.exeMsHostsvc.exeWmiPrvSE.exepid process 2492 CrackLauncher.exe 4148 íóòèïàõóé.exe 1604 MsHostsvc.exe 64 WmiPrvSE.exe -
Processes:
WmiPrvSE.exeMsHostsvc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe -
Drops file in Program Files directory 10 IoCs
Processes:
MsHostsvc.exedescription ioc process File created C:\Program Files\Mozilla Firefox\browser\features\c82b8037eab33d MsHostsvc.exe File created C:\Program Files (x86)\Windows Defender\fr-FR\121e5b5079f7c0 MsHostsvc.exe File created C:\Program Files (x86)\Windows Media Player\cmd.exe MsHostsvc.exe File created C:\Program Files (x86)\Windows Media Player\ebf1f9fa8afd6d MsHostsvc.exe File created C:\Program Files (x86)\Internet Explorer\dwm.exe MsHostsvc.exe File created C:\Program Files (x86)\Internet Explorer\6cb0b6c459d5d3 MsHostsvc.exe File created C:\Program Files\Mozilla Firefox\browser\features\WaaSMedicAgent.exe MsHostsvc.exe File created C:\Program Files (x86)\Windows Defender\fr-FR\sysmon.exe MsHostsvc.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe MsHostsvc.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5b884080fd4f94 MsHostsvc.exe -
Drops file in Windows directory 6 IoCs
Processes:
MsHostsvc.exedescription ioc process File created C:\Windows\ja-JP\WmiPrvSE.exe MsHostsvc.exe File created C:\Windows\ja-JP\24dbde2999530e MsHostsvc.exe File created C:\Windows\bcastdvr\explorer.exe MsHostsvc.exe File created C:\Windows\bcastdvr\7a0fd90576e088 MsHostsvc.exe File created C:\Windows\InputMethod\CHT\StartMenuExperienceHost.exe MsHostsvc.exe File created C:\Windows\InputMethod\CHT\55b276f4edf653 MsHostsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
íóòèïàõóé.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings íóòèïàõóé.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4908 schtasks.exe 2908 schtasks.exe 412 schtasks.exe 4404 schtasks.exe 2692 schtasks.exe 4888 schtasks.exe 2212 schtasks.exe 4804 schtasks.exe 636 schtasks.exe 644 schtasks.exe 3188 schtasks.exe 4288 schtasks.exe 1740 schtasks.exe 2708 schtasks.exe 2868 schtasks.exe 60 schtasks.exe 876 schtasks.exe 2044 schtasks.exe 1780 schtasks.exe 2852 schtasks.exe 2372 schtasks.exe 4972 schtasks.exe 1060 schtasks.exe 4364 schtasks.exe 3644 schtasks.exe 4324 schtasks.exe 1212 schtasks.exe 1036 schtasks.exe 2328 schtasks.exe 3392 schtasks.exe 4188 schtasks.exe 4860 schtasks.exe 1620 schtasks.exe 3896 schtasks.exe 400 schtasks.exe 2716 schtasks.exe 4756 schtasks.exe 1188 schtasks.exe 1028 schtasks.exe 2088 schtasks.exe 4508 schtasks.exe 2464 schtasks.exe 1448 schtasks.exe 3308 schtasks.exe 3628 schtasks.exe 3808 schtasks.exe 404 schtasks.exe 4660 schtasks.exe 1248 schtasks.exe 3668 schtasks.exe 3768 schtasks.exe 3816 schtasks.exe 3940 schtasks.exe 4076 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
MsHostsvc.exeWmiPrvSE.exepid process 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 1604 MsHostsvc.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe 64 WmiPrvSE.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
MsHostsvc.exeWmiPrvSE.exedescription pid process Token: SeDebugPrivilege 1604 MsHostsvc.exe Token: SeDebugPrivilege 64 WmiPrvSE.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exeíóòèïàõóé.exeWScript.execmd.exeMsHostsvc.exedescription pid process target process PID 2852 wrote to memory of 2492 2852 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe CrackLauncher.exe PID 2852 wrote to memory of 2492 2852 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe CrackLauncher.exe PID 2852 wrote to memory of 2492 2852 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe CrackLauncher.exe PID 2852 wrote to memory of 4148 2852 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe íóòèïàõóé.exe PID 2852 wrote to memory of 4148 2852 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe íóòèïàõóé.exe PID 2852 wrote to memory of 4148 2852 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe íóòèïàõóé.exe PID 4148 wrote to memory of 4508 4148 íóòèïàõóé.exe WScript.exe PID 4148 wrote to memory of 4508 4148 íóòèïàõóé.exe WScript.exe PID 4148 wrote to memory of 4508 4148 íóòèïàõóé.exe WScript.exe PID 4508 wrote to memory of 1064 4508 WScript.exe cmd.exe PID 4508 wrote to memory of 1064 4508 WScript.exe cmd.exe PID 4508 wrote to memory of 1064 4508 WScript.exe cmd.exe PID 1064 wrote to memory of 1604 1064 cmd.exe MsHostsvc.exe PID 1064 wrote to memory of 1604 1064 cmd.exe MsHostsvc.exe PID 1604 wrote to memory of 64 1604 MsHostsvc.exe WmiPrvSE.exe PID 1604 wrote to memory of 64 1604 MsHostsvc.exe WmiPrvSE.exe -
System policy modification 1 TTPs 6 IoCs
Processes:
MsHostsvc.exeWmiPrvSE.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe"C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"2⤵
- Executes dropped EXE
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1604 -
C:\Windows\ja-JP\WmiPrvSE.exe"C:\Windows\ja-JP\WmiPrvSE.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:64
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\TrustedInstaller.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\bridgeServercomponentFontDriver\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\bridgeServercomponentFontDriver\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\bridgeServercomponentFontDriver\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\bridgeServercomponentFontDriver\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\bridgeServercomponentFontDriver\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\bridgeServercomponentFontDriver\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\features\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\features\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\bcastdvr\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\CHT\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\CHT\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Music\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD578f38e4700f08a5a56a3bd422ba8fe9f
SHA125993fbf617830c23592ee0adff340c3f76dc641
SHA2560f207fe33eaa8a486a50938a7c4668f61762fbac383a9b5005af545dd18265af
SHA512d865387fe14d7bebd6a3bacc26a34af2e3d05d1521ddc839cdbcd00413b6147a15895f9f5b40b44055a416aa55030a28f068b6c80abc698ac2179d0f69bcecbb
-
Filesize
3.0MB
MD5d80301cde99009a601e22c0f9cb3433a
SHA1d82a05a75f31ec11ced2f6c5e0b945510dbfcd5a
SHA256334e48543f8c2d0203135f7820116b676467ae1c1a3d6eabd8b17f96308e5574
SHA51202b744e15834b654b1d4772d8f2ddc26ca773a9139d9d12fec12c2749e09e69c904014c8464762a7bd97aa8413971193a8c386bb2bfecc14fc8aabd78383888b
-
Filesize
50B
MD521b5523fa5a489444309d54f4f58ec98
SHA14b9f2c6c37e428a6c504d38bf404fbe7613b900c
SHA256f3816eaf5c2710018fea5d788601d9c31d0b21d4c25f44284da0d3641eda8dd5
SHA512ef25536cc3c27e22b2e6cb1834a8279ebb95c5a06d3c2ebab46ad2d0b88c6dc7a1f3c4069d16b747d4108b859bb3776575414e3aeefaca1cd768274b887b2738
-
Filesize
2.7MB
MD5a7a6c9f410573c8fbd408170eab6aa33
SHA199354c9e2c7fc978abd47e8d2ec1a403bcc5dfd6
SHA2569d5aaaf2551239a60ec1a383a3512be976cfaa866573e86687c59412ae167974
SHA512f3dbb349ed88f1d9b7c6d1e0ffc2fa12b3d2f68209eaf97ff8bf4344c5a87e39ba3588584df4b656acdcf1b1526415b0a06e921f405bc836792c9b55a794d6b5
-
Filesize
215B
MD5bd091f4d8a1df91d73b0c65a4ba02330
SHA1bef757dc154e1d4a0fc91f8ce1e4072c4c12d6df
SHA2567eeb92d6b5e2faca9ea5763051aac81b7851f4aefe76680ccb25a3aec7e05be2
SHA5120559ece912e8d3f061e615dd55ced1ddb75c743014b99f4589421c192a4aadf58c41c5b8d72cb96ac3b40f4326e7a7c5791691d557036fb3df2df8f78ff2a98c