Analysis
-
max time kernel
1438s -
max time network
1424s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
29-10-2024 16:38
General
-
Target
XBinderOutput(1).exe
-
Size
607KB
-
MD5
19d31479381cfda2c9878b427f51a0c2
-
SHA1
5b8774c60b71dd32e7325d0fbceb3434975ca7cc
-
SHA256
e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
-
SHA512
14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
-
SSDEEP
12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Process spawned unexpected child process 61 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Drops file in Drivers directory 64 IoCs
-
Manipulates Digital Signatures 4 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 31 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\blocksavesperfMonitorDll\reviewDll.exe"C:\blocksavesperfMonitorDll\reviewDll.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\blocksavesperfMonitorDll\fontdrvhost.exe"C:\blocksavesperfMonitorDll\fontdrvhost.exe"6⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies termsrv.dll
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\authman\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\authman\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\blocksavesperfMonitorDll\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\blocksavesperfMonitorDll\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\blocksavesperfMonitorDll\TrustedInstaller.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\blocksavesperfMonitorDll\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\blocksavesperfMonitorDll\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\SchCache\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "fontdrvhost" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "fontdrvhostf" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "fontdrvhost" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "fontdrvhostf" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Print Processors
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Print Processors
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Query Registry
2System Information Discovery
2System Location Discovery
1System Language Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
279B
MD517e8f07d4574e42685fbff68f05b3360
SHA1af52b855b590f6319465d0eef4dad1787c751e80
SHA2563b8ad2712b85dbf32979ca47252da0da24e0d87f38623e42f2e8d9c738ffd0bc
SHA512eb5dfe811855ed9293f4519792c6f58ac53d8919b61fb5cac17bc90da6a307126d8adf3de58fad2c4df4d07d8a0d31a563f2e809a99fbaa4a667287eaaf2e4db
-
Filesize
945B
MD5bec8569f591b8d8b0628a716f54311eb
SHA14ebe22b85c903efdb62e60fb08d5256d527c0105
SHA2565e27a565f484efe6c7e19f28f1a20e4c14d8ebf673cc6eafe15a6a94884406ac
SHA512dde1957b61924c7629d760f90d1a47cbca153e6fb06bf8955c2c6ae776b6e6ef1a115c81632ba44d1a8902cbd961fddd4355e602cc712bc275016837e5a34da4
-
Filesize
317B
MD5177ddf04c1fd17277eac2468935a6c1a
SHA16c1bbd5ef19290d73db99d304bded9d5dca44930
SHA256eda46a120281667b651baf47f0ae6d4099231dee9f237ca10c63d4ad3729368a
SHA5126f7cf11f9301cec29423cc2b3dc63c12bb080b49a7514d92d8114aa98279738471fab74ef2f61f7495c8dd035c4486766b0108a541a86303ffec9e0a7a057115
-
Filesize
512B
MD5574a98f0f0392ef35bcd75d7d9ff073e
SHA1c46bdee3c1d421234608ca1b21a1879e2f0eddb4
SHA256f5359352f91056ba5389199999801039df03a5078c01515701aa6e874158af34
SHA512b3c1a8919aef08fc09a60958cabfe23afb72515b8a91f43cee416f86f6d752435a1c3ff6de9f3d82e7a6835fcfbef561bb58e03f4f18f70e61a404d23454e952
-
Filesize
721B
MD5c61a6a70279592ca8a97fc71fbaff08a
SHA170488af30099d0b102f8946dc59a3c32c5f27678
SHA2561cf2afdf67f0fb0b4bcac3c40b6a49e2c3d91685f35b2112552473b1f38b6f01
SHA51225050de528313f1e26e179ca472b3fce3de04de799d6e33737f1ae728eee59de1271fe02c2cc911de80486599cffcb98cfadbaa6ee335a129ab34e6a4ad974bb
-
Filesize
746B
MD5816a25bef3d514be740af466993f84ab
SHA14080d998ea19ba1daaa7e24c5a311af467095e51
SHA256bfbeb0f11a4457be96e420b870c0634dcc24d6c8482cd8affa854f3ba08a8c76
SHA512d8585e4989d3bc44366062482f6b8759efba5d4bb9d972a31d671b4026d76cc9e953e5e040108500abfa5d9e8fc1d7f2cdfb8db83b93f8d3f9618c5c2a38c7d8
-
Filesize
414B
MD5da7280ff3f748d8be3eca088f546b1f8
SHA14303f7c2d75e162a2d8d78488607e54060c4b4d5
SHA256fa1c234273013e99686da2cd2d8cf814edf1f6ef864d2faaa54864631474df08
SHA5128fc5b71afb291d78dfc959d74beda5958ed616afec1c8009a19ba5a3f40de9d0dc68a9d689cfc4dc46215d2907cf669a47f3d918369fe2afae5c0d5f30d39c2b
-
Filesize
581B
MD53dd2150e73886830cb74f97fefcccc42
SHA12318c56cdf7f0f4a5b09947324ed9e44c0727ed2
SHA25698480b53cc1dfd5a9e15baa0105cf5686e80939d4fbb856e6cafae150906e818
SHA5129a5dd78d8d2a7e18dc5619fd9d3f37fa458c971684655f54cf94d720ae5d5e1247b687c8288e26dbaa0f0843f7457e21751c6fb8a1758a3f362ee3596b491a7c
-
Filesize
279KB
MD57efcf0111eb7a22aec8410d6a427b328
SHA1d6828e7c4fb2789da55899e69c6197eaf4017b88
SHA2567a83319f41c626818556e406b5b664aa4c102cb851269e9becbe3041bde4368a
SHA512c1526e7bfe3c9f5d9ea9ab0f18d555e01f107ec56123ab83b8677ac24da57e206fb02a0148d2ae08ceba6ec4c10f42a46b0093e2324c0d723f09ec1fd4f43d97
-
Filesize
1.7MB
MD5c606bd7c9c733dd27f74157c34e51742
SHA1aab92689723449fbc3e123fb614dd536a74b74d4
SHA256606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0
SHA5125f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38
-
Filesize
613KB
MD5c1b066f9e3e2f3a6785161a8c7e0346a
SHA18b3b943e79c40bc81fdac1e038a276d034bbe812
SHA25699e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
SHA51236f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728
-
Filesize
83KB
MD51453290db80241683288f33e6dd5e80e
SHA129fb9af50458df43ef40bfc8f0f516d0c0a106fd
SHA2562b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
SHA5124ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91
-
Filesize
611B
MD50b9f77b417a0eab628b4bf5ca1197c1b
SHA1d67b007c20018b658211f7c7d0cb8d39655bb473
SHA2566ebea1dafbfaf1172422a8835b71cbc4cc6553550fd5d1d19630c5673a8423a9
SHA512881b5b907b37c26f4892d0558c50eaafe20ba2956fb7fad5f95b628f0300e675d1a36b055715ea551b9ab12e07a865e80cc6d90bb1e071d5e85b9b2839edbc71
-
Filesize
268B
MD525b2aa848f9fe20aab46634bc069aba3
SHA1026ec0c9567ac59ff881ac342ef046ca6fb36ee8
SHA2564f313c30125d5078153a6bdcadc90bd32636e39549769430b8d43392a7af6249
SHA512438af989c5c4d29761c77285af56354fac657430fc0f0a2c1c700c7b8b216c64e77b955b04c3aa279e6593d46c76d64cec022b06b480c8cebb97082179c12365
-
Filesize
841B
MD5f90b9c796458f76a1a1db635c95676d4
SHA158ffeb3b3c9397907ecbdad4b81961eb386f6404
SHA2564c387e1f3768f2f3a160cc127fd00a839d5ad1783984374c62fcefa8d7937bf9
SHA512be3f178fe81811fa7efd301bd987b1a90e9e962b8203aad188f9887006bbb42a44002914a1f0c650dc39bc65efc41a13e05ffbe6c09d409076c108a8056b6a6b
-
Filesize
862B
MD500b9caa10b7e047d56bbf227f03132e7
SHA1e8b78c82e64d53b40591b2eef1e77c1967bda7d2
SHA25639f8d6fe63e658584041df5f99a405d7615afade413d174156b71a9b2ed2e5d9
SHA5126ea746595b57722f0394b75a8016f09137b54bb12d67a4d5a4bacb32bf344907b9171909adfffbbbb046277d177eab239aea28b9ade9e224cd290b3de5ec3d26
-
Filesize
316B
MD5873a273df62b3cd53b809c84a34d47c6
SHA11d0f47e7663cb0ed3960678ce659d6372f7859fc
SHA256f9d4ca07081daaed221f678b8f3445045219fe98420b8ac586fbd214f1f1876b
SHA512a10103cb3ee1526d51b46a398bebb0a28c3e591fa161d3b11cbda1f59a2a5350c35d1e9fe0ffa3edc48f08dd4795d22b0837550a5c6a3c76680cbf74c9577f50
-
Filesize
8KB
MD5ad4407a0d4f76d7872969e3f57fedad3
SHA10902eff2590f9bc4dece99d21d47dbeaf569328c
SHA256763b24328234b2126cb4e839994d2f518ab05ca8860e3742f065e8e723bb2e6b
SHA5120902fb38b3b9a596b59515865784d27325dcadf3dc3f87b7453626e126c9d327825d783c36d822efbb6fe77a115b47c57e54da311566eefa136c42d1a6413479
-
Filesize
3.0MB
MD57dd6bb452c8eabf3e8d5728a28eb4b82
SHA1a51808eb883cfd203d461aecb5e3c6c654747c6b
SHA25674a2aa07e69932f7ad78ec17b7b251d7f93aa76b9d32741912506f8f338724d5
SHA5122664efb737533ef23d9bfefa3ee27c70942162ea730ade080760cd1bbfb4f1215bb1b95ec69fef903c4663db5c9c3d4baaedaa0416d13e84633390f11f748e47
-
Filesize
3.0MB
MD5d1dd210d6b1312cb342b56d02bd5e651
SHA11e5f8def40bb0cb0f7156b9c2bab9efb49cfb699
SHA256bbd05cf6097ac9b1f89ea29d2542c1b7b67ee46848393895f5a9e43fa1f621e5
SHA51237a33d86aa47380aa21b17b41dfc8d04f464de7e71820900397436d0916e91b353f184cefe0ad16ae7902f0128aae786d78f14b58beee0c46d583cf1bfd557b8
-
Filesize
16KB
MD5d393420dff425c49e000f24a5d685a71
SHA1819cf0df436c1e4efcff66c84439ea598fdae045
SHA256c0a8baaef95aaf72305eac162f5e1a6e4d4e6b6417411b62484820ff9dd38910
SHA512755a784717a9bcc0f7154678237d3111f7befbe0faa40a40703acf61e29c59f32c38a64b79f91ad1e5e879b41dc7ce10692ed9242bf6a866dbddd6537e3e0e9c
-
Filesize
6.0MB
MD54a14322dc9c3d3cdfd2da59670734a03
SHA149a0bbae079678ba24df02903229fc7118da906a
SHA256252244087f38b9e416db9e3a6613b6ab451dfcaea017435fba1af16220634698
SHA5120a0f5ede356bebe8f42e4c589adf5c140bbe50553bce4611da69d007b6f13fa5bac0f71a2e181f13101fdd941c4ccfb2f84f6443135839f3689956d7fc1c2060
-
Filesize
192KB
MD5ad3aa4183f24b8295a672f3436fd8b4c
SHA19308e0e87bfd053544169584c10a2f0661921dd1
SHA25677ee4ba1173284d36bae4bbd254bb07974a506324670409e407f529c31033dc9
SHA512273d1190eaee7fd9c7f48e60f723daab227ae8c3b40ba7b50f22a2f83c318ec0fb357003fbcd4cde75ec00473c5ffec38b04692aab0a64828f756d477f9c4d2a
-
Filesize
4B
MD5f1d3ff8443297732862df21dc4e57262
SHA19069ca78e7450a285173431b3e52c5c25299e473
SHA256df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
SHA512ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
271B
MD5adeba13ac21cb9a7cbabf43482d6d6a6
