Analysis
- max time kernel: 34s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-07-2024 22:43
Behavioral task: behavioral1
- Sample: ROBLOXFARMER.exe
- Resource: win10-20240404-en
General
- Target: ROBLOXFARMER.exe
- Size: 1.9MB
- MD5: 0cdc894447aa85d4b2c744c6825a2e0e
- SHA1: a4fcb12fcfaa38c8656964749962c9cdc2b9d82d
- SHA256: d89a9ab35a2173a4ec62cc98d54e2ffbff2f0d985386f98a8e11c5dc905bcb83
- SHA512: b8be16d455166089c7463ea876bfc293cbb851a86bb0846427c0ad1e70e1e978531031e04064c1287d1aafebf01da32b605d6039ef1f33dc4a48a49ddca7dedd
- SSDEEP: 24576:u2G/nvxW3WieCgbyFbFdG74xU/FmYd3y7uQyBOueO9SEU5/UpdnrZ4Ef2w18:ubA3jgCgW+jxy79uz9SEWBCC
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (42 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3580 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3128 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3752 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3032 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1604 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 936 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4364 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4504 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1344 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4556 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 324 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1636 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2288 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4680 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1460 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3856 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4864 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3692 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3244 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 232 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1428 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1316 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4668 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1240 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1256 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4392 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4956 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 920 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4400 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 812 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4832 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4328 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1140 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4128 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3372 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1372 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2384 | 2060 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 820 | 2060 | schtasks.exe |
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Processes:
resource | yara_rule
C:\DriverintoPerfMonitor\driverdll.exe | dcrat
behavioral2/memory/2176-12-0x0000000000640000-0x00000000007E0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
3352 | powershell.exe
780 | powershell.exe
3008 | powershell.exe
3456 | powershell.exe
2172 | powershell.exe
2804 | powershell.exe
668 | powershell.exe
3488 | powershell.exe
2132 | powershell.exe
2600 | powershell.exe
2476 | powershell.exe
2828 | powershell.exe
Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely as a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | ROBLOXFARMER.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | driverdll.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
2176 | driverdll.exe
1656 | backgroundTaskHost.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | driverdll.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Drops file in Program Files directory (9 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\Internet Explorer\uk-UA\sihost.exe | driverdll.exe
File created | C:\Program Files\Internet Explorer\uk-UA\66fc9ff0ee96c2 | driverdll.exe
File created | C:\Program Files\ModifiableWindowsApps\lsass.exe | driverdll.exe
File created | C:\Program Files (x86)\Windows Media Player\uk-UA\dllhost.exe | driverdll.exe
File created | C:\Program Files\Common Files\System\es-ES\conhost.exe | driverdll.exe
File created | C:\Program Files\Common Files\System\es-ES\088424020bedd6 | driverdll.exe
File created | C:\Program Files (x86)\Windows Media Player\uk-UA\5940a34987c991 | driverdll.exe
File created | C:\Program Files (x86)\WindowsPowerShell\sysmon.exe | driverdll.exe
File created | C:\Program Files (x86)\WindowsPowerShell\121e5b5079f7c0 | driverdll.exe
Drops file in Windows directory (9 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Containers\serviced\6203df4a6bafc7 | driverdll.exe
File created | C:\Windows\PrintDialog\sppsvc.exe | driverdll.exe
File created | C:\Windows\apppatch\CustomSDB\sihost.exe | driverdll.exe
File created | C:\Windows\apppatch\CustomSDB\66fc9ff0ee96c2 | driverdll.exe
File created | C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe | driverdll.exe
File opened for modification | C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe | driverdll.exe
File created | C:\Windows\SKB\LanguageModels\eddb19405b7ce1 | driverdll.exe
File created | C:\Windows\Containers\serviced\lsass.exe | driverdll.exe
File created | C:\Windows\PrintDialog\0a1fd5f707cd16 | driverdll.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | ROBLOXFARMER.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | driverdll.exe
Modifies registry key (1 TTPs, 1 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTPs, 42 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4504 | schtasks.exe
3580 | schtasks.exe
936 | schtasks.exe
1428 | schtasks.exe
2516 | schtasks.exe
920 | schtasks.exe
1140 | schtasks.exe
4128 | schtasks.exe
4364 | schtasks.exe
324 | schtasks.exe
3856 | schtasks.exe
3244 | schtasks.exe
232 | schtasks.exe
1256 | schtasks.exe
4832 | schtasks.exe
1604 | schtasks.exe
1344 | schtasks.exe
1240 | schtasks.exe
1668 | schtasks.exe
4392 | schtasks.exe
4556 | schtasks.exe
1636 | schtasks.exe
1460 | schtasks.exe
1316 | schtasks.exe
3128 | schtasks.exe
3752 | schtasks.exe
4328 | schtasks.exe
3372 | schtasks.exe
4680 | schtasks.exe
4400 | schtasks.exe
3692 | schtasks.exe
4668 | schtasks.exe
3048 | schtasks.exe
1372 | schtasks.exe
2384 | schtasks.exe
1092 | schtasks.exe
4864 | schtasks.exe
4956 | schtasks.exe
812 | schtasks.exe
820 | schtasks.exe
3032 | schtasks.exe
2288 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated entries for the same pid collapsed into a count):
pid | process | entries
2176 | driverdll.exe | 17
2600 | powershell.exe | 3
3488 | powershell.exe | 3
2828 | powershell.exe | 3
2476 | powershell.exe | 3
3456 | powershell.exe | 3
3352 | powershell.exe | 3
780 | powershell.exe | 3
2804 | powershell.exe | 3
3008 | powershell.exe | 3
2132 | powershell.exe | 3
2172 | powershell.exe | 3
668 | powershell.exe | 3
1656 | backgroundTaskHost.exe | 11
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2176 | driverdll.exe
Token: SeDebugPrivilege | 2600 | powershell.exe
Token: SeDebugPrivilege | 2828 | powershell.exe
Token: SeDebugPrivilege | 3488 | powershell.exe
Token: SeDebugPrivilege | 2476 | powershell.exe
Token: SeDebugPrivilege | 3456 | powershell.exe
Token: SeDebugPrivilege | 3352 | powershell.exe
Token: SeDebugPrivilege | 780 | powershell.exe
Token: SeDebugPrivilege | 2804 | powershell.exe
Token: SeDebugPrivilege | 3008 | powershell.exe
Token: SeDebugPrivilege | 2132 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 668 | powershell.exe
Token: SeDebugPrivilege | 1656 | backgroundTaskHost.exe
Suspicious use of WriteProcessMemory (41 IoCs)
Processes (repeated entries for the same pid/target pair collapsed into a count):
description | pid | process | target process | entries
PID 1672 wrote to memory of 3068 | 1672 | ROBLOXFARMER.exe | WScript.exe | 3
PID 3068 wrote to memory of 4468 | 3068 | WScript.exe | cmd.exe | 3
PID 4468 wrote to memory of 2176 | 4468 | cmd.exe | driverdll.exe | 2
PID 2176 wrote to memory of 668 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 2804 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 2828 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 2476 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 2172 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 2600 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 2132 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 3488 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 3456 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 3008 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 780 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 3352 | 2176 | driverdll.exe | powershell.exe | 2
PID 2176 wrote to memory of 4940 | 2176 | driverdll.exe | cmd.exe | 2
PID 4468 wrote to memory of 2244 | 4468 | cmd.exe | reg.exe | 3
PID 4940 wrote to memory of 3088 | 4940 | cmd.exe | w32tm.exe | 2
PID 4940 wrote to memory of 1656 | 4940 | cmd.exe | backgroundTaskHost.exe | 2
System policy modification (1 TTPs, 6 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | driverdll.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by tree depth; each entry lists the image path, the command line, the signatures hit and the PID)
C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1672
  C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\DriverintoPerfMonitor\rBZTKR2mYRfNEbvt9Nbq33ykB0q3.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3068
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\DriverintoPerfMonitor\7tBtpkweNP1.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4468
      C:\DriverintoPerfMonitor\driverdll.exe (depth 4)
        Command line: "C:\DriverintoPerfMonitor\driverdll.exe"
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2176
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 668
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2804
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2828
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverintoPerfMonitor/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2476
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2172
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2600
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2132
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3488
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3456
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3008
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 780
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3352
        C:\Windows\System32\cmd.exe (depth 5)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tHfWPh1qyB.bat"
          - Suspicious use of WriteProcessMemory
          PID: 4940
          C:\Windows\system32\w32tm.exe (depth 6)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 3088
          C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe (depth 6)
            Command line: "C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe"
            - UAC bypass
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification
            PID: 1656
      C:\Windows\SysWOW64\reg.exe (depth 4)
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
        PID: 2244
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\serviced\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\DriverintoPerfMonitor\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\DriverintoPerfMonitor\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PrintDialog\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\DriverintoPerfMonitor\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\DriverintoPerfMonitor\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\CustomSDB\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\apppatch\CustomSDB\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\apppatch\CustomSDB\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\es-ES\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\es-ES\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
Filesize
152B
MD5
e6cdcd7d35111e728abce425b094d0c3
SHA1
6aafefc2fc9aac870765642ce3e0c6baaf973a87
SHA256
0adb99738e12fc866bee55a4ad3aa614fe819fface03af273743e377c41899a5
SHA512
5d4b93d3aed63d68281406568344c76478a2a98e65c94c1eb7acd3b51715d458651c9c7fc70908c56c90a45e2d0480f78d621ac494655d00bbcae7c63fe8fd7c
-
Filesize
1.6MB
MD5
0bdab38cf92a980d9682c00c384690fb
SHA1
fb9b9bed33eef416f594a9afee0721315295b12d
SHA256
e1d82f52161a36132915a860388b430bb8a1a129140ec03c3cab417593706032
SHA512
3a793187a4ae93b2a10102893e5095d3a8b48acd33e802c35974aa68a10758db6057a2e623d35c3d9cc07f0c1ff1a72c0bc24b399d5dcb7d496f49db7de69790
-
Filesize
209B
MD5
529296e248ff3230c9b1ced537b7bf5d
SHA1
e5d534cb4125e530f4428b24483ec970e3d7f563
SHA256
53fdb76d26b6e3e3d9e6438bf42e21f96564cbb316b3addd781e6fd628199779
SHA512
7a197e20c4af21cfae6b0f628afa2be7d4a9b1acb19d1dab8bc5198f2b514ed5dcbdc54ce8d013a538f1d00c21f9fce93293aebab51fd256dd1ed507824437a7
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5
62623d22bd9e037191765d5083ce16a3
SHA1
4a07da6872672f715a4780513d95ed8ddeefd259
SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5
e243a38635ff9a06c87c2a61a2200656
SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
944B
MD5
cadef9abd087803c630df65264a6c81c
SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5
2e907f77659a6601fcc408274894da2e
SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5
5f0ddc7f3691c81ee14d17b419ba220d
SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
217B
MD5
32757917fff5707317d21a0b3814cccb
SHA1
d6b1eec5200c2fdb7e12fff2bb4cd27222a33089
SHA256
fad18e5f105453e8e50124ada5030785148df27fa6d1b9b55ba1d710715c2b29
SHA512
a3793b7443944da6649ff21cb6615e056982fee2eea402eb4d88fe7a2f09bba8c5c387aa937d5229dd65fd36767f2c1b215fe09f6b6829b43dfeb9a77bb8093d