Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27/10/2024, 02:12
General
-
Target
272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe
-
Size
1.4MB
-
MD5
77fffee187fabb45ffc7219d421ea83f
-
SHA1
3f21e5a79d674131678ac5de8eaf30bbfcbb177c
-
SHA256
272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26
-
SHA512
3c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f
-
SSDEEP
24576:KufUOExyABqHwzAsZg7ySXHzf9gUQ4zWp2Wn7b5kXxK:K3zBqATEzf9gUQPn7b5kXx
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 9 IoCs
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 51 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 18 IoCs
-
Checks whether UAC is enabled 1 TTPs 34 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 17 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 51 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe"C:\Users\Admin\AppData\Local\Temp\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bVDEVcmN0E.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe"C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9be196b6-8b36-4f30-b290-2b24f2a9b3c3.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33bb359c-0c42-4a9b-88eb-ab5db1c1bfeb.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a185c625-fec3-4ac2-a869-c5f762809ca6.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eea509ec-c5d0-4b01-a761-0bbcb3853246.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db0bf3c6-67ed-4056-979e-863d64001583.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c915eaf-d3b3-4dcd-8b19-31d9e9c62687.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16ce91ad-b0f0-4858-9a84-c7b36f4acb22.vbs"16⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8dff233-54f3-4268-9918-b3d3af55b61e.vbs"18⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd83b9b3-ec3f-45cc-bac9-6238e9a70729.vbs"20⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ee9c904-0703-4330-8350-47d8f88e8d07.vbs"22⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2e034c7-94b1-430f-815e-c3536ffdb416.vbs"24⤵
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3f7f52f-8fd9-4fca-a27e-c81c534d9a22.vbs"26⤵
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b94b43a5-07c6-4507-a82d-8ba54e271b64.vbs"28⤵
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23d3c3ee-eaaa-4a95-816b-3f487a291280.vbs"30⤵
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06b912ef-896f-40da-bb2a-55ef6320a650.vbs"32⤵
-
C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exeC:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe33⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c02a212-6c65-4883-b8c1-738c7536b515.vbs"34⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a684eaa8-388c-4c64-8a1b-eeb93cb91b80.vbs"34⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\127853ed-496f-4c00-aab1-eb74ae36b7a8.vbs"32⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd5db2af-17a2-48ff-aa83-c4d83165c2be.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec486f70-cd6f-486c-8805-bc03ec1fa5e5.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2c089f5-ff05-49a5-98f6-8cfc9c64b5d0.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c2d9325-6171-4464-a0ce-b1bb82988276.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e035402-8b62-457b-aed2-ee03e19424c1.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9072a01b-62e5-4160-bf7f-59c795ba5fd1.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e96db7f6-cfd9-4369-b2e0-1b162864fbea.