SHA1cbb3a36bce61e0d5ffa8cbca6574393ffabda0d6
SHA256c5e0784dedac343e9952322654be9dab9d714232d8865848b3a18516dfa8d4c5
SHA512b6fa1d21d5842ebe9d14108cacf4db3029e87e0af5e098b8fb8f275c60fbaca8590b48d06f95c7e404cefe63faff81fd2a9b8b451eb480af9e927ba74f3964b4
-
Filesize
1.1MB
MD50d015cc111d53a019e680b0bed11fcad
SHA13b3fb6eeba0c2ba286a4db5e850697399ccb5e36
SHA2562b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150
SHA512c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab
-
Filesize
871B
MD507db197f029c7a765f86c9ecd84b95ba
SHA1382d75da2567a0cc4ccf059c3333df8faf05160f
SHA2562c80a0be8061b7143a6239e697e04adfae0e2e44d914ff96d316434abf96d57a
SHA512d354489d9b30bae25d6823d7081aa8f5476cdf0492c898a996d83a7e42226c2ec92576da3c19cf8a1f7f541cafd808abcdb1d3faeb46c84104c96ffd99ea300a
-
Filesize
196B
MD57bcb76bc88341876c15b453c528e7c01
SHA19450b7d084746f6afc20cf0be0e97f4160599f66
SHA2562d59bba32f53b3ac6363f042c252b3143e71123356753727ee3ff06e635f21d8
SHA5120be59474950ae79c4e8c6ad32a0a2f6f30f7a79673d6162f86848f812797488b9cc688788923437079cf890ba65c641a62ed02274180eb5bb1bcf6c0bc8b4fdb
-
Filesize
491B
MD540866c14dcac96eb350e7c83bd1aeee3
SHA18b8f22977cbdf5d20dcd23fd3041ffea27f8678d
SHA2569338038abdc6037be3bd45a642d6d87307f60fdd8b079e34b96680c2a9759a1c
SHA5127308842d0d1e59b67dba805517e2325acdf6c1893f83132d41ef6d4cbdd159fb55740f8f73fdd5b405caa3b60a871d9a8779f8c3c3ea23046091de6e4383aa5f
-
Filesize
339B
MD5ec7d0bc582019dbba6a7f63bba44ec5f
SHA1f3f81dbbcd70897ced59e2314817e1e755ab1c82
SHA256ec86cd54cadcaa9f3aa79470a3d197a3f9a6287503be59c259a997ad7d500ac3
SHA512c18f0005c4088e123e484cd3833fa3f6bb57533b80757a0c903009f150d5e72141ae71fb5ee6e9c088d9ae2ffaa8a18dcd72f6671d97e8c18b6fe995422d7102
-
Filesize
896B
MD55872e9073f48891ccb1b0ac7bd651561
SHA1302f26e1b3cb613fffb8b542f2be2da68577f771
SHA2560ca12e07ce2ebfd5a3d398ae3488f0071b4f5211966158175c0e6a3c671f783e
SHA512b259009fb89efe58d998fdd45d4195ff2229381d8d035e649b9ba5b06696c0c8707b5d18976850b8b47913af15bc4486c26b80f69666c5c0dc12ce26106975e1
-
Filesize
222B
MD5a6f295a2e58c722b5935cc905e81fd8b
SHA1a2a30408197320a639e3e2f18a57fc8578c97b58
SHA2568bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c
SHA512839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635
-
Filesize
43B
MD57c582abd8874b9cc60df72d62bd86440
SHA1564e7b01338d08f657f2c02fa8fc5b8dadb92331
SHA256c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329
SHA512444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828
-
Filesize
452B
MD59464f40e95616df63c35f7ace5f535a2
SHA1a3a433e23ee740138a2e6e2d85e42ff493cc3074
SHA25609e91b59c4aeb04151e10f678a658660ab66e09acc5a951a152ea06a89843160
SHA512b498f1d421851d61a2aeef227fe658971691af60e4b28aa4aead6720da2bb07c686784eb4c31e1434bb0047622c39fb4453ccaf825e1c40af843c4c6bdf8433c
-
Filesize
828KB
MD5d9dac9e1d95e84e6aec084cf2ddb3f3a
SHA1a231a41c7ad994879b15116dcea41fdc09bb5879
SHA2560fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5
SHA512c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a
-
Filesize
856KB
-
Filesize
10.8MB
-
Filesize
632KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB