Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2024, 01:22
Static task: static1
Behavioral task: behavioral1
Sample: 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe
Resource: win10v2004-20241007-en
General
Target: 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe
Size: 2.1MB
MD5: 24f297e399f1471c6dbdcc3963e5d66f
SHA1: 5abc4979b83ca42241e55299e0ebf93c97a54c23
SHA256: 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719
SHA512: 0c9adbaedde18b2213aab82bfabcad4af71a943751b434669c9df6b4c0fe13ca17e579ac6240bc2c966b8db26c85404af10fb1565953a101471062baf68af498
SSDEEP: 24576:2TbBv5rUyXVlO8V8ikUJRQnpkPtG4HYy5hJoiJ4BUUCMmX8yvYs+UYFtaSlr3:IBJleiLOQNMbNqQs+UYF7
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\twain_32\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\twain_32\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Providerinto\\webrefSession.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\twain_32\\wininit.exe\"" | webrefSession.exe
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4220 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4448 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5104 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2804 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3728 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2928 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4272 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2600 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4308 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4600 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1836 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3244 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4668 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1876 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 612 | 1592 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4076 | 1592 | schtasks.exe | 92
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | webrefSession.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE 2 IoCs
pid | Process
1156 | webrefSession.exe
4260 | spoolsv.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webrefSession = "\"C:\\Providerinto\\webrefSession.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\twain_32\\wininit.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\twain_32\\wininit.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webrefSession = "\"C:\\Providerinto\\webrefSession.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Providerinto\\RuntimeBroker.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Providerinto\\RuntimeBroker.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | webrefSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | webrefSession.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | \??\c:\Windows\System32\CSCCB5E4015BFA3471786199499D79B723D.TMP | csc.exe
File created | \??\c:\Windows\System32\lhkpi-.exe | csc.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\f3b6ecef712a24 | webrefSession.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe | webrefSession.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\twain_32\wininit.exe | webrefSession.exe
File created | C:\Windows\twain_32\56085415360792 | webrefSession.exe
File created | C:\Windows\CSC\Idle.exe | webrefSession.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4768 | PING.EXE
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | webrefSession.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4768 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2172 | schtasks.exe
4220 | schtasks.exe
2956 | schtasks.exe
4308 | schtasks.exe
4600 | schtasks.exe
612 | schtasks.exe
5104 | schtasks.exe
4272 | schtasks.exe
4076 | schtasks.exe
4448 | schtasks.exe
2804 | schtasks.exe
3728 | schtasks.exe
2928 | schtasks.exe
2600 | schtasks.exe
3244 | schtasks.exe
4668 | schtasks.exe
1836 | schtasks.exe
1876 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1156 | webrefSession.exe (the same entry is listed 64 times in the report)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4260 | spoolsv.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1156 | webrefSession.exe
Token: SeDebugPrivilege | 4260 | spoolsv.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 4704 wrote to memory of 3980 | 4704 | 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe | 86
PID 4704 wrote to memory of 3980 | 4704 | 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe | 86
PID 4704 wrote to memory of 3980 | 4704 | 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe | 86
PID 3980 wrote to memory of 2068 | 3980 | WScript.exe | 96
PID 3980 wrote to memory of 2068 | 3980 | WScript.exe | 96
PID 3980 wrote to memory of 2068 | 3980 | WScript.exe | 96
PID 2068 wrote to memory of 1156 | 2068 | cmd.exe | 98
PID 2068 wrote to memory of 1156 | 2068 | cmd.exe | 98
PID 1156 wrote to memory of 2508 | 1156 | webrefSession.exe | 102
PID 1156 wrote to memory of 2508 | 1156 | webrefSession.exe | 102
PID 2508 wrote to memory of 3152 | 2508 | csc.exe | 104
PID 2508 wrote to memory of 3152 | 2508 | csc.exe | 104
PID 1156 wrote to memory of 4804 | 1156 | webrefSession.exe | 120
PID 1156 wrote to memory of 4804 | 1156 | webrefSession.exe | 120
PID 4804 wrote to memory of 4748 | 4804 | cmd.exe | 122
PID 4804 wrote to memory of 4748 | 4804 | cmd.exe | 122
PID 4804 wrote to memory of 4768 | 4804 | cmd.exe | 123
PID 4804 wrote to memory of 4768 | 4804 | cmd.exe | 123
PID 4804 wrote to memory of 4260 | 4804 | cmd.exe | 124
PID 4804 wrote to memory of 4260 | 4804 | cmd.exe | 124
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the number in brackets is the depth in the tree, and indentation follows the parent/child relationship)

[depth 1] C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe"
    PID: 4704
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Providerinto\jxEdxGsN64kiOqEUGJ67IuxvNwoevsckopc9pvSU.vbe"
      PID: 3980
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Providerinto\Bn5IdhR1tUpuTxK5hmOWWYzImaYN1V5cjqGFLj.bat" "
        PID: 2068
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [depth 4] C:\Providerinto\webrefSession.exe
          Command line: "C:\Providerinto/webrefSession.exe"
          PID: 1156
          - Modifies WinLogon for persistence
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ud3kigp\2ud3kigp.cmdline"
            PID: 2508
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory

          [depth 6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13B2.tmp" "c:\Windows\System32\CSCCB5E4015BFA3471786199499D79B723D.TMP"
              PID: 3152

        [depth 5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45MTYscXym.bat"
            PID: 4804
            - Suspicious use of WriteProcessMemory

