Analysis
-
max time kernel
119s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04-10-2024 12:55
General
-
Target
412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
-
Size
4.9MB
-
MD5
6d28b82da857e5f86596ed8e27efb260
-
SHA1
05fb88ba2cf61b8d55fea21d273fa2f2cb6afa9a
-
SHA256
412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36f
-
SHA512
2cb1a0bef640341cf2cbda78430b18fd8218fd4f19a0801afb2a64223551902753a99892625be76a6d4aed34bb192408921206663d64b916e0298d5fa5572fdf
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 37 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Drops file in Program Files directory 41 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 12 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe"C:\Users\Admin\AppData\Local\Temp\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe"1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB103.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB103.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpB103.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB103.tmp.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe"C:\Users\Admin\AppData\Local\Temp\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L7XCWxQ1J0.bat"3⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe"C:\Users\Admin\AppData\Local\Temp\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe"6⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x2lq6Oz7Nh.bat"5⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f98b1bf-4fe5-458c-99d5-b26e8e8c73eb.vbs"7⤵
-
C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6e6d815-59b6-4941-b6c7-fbcd88fa35a3.vbs"9⤵
-
C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74a58f7c-8fe1-4987-bc76-6c767a1d5c33.vbs"11⤵
-
C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2b8a08d-7215-40f1-8894-735c1d3376dd.vbs"13⤵
-
C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\708014c0-d144-4bbd-b9c7-959418457bf4.vbs"15⤵
-
C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1bc03ce-1148-4765-9d4f-9df7640cd662.vbs"17⤵
-
C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cec915a3-042e-4d89-a518-d6bd5d270790.vbs"19⤵
-
C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d7708ad-b5de-423b-b883-e0391097c241.vbs"21⤵
-
C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"C:\Program Files\Crashpad\attachments\TrustedInstaller.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17189e86-82ec-4593-b096-cdb4d56bbd54.vbs"23⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4d688b9-db01-4072-8723-78173f6f0e3b.vbs"23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp7574.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7574.tmp.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp7574.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7574.tmp.exe"24⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\562f0445-a84d-4769-90ed-fe87c53fb01d.vbs"21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp4491.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4491.tmp.exe"21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp4491.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4491.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp4491.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4491.tmp.exe"23⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\122492d9-8180-4370-a231-30b0a6ad3760.vbs"19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp12A4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp12A4.tmp.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp12A4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp12A4.tmp.exe"20⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b670a0c-8d6d-4a8e-9eff-776846848410.vbs"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpE28B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE28B.tmp.exe"17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpE28B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE28B.tmp.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 31218⤵
- Program crash
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88982c90-40cf-4b0f-bc37-87dd242e0e42.vbs"15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB0FC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB0FC.tmp.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpB0FC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB0FC.tmp.exe"16⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a967497-b7d9-416a-a476-82ff559f8147.vbs"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp9536.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9536.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp9536.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9536.tmp.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cc0885c-8927-4116-90b3-f29b9f535cc5.vbs"11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2ab125-c9b2-4b28-a9b3-7f64a5e88e53.vbs"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp4716.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4716.tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp4716.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4716.tmp.exe"10⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2adf0025-798d-4ecc-bb06-21b8c4707b4b.vbs"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp2B12.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2B12.tmp.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2B12.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2B12.tmp.exe"8⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\powershell.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\WaaSMedicAgent.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\bcastdvr\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\tracing\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\TrustedInstaller.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN4" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN" /sc ONLOGON /tr "'C:\Users\Default\Application Data\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN4" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Registry.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Registry.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4316 -ip 43161⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD56d28b82da857e5f86596ed8e27efb260
SHA105fb88ba2cf61b8d55fea21d273fa2f2cb6afa9a
SHA256412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36f
SHA5122cb1a0bef640341cf2cbda78430b18fd8218fd4f19a0801afb2a64223551902753a99892625be76a6d4aed34bb192408921206663d64b916e0298d5fa5572fdf
-
Filesize
1KB
MD5bbb951a34b516b66451218a3ec3b0ae1
SHA17393835a2476ae655916e0a9687eeaba3ee876e9
SHA256eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA51263bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56c47b3f4e68eebd47e9332eebfd2dd4e
SHA167f0b143336d7db7b281ed3de5e877fa87261834
SHA2568c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA5120acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5ecceac16628651c18879d836acfcb062
SHA1420502b3e5220a01586c59504e94aa1ee11982c9
SHA25658238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
Filesize
944B
MD5e8ce785f8ccc6d202d56fefc59764945
SHA1ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA51266460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f
-
Filesize
944B
MD5a1008cfb29cdc25b4180c736ec404335
SHA139760fbcc8c1a64e856e98d61ce194d39b727438
SHA2560eb4209b0f8c0dce02580b4d3ec5692d33be08b1a61858aad0413116afc95558
SHA51200c2cde1601217c28fd71c2daefb21c7fcfeeee7e6badcd1b7f353f4e6df7817f5c4665148a1468b10ea31547642b999e3db5914d6e5f0cb1123243fd9ef213f
-
Filesize
944B
MD5e25058a5d8ac6b42d8c7c9883c598303
SHA1bd9e6194a36a959772fc020f905244900ffc3d57
SHA2569f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51
SHA5120146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5
-
Filesize
944B
MD53e242d3c4b39d344f66c494424020c61
SHA1194e596f33d54482e7880e91dc05e0d247a46399
SHA256f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e
SHA51227c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02
-
Filesize
944B
MD54165c906a376e655973cef247b5128f1
SHA1c6299b6ab8b2db841900de376e9c4d676d61131e
SHA256fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4
SHA51215783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a
-
Filesize
944B
MD5c4fee36040f3f2bd5ab8cf4ceb483d10
SHA17766b611607f908c4161c7a4dd8f9f1f31e7aa3b
SHA256b9bb27c86647601607b2568ccc541c36ffa769424eb6971898f231b1d7a9bf82
SHA51251a102819956a0bfc076a1f9287ddad1cd39fa365a8ef4ecc24ae426c5cda6969db1dd8b2362dd836976d6fc916e6283185591beac49b4b1b7f5788eae695237
-
Filesize
944B
MD5815f9e54d2e55a6cd87a044f75fdba0c
SHA19e2c91b5d015a2f96539227ed0a5d83cf26f6c08
SHA256ec7d07723ca9c032e3662c0a316318065854ed4dc54106a5214278cbd148e75f
SHA5129198d94b9d3ef35693881e3dc3e1c7f4b42d98f23a27f58cec67309628504de6940f0ac58bff1de2923b9d1b2dd11be82ea98bad9419d2e22f610df01c7401a3
-
Filesize
944B
MD5caae66b2d6030f85188e48e4ea3a9fa6
SHA1108425bd97144fa0f92ff7b2109fec293d14a461
SHA256a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d
SHA512189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15
-
Filesize
944B
MD548cc83090af5044d78cf2989a7d1bb25
SHA107ba570b04aebed6bff26cbc66fa5ac4d9f249eb
SHA256c4060076432eea989d904304add15c3ec175073a5250fe858808d3b0e70a38a9
SHA51285d732b6c4b316f53faa692dfdbb36359d158421a7a696d434d01535dca032bde8656bee09ffaabe6d457335acc6496a36effafc41caf9800eb3438891e6ab9d
-
Filesize
944B
MD5cc19bcff372d20459d3651ba8aef50e7
SHA13c6f1d4cdd647864fb97a16b1aefba67fcee11f7
SHA256366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9
SHA512a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080
-
Filesize
944B
MD5085e0a3b869f290afea5688a8ac4e7c5
SHA10fedef5057708908bcca9e7572be8f46cef4f3ca
SHA2561fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c
SHA512bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede
-
Filesize
944B
MD5624e41a75a6dfd62039973dbbfdbe622
SHA1f791e4cc85d6ae7039acef57a9025b173d7e963b
SHA256ced1b5ac330145fa608627ad4de1dfb3533375f19b6da3d02ad202d0b7732bc1
SHA512a13a128a5ea8aad3bcd5f3dbffa5fbfe7763370d8e43b546a1df1da3b0ec0d520cf5fcc8c25c22fd1e73ea1d00da1bee99305e028e71e193339e4fa8ce8f0b2d
-
Filesize
944B
MD5b801d886e417a9bf405b2f0092e04fe1
SHA1fa99fefa2f49af240141692f78c8c28f04205389
SHA25657b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636
SHA512b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff
-
Filesize
944B
MD5a9a7f35c006bbf5da72f9cb250ffbddb
SHA1458a8cedc38dac109631d9fccb3bf6d2c5c0e89e
SHA256a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b
SHA512d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131
-
Filesize
944B
MD56b0fc4d38b057a256ba5f058930f7b0f
SHA12cd26292fd836507748dacd1628e3d3cee48eaec
SHA256ece49381b0978ea846e0c9ddf2d5cd369f4b1d1ff79a8918b1b875a793786eec
SHA51293b2be33eff592b955750cd14161474c35bd99819afb776151b60d9f7302810565a865f7dc60ae7a92154a8d628650c8999b2c301a2536ae60047a39b55a553f
-
Filesize
944B
MD5575c67abdb0b2c72de0d9dd38b94d791
SHA127783f259ffd096b21c02c70cb999bf860183124
SHA256fdf985fb9c56b4462675c41f68555f8762dd7043b15750968208b88be87252bc
SHA51261b23a15b52cf51b525993e8cfc0b9fd41d1bb28501c96a35f776bfa738390783ad266c2d0383a53770f3662dd118a45114d92afee63b4673e88008a6559b774
-
Filesize
944B
MD5fdf15f7d08f3f7538ae67e5b3e5d23f4
SHA1953ff0529053ce3a1930b4f5abba2364a8befbfc
SHA2569f4964b9cf2c6d4915a8f2b9746dc5ff73d6f327c81370f92e0e7a611b28a707
SHA5124fee933635376d1467e0be63d12fa897f83cbbf9cdd1ac79cce30dfaa2621d47e137e991b701f1ed9910767904dbfb6b89db2a02ce32edc410c83351f351d7ed
-
Filesize
734B
MD5b5b06f234007bdb4e8277c8eeb9ce373
SHA15d98d0a20ff562552836b30a4920cc3bd7f7541a
SHA25676578a388beffb450a9bc586221bc4aabc3b25f03134343ae5fded26b445acab
SHA512ef9db0709842a734c21253fbb3214450bea06f5ce0fb5e176d8c2e4f4b163ce7d29e03cdd9eef55630b9defac415376883ce46b4cdcaa933337ac59883899483
-
Filesize
510B
MD58acc931ccf63dab5796d5ee2b784b9a6
SHA1ceeb22909a9000fcfa441ce671c165fc28369fb4
SHA25662674734a3072539db9edff74a91c77ab1f7c323bdba6d3a1d06fb33ae5e5a9e
SHA512d8c2a79950e380f971018587085cf418317aac88716702cbd4ddebbc665f4f16e310e1360875f45dfbc64455f2a3c36e97c1dc05ec6aebac04486ee400040b8b
-
Filesize
268B
MD57ac3da0cbf0058e27a682cf3f4c99290
SHA1d94e0cbe75dc3254933b487ae3b41ac95d18f460
SHA2560ea46bf724a9b0599b982fe2913be6c41d5bd938e1121dd30d84c889a438530c
SHA512fecfb7884798f53b29ebfcf6da2cd3e7f7a00721f4a94ce90ed50945522a88c0eac4017e5a6b63badc1b63f19113ba411307d57dfdac7bfdd2ab75ab3e837f8f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
734B
MD5406819c441a8c3f75e27458fd3290c0e
SHA1d27987d4bc213ce9e15bd730825e8017e540a874
SHA256287f7509e8ce8ca0e5315e6e98bcf9410814308fcd9a9a5cf0dc055cb9fc110b
SHA51234df333e7d97ac5d503155caa6549c219095ea21c823d741d4b2650a1c9e95ed3e03d461295cff1089f7f2c2c3320eb6f9954af33d11dffbd597134556d0a884
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
223B
MD50bf9b0e9774f4b0b58f6dfab15755f8b
SHA115bff6f979ea3ce2dd347b031325acb1c943402a
SHA2560e2ac03cf976095d515b6a6cf9bd731b3e32c90118b6c9475ec68d92e67f9bf0
SHA5126db3330335521aef94e792e390a880f554e9c210f5e53d6e42c61fc96c9d834f29fe5009d19b57e590dd2ee66246c747dfdb0b4f9456f40a7a3941971f90e12d
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
28KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
72KB