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\850f9be9-73b8-4681-b3c1-dd8215ca9b68.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8025d0a5-b792-4a08-9813-77c353ddeb18.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50138985-2ac3-4b5e-9b1b-fe3a90753708.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c24bea70-9fd3-4dff-89ff-50b5f0c45069.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d5008da-2f15-400f-8891-12eccbcc26d3.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36cd0636-cdf6-425a-8cff-6af297cfdbcf.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85a64c8d-8068-41d3-842d-378f3b5c9f38.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\MusNotification.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e262" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26" /sc ONLOGON /tr "'C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e262" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD577fffee187fabb45ffc7219d421ea83f
SHA13f21e5a79d674131678ac5de8eaf30bbfcbb177c
SHA256272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26
SHA5123c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f
-
Filesize
1KB
MD5655010c15ea0ca05a6e5ddcd84986b98
SHA1120bf7e516aeed462c07625fbfcdab5124ad05d3
SHA2562b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
SHA512e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437
-
Filesize
763B
MD58ef1ce2d6ceea8e196c78c74c809a8ea
SHA11d3cd30bd2f6bf3b2aafc2e11b89c46035ffe9e6
SHA256952595debfaa1567c8d4d98a2347ed7657ec89eae4d3febaa0650563865482b6
SHA5120f9c18755cbcd4f319960a39cd29073c3e1319f732e9d4d92c6ea009df5c1da1ad0203609bd63fdcc5e98615801b4aaab46f3e2cce2ef957f1e64f71889f0be5
-
Filesize
763B
MD55add619c10a3f98151d9bd2f507ab409
SHA15f766d06259d552a569212128b91fefaaa52f85e
SHA256e76e10bbb4a939237c8c0f3b76ba5493c564ee9febb1413abdc722ba5371b6b0
SHA512705dd49c619e08c158c0416aefc4798b642539803ee8671db080f9ec3d9fbc2605ff027a1ac886a4e012b44295f9c6b45d6c45ff7b3a1ea0145e07fdeb4c5d98
-
Filesize
763B
MD50e0d210b25dc23ef630e4647982d4cbc
SHA1f67b56ef7e123868ad5ad41b4c32f5646ef6386d
SHA25667eca09835648d65ade3c07a9f889e453e739ce389191c0640e89ccb29542b16
SHA512e90e302fbcecee6df2b459e5f6faec918f0d15875154eee69e8e08596b84f3a1d3fcb38be8d8b95230cc0a16a68c28a0bd13fb862070b9c8e039b9b0613fbcd0
-
Filesize
763B
MD534c65a0ab2a185007ba5f6dac4433f27
SHA1b99d9df473ec2c3bbcf30f12fa40c6a805fc2659
SHA256782a626110731f44e6ac39583df488fd16413e82a7f74651858c291737322d1a
SHA512cc0ac1e0935a77c2451806343a5f06ddd438995e681c5ea260a2a872064805d6859d845bfa8448b6975dfd905e6e699c7aa52784f98034ef8453358d0cfc7c67
-
Filesize
763B
MD530a3d901c9c821c57c98435c1e40def8
SHA18e0ddfb4fa2749b39b68fe3dc46095d6d59f6566
SHA25609cee4df8802647851b57551f799dd32ff995b9fb04bd42ff6ab0d4548fbeeb5
SHA512aba5089873dddfbbc0b56006e02cc8e7c44f6595a9721c3961d22a57578a07f000bfe9b11fb0117472fd1a02c2688a1084bb714ab350e0e26d806ebfbc9cd1f9
-
Filesize
763B
MD5051e1c6f9061fe18ee5da9814d6c91eb
SHA18f79eab9a95fb4289ac22196964fe76f83b1e223
SHA256fc19cee77f68873e8c87c47107a2c5e87a5e64907c9a145267317aff072247ef
SHA512f8794f9558ae6d8ff4e704da2e4f6fc53b9287567dc9968064344632cebf65b967a854b109fb7fd7e893544ae379430086e6bdeea734e0c8dc6774118d7747b1
-
Filesize
763B
MD5a9235416398a4dbc5cbfa9af9a522053
SHA156342a2c427e3b72dce658359ce82aeacbdd4634
SHA256fa1fcc1d87a938e2870c2476a60c87b6db57d6014e9cf50ccb00f574506bc482
SHA512d8d65d7747cf45c5e27eb7e531f34856081b5f5906eb03d67e19ccae8dd257c9a423216df5d055112dc5efd8d557b5d7e243d7a86063069bcd714cb1346760b6
-
Filesize
539B
MD5bbcb25b301a00e2931ea89bbbfbbcce6
SHA122a9f8fab8da2525b78306e5e9cdc8ea7ba1b685
SHA2564dbac3ee7aa839cee94e0b7bea7b77cf760dc3c013b99dbafae397318e4d76b3
SHA512425fef187b6c49a55371bcef17e4a697812f7f28916348699ec0e2e28ca4af80f433306d6c7d5e2e444e265ffb3c4f10fee666e01449c05f985d60f74d4490f4
-
Filesize
763B
MD5b90e3dcc8a2aa3ac98488da39acb499a
SHA11075c550a0f272e3dc1a8a508fe5abe23e027cfd
SHA256627fa94e49fc95c4ed82d55d5c575b748bf4988f58b9bb0e51be06546c375589
SHA512de38715b088eb2c3bbd3eb634115a3d6a996520a70843204e523fc06309883d9cd6cbeb510ea97b1b66188701a4a21bf0657a92dd5913911ff45a5e678094fd3
-
Filesize
762B
MD51f9ca7e95d3fd86eabaf1b765d97f145
SHA1589f8f15ab01c59c4ce5d4e4e845003bf3fce0f6
SHA2561d5e4ad6665e73307d03144fb63baf53cbb54f88b3392acadf7a28b7407dbd04
SHA5129305e57c3e48bbae180a327a474a46d8e402cae09a33b0986a708b0153e2b225105b4996a4765a79bb4db0987bc4689106a546d617ae135c4495cd6eab5c4a82
-
Filesize
763B
MD509743ef51388b2eba23c3a9049266ce3
SHA120c2a7bc4c74229a24baf3b93a6e16802dee04aa
SHA256602d3636c9e9bf70125fa001f24c889b81ce95f2a181c311d783b4fd2a716c1c
SHA512e3eb6addcc6e5104820bd1206d94a73239afb74082eca793c8cebf67fe58fcff3c49eae505c3e1dca7dfcc3900b63b24229f89afd4be9746eec3339bcf900bc0
-
Filesize
252B
MD59ee62f4f94b0d3b06b87bc7e011bcfa3
SHA1c0bac50ef2c7f3d375693238c20ea8c0717327bf
SHA256de10e5681f1e934dcdc11387c5633d7f44405dbb82112bb2da6b1a1a71692035
SHA512d0224057dfb43bf98d918c48eb1185b94bca158df6801f1710669ba87e6299445deb569ca78a0724b5fd0df05f22bd7fa5522c6443455ed6cc409aa3abc79b00
-
Filesize
763B
MD55dfdd88214b93471c66d9f3bb08cad9c
SHA1cb848433def5823e5d52a7ec5465aca373488b49
SHA25686ee49ea976aad19c7d52aa22a1e6797a62e617ed52f0ee92892cd7574848d71
SHA512834fc2bd9a752a39e683dcc2f431fe2b96d9dea5a5b4c141f5c18f8a36a5f4ff111d4aee2c836c51c5601d00249b16893c761c8d7c561c540cdb2329b64e56d3
-
Filesize
763B
MD5b2e6a23ac5ea5c3ba364201d3db4d97e
SHA100d9c53a95c340ac56cf36b4e1a6dc4b2548e8c8
SHA2568b07432a080681dbfd7b344cf1abc3d8ea048b20e43211a029d2d614075e65fa
SHA5122652fa0ce21296af7d93eb726c2e97399527bdd4f8aef2dd8baf8a54d50d32909f1b83c042f15c75abe00343a1c16af94b12183ddb74e4f1b13bc2f8dd7c55f2
-
Filesize
763B
MD5a9a3d84fc9d1bea6eb1da5f9e2944a91
SHA1d19ddd5a46320baa625ed018d9a9cb09fc9329d8
SHA25691d2e827a0f211796b479c9d0aadf369af147357d948514260308f3d85e28099
SHA51296139861db556007abc39bfae769797a63acfa8f4b5d4a1a7012f2a43f273485ab645377a216e3f4a905e0af3b6e7911f259ed70341f77fe0918904c216b1cf8
-
Filesize
763B
MD54b3d17879c2ad64c7c392b62fb31093a
SHA1a25d095f6a6d6b2da2cec864eaf38ef4f7a82a3c
SHA256d1f17978e45758a4cd3fb80c9411d4cb59827545c0c29983412487dc92e28cc0
SHA512d51ede53b434757a32eaa1571f8e0ddb9750858eb4eb12c53984e0d6d9a0f17b08bfcfd46c1b7b9667874aaaa69ac18ff1f58a78f97c012a29e2cc286b359f30
-
Filesize
763B
MD511c619c7e1833a0606ff2eefbc56ea14
SHA168b34245457fbe40c60498230179b63fca179c6c
SHA2566e015e2cb6ce69fc234653d9234818e4a6be7110e709cdbe173505db0b4a05b3
SHA5126a929354fd989399fea370bf96e6647432ea39c97b90d6b792f300f95202a11d404cf8cea03c3ec9b16b8b5e0e6437afa47b461e5aad5ca9c7ee8fd4fa46010f
-
Filesize
164KB
-
Filesize
236KB
-
Filesize
72KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
236KB
-
Filesize
164KB
-
Filesize
236KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
56KB
-
Filesize
320KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
164KB
-
Filesize
236KB
-
Filesize
164KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
164KB
-
Filesize
72KB
-
Filesize
236KB
-
Filesize
164KB