          [depth 6] C:\Windows\system32\chcp.com
              Command line: chcp 65001
              PID: 4748

          [depth 6] C:\Windows\system32\PING.EXE
              Command line: ping -n 10 localhost
              PID: 4768
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

          [depth 6] C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe
              Command line: "C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe"
              PID: 4260
              - Executes dropped EXE
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Providerinto\RuntimeBroker.exe'" /f
    PID: 2172
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Providerinto\RuntimeBroker.exe'" /rl HIGHEST /f
    PID: 4220
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Providerinto\RuntimeBroker.exe'" /rl HIGHEST /f
    PID: 4448
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /f
    PID: 5104
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
    PID: 2956
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
    PID: 2804
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
    PID: 3728
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
    PID: 2928
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
    PID: 4272
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\wininit.exe'" /f
    PID: 2600
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f
    PID: 4308
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f
    PID: 4600
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
    PID: 1836
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    PID: 3244
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    PID: 4668
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "webrefSessionw" /sc MINUTE /mo 13 /tr "'C:\Providerinto\webrefSession.exe'" /f
    PID: 1876
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "webrefSession" /sc ONLOGON /tr "'C:\Providerinto\webrefSession.exe'" /rl HIGHEST /f
    PID: 612
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "webrefSessionw" /sc MINUTE /mo 14 /tr "'C:\Providerinto\webrefSession.exe'" /rl HIGHEST /f
    PID: 4076
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15 (tactic, technique and sub-technique, with the number of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 77B
MD5: 53d8109386eeba065202d0cf2138f459
SHA1: d5972faee3997246c7ffa5c53e1c2d8cc2b3803a
SHA256: 3e551e685fa443e19c1cef210062d7c4b960c9c5d538e692ac0eaeb47e09ee4f
SHA512: 55a0633b1d9c9d1b30f9efb0acff436c2a591f55c2dcf56c67038794ed31e06cb384ab8e1a0969903956789279a7d9b28c20a5e51c837b0c3bf24aa33ed23313

Filesize: 229B
MD5: e9b28a6c1dcf0251811da0e9b23eaa4b
SHA1: 9cee1ece8bf61d4088e604697b0ef0662e27dce3
SHA256: cfc6ef18996e238555dad4daa17f08ee502bc3e8f6a4c315939522b3944c54b0
SHA512: eba575e7ff8ddacf8f2dad24ef99dc448b4abccaad05904c1a7156a1a04f5df87c8997795858ca980f340f11e4be9236fe7ffdd5f858634a0cf9a118d66f760c

Filesize: 1.8MB
MD5: aa47cc8dc99f5a7b574343c64bb23044
SHA1: 047dbd74b8beaf914c5ca58ab53a6cae2e33e603
SHA256: 27cc2a9fb4fce7185c7a3ff203e7bfe7133fa3f489aab93bf63534b1b2615b99
SHA512: 7790eacbf8973d000e6e35210b165e7569446445c438a3761987d2fe90553218e5f999efe862ffeacd2d3065b6c4972cb045030b3f3ee0ce32772f532c34d628

Filesize: 189B
MD5: ab5212a0ce9dd61913bb5a87a04535d2
SHA1: cef8ab29b2d7c227111ae516123d54c9d2758d21
SHA256: 9c6f4335bbf167e39de4e757df0e7e126b08aa173d49a5981f5f5e340a818993
SHA512: b94737e5dcd551467220254cb5c7dacc7a0d174e8b787b843eabb19e4da81a28aed5c6fb8d0d671434f022b004c2285ef0d58fabf77df8ec7bb4bc8c04edba0a

Filesize: 1KB
MD5: 301ecc319ae1df11c01d3b6cb61e62f7
SHA1: 86d3f56ef2c3a3d05a3b2294a39eaf5f25fb530d
SHA256: d7a1a43432f774d652e4c281f800d40acc3abf786fc4e760d96e1c6a85ab308f
SHA512: 4113cbb3b2586ac48b6c47142dcb10a410328f8b7d6343f559fe0df86dfbf3a4975f40f744e4f5af106eca383005c99d0e467d55dfea70b7e6b1a81e9900a705

Filesize: 365B
MD5: 3b5f64ad501dd3e8fac40345b2f88ef9
SHA1: 45c74bcb30ebeffd22f0cce22c301e533c0f4b89
SHA256: 4952739a3861af03ab0cd986aab1e47be92e4ca351df43a98da67947f257e034
SHA512: cd4a2c04069e2a23b79d5e4cbc37c795b43594465d281573698fa1581c0f719fa7edc7a951ba4dacaa40f11f5de523efe6d6afc815c4685c8dbba2294f081981

Filesize: 235B
MD5: 48a68d28b702d249d3169dccd3ce72a6
SHA1: e8c5a6977d8fd06fa681b8f699fdf66c36043135
SHA256: fadfa034c864623d3203273d38251dee19b8025c25bd504f2ee3ad6ddd23e0af
SHA512: 7ffc056a3d38277a333f997116d2e0be6032746cdddcbaa00febd3eb01f1c55d4a8c6ac0eb022b3c44f6b799aae472eba4ccb9f2175548412cd01ce5ceed2228

Filesize: 1KB
MD5: 75e32610d8ef6143201c7c28465fcda9
SHA1: b2bae99fade2dda07aecbe1659d184be0fc4e7a6
SHA256: 97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b
SHA512: b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc