Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-10-2024 02:49
General
-
Target
7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe
-
Size
4.9MB
-
MD5
2b748156c46b12dda0fe68199c2853f0
-
SHA1
11dc51c0fa65751c1a4747055700c6b54a91e845
-
SHA256
7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1a
-
SHA512
ab8a8c46da9e12024d0d4d5582fb2dc8af12e70db6f1a4c7e33ce34ed988efacac06e93a1ad05d12175eb2d450b71b4c2fa5363fa26e3099c9017a852b902fc5
-
SSDEEP
49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 37 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 11 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe"C:\Users\Admin\AppData\Local\Temp\7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmp9F6F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9F6F.tmp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp9F6F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9F6F.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp9F6F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9F6F.tmp.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9ed7852-0d88-4193-a098-e74d4e8408b3.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4be6219-7e56-49a1-8834-1c5c712053c9.vbs"5⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\991e2ae5-bc48-444e-9dc0-8e50355c4bb3.vbs"7⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6ec1477-2ffa-4d66-bd73-e5f6fbf4eb31.vbs"9⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\164a123c-7aa7-479e-8ab7-cf11dd8a1fdf.vbs"11⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ee1e3b-8bc8-42dc-bc0d-e14bac0a1b58.vbs"13⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64f1f48a-d226-47bf-8603-c0d6472a68e7.vbs"15⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b60d511-9236-4125-87d8-8d785abd2d54.vbs"17⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5164030-cc93-4b61-aab0-78b522b346e9.vbs"19⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46470343-315e-4723-857a-f02ae48ad5c7.vbs"21⤵
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e0494cc-0764-4a34-b111-e9953c51b5d9.vbs"23⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ba4b016-f4ed-482d-9fbe-7ab82b9f7047.vbs"23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp527B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp527B.tmp.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp527B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp527B.tmp.exe"24⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67b22f1a-27b4-4662-8088-6fbfb1af4319.vbs"21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp2438.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2438.tmp.exe"21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2438.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2438.tmp.exe"22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2438.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2438.tmp.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2438.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2438.tmp.exe"24⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e28eed04-aebf-43c5-8057-588a49d03c62.vbs"19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp97C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp97C.tmp.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp97C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp97C.tmp.exe"20⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2229eaf2-dd2c-43f9-87a8-71e674d2d085.vbs"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"19⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\778c954e-ffa1-4987-ad50-b8782706d305.vbs"15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpBD31.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBD31.tmp.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpBD31.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBD31.tmp.exe"16⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aec7b0ba-d6b1-40a0-90ee-520f0c20ef99.vbs"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp8CF9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8CF9.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp8CF9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8CF9.tmp.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce5a2c7f-f705-4f21-8d5d-54f7d449c0cd.vbs"11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe"12⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02d2c619-66ba-460d-9238-bee7fe3355ea.vbs"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe"10⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5668203e-cb33-443b-8fda-69fd025541d5.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2d9a6af-a077-4439-b049-29e3eec19dd3.vbs"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpE3A9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE3A9.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpE3A9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE3A9.tmp.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b173d1c-94a0-4551-b59e-6f2a93ca977a.vbs"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN7" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN7" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\NetHood\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD52b748156c46b12dda0fe68199c2853f0
SHA111dc51c0fa65751c1a4747055700c6b54a91e845
SHA2567400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1a
SHA512ab8a8c46da9e12024d0d4d5582fb2dc8af12e70db6f1a4c7e33ce34ed988efacac06e93a1ad05d12175eb2d450b71b4c2fa5363fa26e3099c9017a852b902fc5
-
Filesize
4.9MB
MD58eff90bf357bb09ea717ef045f87f566
SHA1cef3d6ff3204ae97b85a3077db03640612df4393
SHA2562d776528299ab2af55f286bd85a00b9227a2d5b82151c8392bedb1b04be0fba5
SHA512126eb64a8e5635468e9ca8a770c1d6cd26a755e30cdbc3a8476ec6ab29741b84bc86cc4ce531e08800ea598e138d3f99d038773b63d4b18c0335329d46d0bd3a
-
Filesize
4.9MB
MD5ca4df14b1af7917a515a7aef648f6797
SHA187676354f8f5a0fc6cfb65bfc97bc8a06b416e99
SHA2560daa360a7376b2ad2e0011c3f2a6ff071a46e088b2805176d2e86bfed552f5db
SHA51262d680ced42fb07dedbed140500f2b340774d1cf5fed3f5fc6f6bed9f097525dbf9470120620ed284015e6940606031d566b7843e1a326f5ac88b794bff369fe
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5a43e653ffb5ab07940f4bdd9cc8fade4
SHA1af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA51262a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b
-
Filesize
944B
MD505626d543357a7b9aab66738323d7ac6
SHA18a0366530637b0f977af59dde44fae4df8906f0f
SHA256352265151df8fcc298bbbde14c4ddff51683a9a43416ce1987511ee7a27fa433
SHA51211222b457bce9d25eca8b7f4768c5706ad117960d122bf049f94158725187fbaea86f38b3910402043f5a565dcc5faca535366880c0bd92f58a799931a32401d
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5815f9e54d2e55a6cd87a044f75fdba0c
SHA19e2c91b5d015a2f96539227ed0a5d83cf26f6c08
SHA256ec7d07723ca9c032e3662c0a316318065854ed4dc54106a5214278cbd148e75f
SHA5129198d94b9d3ef35693881e3dc3e1c7f4b42d98f23a27f58cec67309628504de6940f0ac58bff1de2923b9d1b2dd11be82ea98bad9419d2e22f610df01c7401a3
-
Filesize
748B
MD5a38e5626f46d38625ff51978b0c4d262
SHA13bd22a6892056fac24e738021a27cda2e3052b3b
SHA2562eacc854c6a56c227a40400fb049d89ed7fb849b8a232f233b6019a33824ae99
SHA5120cf9de9fde668610d0ada3c5e94807a08cb02e4da241d8e6d761685903704dbfd2d68bf54b63d2151a315d668acbf846e70bb94432af82342b17eafabf575cdf
-
Filesize
525B
MD5f1fd22a23bd3a5f1b53d4d5cfcea7049
SHA183377b7674ae5ca6cf590a7d16de9ebf2d795c22
SHA256a567f36b5c60e6cf665e3dbe2d671f0a0370b04407293dd17d55b0c398cfe21f
SHA512bade073b84c57bae7d03e89706a7becde1a19f4d3ccd9c445e2cdfdf99087c6173639b4c73985679c48aa2767de3b747065fa03ed733f52fefaef26fb0029554
-
Filesize
749B
MD5498da83a6303b10d88bcc5e2e52c96ec
SHA1cbf278df9e85caf6f02e35faabfe3bbd1b8e8b11
SHA256d18b0ba7b606b449b43dacaba188806ff00b51fd95c1537ffca5ba84763606bd
SHA512cd02f0447d5082c4d21aaffaac92ca5da6e9a35d42f657eb13d0ea0774d722b9f3ea9d6262fff7977aabbea1d06b6072afdefb5dccb66ca1820e7c5147c78488
-
Filesize
749B
MD53d3039cdcbe17bfe37da87be56cdbb72
SHA1def43f0b4944417979191d33195b5d05f155d88a
SHA256b44ce28176bc082191ec438a290f95d169e0ffe7673dbbe9cc22522d4b10bad7
SHA51246d633c7a4cbcef88665c007a9e1d1ce13836627da327858737dfb1b6b5148a068f57088ef38f9537914ea573082686763012331cfd674c5f6893e74597b2001
-
Filesize
749B
MD571bdddb8973341fa396b7c044e945883
SHA11775755d2ac9eb5bbe825843b57586540959cbc0
SHA256626a599100d73caba1e0356faa101c805ca3e96d0907f21390a91bc2912a5df9
SHA5128b8bd519eb6c530dcf93a85e78b00a82a51430599338f619b89383ff730928d139c2e9eba708d1f48e3fe5b63e654dbf7c47959dfb651d8c0929cb1f85ca96c8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
749B
MD5194aa5b435053484e7d0e5a341339db4
SHA1e1e84231f1bd0d0ed6eedf4745a20e6077dd9099
SHA2568f9a0f7855634587809a91d8e91d5014c3ea3047d79521d0eb4c10ef8db07fef
SHA512403b8809a18d142cd23c99329ad7bb0dc63e75bbcfb9fcc63bddf17f80714d9f460b5e8a89bd1d6110de1727ca8e0456c5d41014c2b52fc80ad965047a3fff49
-
Filesize
749B
MD586f4cf202ec49ab5409ae3160d6b4415
SHA15d2968e5803584318dddf359a2d9eb51cf8d60ef
SHA2565ebf8ee2f03601c7ff70d5aa686be85ecd26bc4c48b88141ad1ffdb0659dbdec
SHA512539ceaf5cb73b577333c9ecc7aa0bc7077e3abdb1c63b2b0c518efd7d7e9cb94e51cf535b6324edb35d899786c223d12956bcd4c41b9a4da63dadc04e7d6563c
-
Filesize
749B
MD51b051c9f1ad638bdc68c3a66ed66712e
SHA11ddc23115f872a4e30777f8692e8c79ae1d424c1
SHA256c77f52b9a93a5f9e013f0015c8d133505bc73e3fd7080cefeca401b44d669b9e
SHA512857bb0239be0ed39f8c212bb3e46197b89bfc7b0de193c026f1c502af78dad3b0eef340ee489b61743f97206e434aa1bd6e56a777f715055e84fcc022efea42f
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
5.0MB
-
Filesize
56KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
28KB