Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 09:06

Behavioral task: behavioral1
Sample: 3DEF0AE25D7785E4155D73639281C783.exe
Resource: win7-20240704-en
General

Target: 3DEF0AE25D7785E4155D73639281C783.exe
Size: 3.0MB
MD5: 3def0ae25d7785e4155d73639281c783
SHA1: 83e0bd5e952c0d8501f0bae856ad057d2d66f933
SHA256: 9c8937d1ffc2a8ce23cbaddaa9e8b046d1460fc684d05b609fec3514ab14c39c
SHA512: beac32faa42d72af9eb64977c2ed8aa30ec0d78a3319a758378a6c407a951919a9539b22b2595f91953b25109bd185e33798c09590c9fbbfee7618771ad1edf4
SSDEEP: 49152:Mj0QvSoTm+SLllhsAKVSPwAk6roAIJiUhykd8zKflQ5TpweOBw7bMoc52Sf0:MpacpSLllnKsPfxro1hh9ApQ+br0nf0
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (27 instances)
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4200 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3520 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2092 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2916 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4108 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1852 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1716 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 668 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1256 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 700 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5100 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3420 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3128 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1940 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3956 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 768 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1732 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3264 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4344 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4024 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4000 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 516 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2496 | 5048 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3752 | 5048 | schtasks.exe
UAC bypass
Processes: 3DEF0AE25D7785E4155D73639281C783.exe, OfficeClickToRun.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 3DEF0AE25D7785E4155D73639281C783.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3DEF0AE25D7785E4155D73639281C783.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 3DEF0AE25D7785E4155D73639281C783.exe

Processes:
resource | yara_rule
behavioral2/memory/3832-1-0x0000000000470000-0x0000000000776000-memory.dmp | dcrat
C:\Program Files\Java\jre-1.8\SearchApp.exe | dcrat
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: OfficeClickToRun.exe, 3DEF0AE25D7785E4155D73639281C783.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | OfficeClickToRun.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 3DEF0AE25D7785E4155D73639281C783.exe
Executes dropped EXE 1 IoCs
Processes: OfficeClickToRun.exe
pid | process
2988 | OfficeClickToRun.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled
Processes: 3DEF0AE25D7785E4155D73639281C783.exe, OfficeClickToRun.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3DEF0AE25D7785E4155D73639281C783.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3DEF0AE25D7785E4155D73639281C783.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | OfficeClickToRun.exe
Drops file in Program Files directory 10 IoCs
Processes: 3DEF0AE25D7785E4155D73639281C783.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft.NET\sysmon.exe | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Program Files\Java\jdk-1.8\backgroundTaskHost.exe | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Program Files (x86)\Windows Defender\uk-UA\OfficeClickToRun.exe | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Program Files\Java\jre-1.8\38384e6a620884 | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Program Files (x86)\Windows Defender\uk-UA\e6c9b481da804f | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\55b276f4edf653 | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Program Files (x86)\Microsoft.NET\121e5b5079f7c0 | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Program Files\Java\jdk-1.8\eddb19405b7ce1 | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Program Files\Java\jre-1.8\SearchApp.exe | 3DEF0AE25D7785E4155D73639281C783.exe
Drops file in Windows directory 6 IoCs
Processes: 3DEF0AE25D7785E4155D73639281C783.exe
description | ioc | process
File created | C:\Windows\Containers\e6c9b481da804f | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Windows\Fonts\RuntimeBroker.exe | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Windows\Fonts\9e8d7a4ca61bd9 | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Windows\Logs\NetSetup\sysmon.exe | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Windows\Logs\NetSetup\121e5b5079f7c0 | 3DEF0AE25D7785E4155D73639281C783.exe
File created | C:\Windows\Containers\OfficeClickToRun.exe | 3DEF0AE25D7785E4155D73639281C783.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 1 IoCs
Processes: OfficeClickToRun.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | OfficeClickToRun.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (27 instances)
pid | process
4200 | schtasks.exe
1256 | schtasks.exe
768 | schtasks.exe
2404 | schtasks.exe
5100 | schtasks.exe
516 | schtasks.exe
3752 | schtasks.exe
2428 | schtasks.exe
4108 | schtasks.exe
3264 | schtasks.exe
4000 | schtasks.exe
2092 | schtasks.exe
2916 | schtasks.exe
1852 | schtasks.exe
1732 | schtasks.exe
1716 | schtasks.exe
4344 | schtasks.exe
2424 | schtasks.exe
700 | schtasks.exe
1940 | schtasks.exe
3520 | schtasks.exe
4024 | schtasks.exe
668 | schtasks.exe
3420 | schtasks.exe
3128 | schtasks.exe
3956 | schtasks.exe
2496 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 3DEF0AE25D7785E4155D73639281C783.exe, OfficeClickToRun.exe
pid | process
3832 | 3DEF0AE25D7785E4155D73639281C783.exe (5 identical rows)
2988 | OfficeClickToRun.exe (59 identical rows)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: OfficeClickToRun.exe
pid | process
2988 | OfficeClickToRun.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: 3DEF0AE25D7785E4155D73639281C783.exe, OfficeClickToRun.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3832 | 3DEF0AE25D7785E4155D73639281C783.exe
Token: SeDebugPrivilege | 2988 | OfficeClickToRun.exe
Token: SeBackupPrivilege | 780 | vssvc.exe
Token: SeRestorePrivilege | 780 | vssvc.exe
Token: SeAuditPrivilege | 780 | vssvc.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 3DEF0AE25D7785E4155D73639281C783.exe, OfficeClickToRun.exe
description | pid | process | target process
PID 3832 wrote to memory of 2988 | 3832 | 3DEF0AE25D7785E4155D73639281C783.exe | OfficeClickToRun.exe
PID 3832 wrote to memory of 2988 | 3832 | 3DEF0AE25D7785E4155D73639281C783.exe | OfficeClickToRun.exe
PID 2988 wrote to memory of 1236 | 2988 | OfficeClickToRun.exe | WScript.exe
PID 2988 wrote to memory of 1236 | 2988 | OfficeClickToRun.exe | WScript.exe
PID 2988 wrote to memory of 2024 | 2988 | OfficeClickToRun.exe | WScript.exe
PID 2988 wrote to memory of 2024 | 2988 | OfficeClickToRun.exe | WScript.exe
System policy modification 1 TTPs 6 IoCs
Processes: OfficeClickToRun.exe, 3DEF0AE25D7785E4155D73639281C783.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3DEF0AE25D7785E4155D73639281C783.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 3DEF0AE25D7785E4155D73639281C783.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 3DEF0AE25D7785E4155D73639281C783.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\3DEF0AE25D7785E4155D73639281C783.exe (PID 3832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3DEF0AE25D7785E4155D73639281C783.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\Containers\OfficeClickToRun.exe (PID 2988)
    Command line: "C:\Windows\Containers\OfficeClickToRun.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\System32\WScript.exe (PID 1236)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce77732b-ebd4-4d73-ae70-362f59c42b35.vbs"
    C:\Windows\System32\WScript.exe (PID 2024)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df5c5cd3-a3e6-4317-be4a-e8be294c40a8.vbs"

C:\Windows\system32\schtasks.exe (PID 2404)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2428)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4200)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3520)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2092)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2916)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk-1.8\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4108)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1852)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2424)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1716)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\NetSetup\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 668)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Logs\NetSetup\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1256)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\NetSetup\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 700)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre-1.8\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 5100)
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3420)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3128)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1940)
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3956)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 768)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1732)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3264)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4344)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4024)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4000)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 516)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Containers\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2496)
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Containers\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3752)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Containers\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\vssvc.exe (PID 780)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe (PID 1716)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Scheduled Task/Job 1
    Scheduled Task 1
Downloads

Filesize: 3.0MB
MD5: 3def0ae25d7785e4155d73639281c783
SHA1: 83e0bd5e952c0d8501f0bae856ad057d2d66f933
SHA256: 9c8937d1ffc2a8ce23cbaddaa9e8b046d1460fc684d05b609fec3514ab14c39c
SHA512: beac32faa42d72af9eb64977c2ed8aa30ec0d78a3319a758378a6c407a951919a9539b22b2595f91953b25109bd185e33798c09590c9fbbfee7618771ad1edf4

Filesize: 718B
MD5: ce16bced6c0725cb2447ba3d40105a23
SHA1: 6985bc804836b9a0815ce3deea8ea99764d69499
SHA256: 0002148d62ab50246952101552c547ae9f55f49f433b1a7c9b17707afbb8c744
SHA512: 5d25827cafdd0c09ffd04ff7a2e92b154cbad192bf0538306183efd861c076362f6852866e4107ab9fd7088957658889a015f0b1b58b6df74000a62a50f2a984

Filesize: 494B
MD5: cf0d1fa108230f5efc5fd6caaa12b5d9
SHA1: b3adb87aaceab1c809b097ae84b14fce46ea68ac
SHA256: f443d8d3f68ec6a948e6bdc492ec2cc089d96c06557ee27560d2f12dcf0827ac
SHA512: 17e4f2f13d3afb44b644a01c01b2c3be817c7bea89fc305c63a4a9d00763130afaa311a37e576556423dcb3d6df2fd885ee20d7c8af74cf8b3326f02247fb5e6