Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
31-10-2024 02:27
General
-
Target
5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe
-
Size
3.2MB
-
MD5
1554ae8f1316eadf351b3e6f5e7fc9e6
-
SHA1
1fe722cd6f6e6739a2566c920931bc2f057ac55c
-
SHA256
5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23
-
SHA512
56bf054fa85f534a5b5896a21b4b511c564ffbb0a8b1685054c521d09a9122c848c5818d6518092d33da4c02b79dea6622ef7fd48ab22271522a9d7878a2883d
-
SSDEEP
49152:UbA30LfTBVuy0VtNUBslYt04P0GliFkO6Uo67iX0bCLuI9+E8Dt:Ub/7nL0jCB6q0goyUonuI998Dt
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe"C:\Users\Admin\AppData\Local\Temp\5bdd5d335f1dce7bff7ad597aa12c5c36d2831b58d4a1a37650fab7b070c6e23.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BridgeRefruntime\RO6jJbtsE.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BridgeRefruntime\AZmwZW66ycOuW7BVkn8W.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\BridgeRefruntime\ProviderreviewDriver.exe"C:\BridgeRefruntime\ProviderreviewDriver.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeRefruntime\ProviderreviewDriver.exe'5⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WaaSMedicAgent.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Videos\ProviderreviewDriver.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\WindowsRE\fontdrvhost.exe"C:\Recovery\WindowsRE\fontdrvhost.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e10f02ef-4be8-4bfc-a80d-af601b180d3d.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f13aa553-337d-4e25-96e4-c01ebe05171f.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de31eab7-886e-44aa-9c8a-e7a0e343b7a0.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9196f47-6d47-4a04-ae07-27c1c69da3f5.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cc36c1c-2d10-433e-832e-aecce4322396.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b831e14-6ab0-4b5a-9a65-e6580bd313a7.vbs"16⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55bdcac5-81b1-4401-b5db-7aee53231dd0.vbs"18⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a46976c8-27f8-46e2-9952-9154f8793c40.vbs"20⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cba271f5-15dc-4c9e-9968-526eec5a214e.vbs"22⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32911c0c-a225-45a0-af75-c319e54a9ddc.vbs"24⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51f58b5c-20fa-477b-b254-87df1cf128c8.vbs"26⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37f32bd9-f629-455e-9832-334cd7b66f7d.vbs"28⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d62eece2-9499-4b6b-8242-8266cd4d0bc2.vbs"30⤵
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe31⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157488bd-23cf-455d-b5fb-3792dfc681ca.vbs"32⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b57206b1-e16c-4d4f-b4b1-52ff628939cf.vbs"32⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4e86e4d-ff5a-470f-8f71-0261dbb89bba.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d09fb4f1-3aa8-4053-b8d4-a47dabfc9efe.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aabd2a57-5f2e-46a2-8c6d-831591a48b4e.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71777e4a-fa48-4952-bad4-07c82dc1b3c5.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb77ee23-00d1-4fac-aecd-f544a1dadf8b.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a7d4024-16ff-4fd1-97f8-df96207b16e5.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f105fb0c-f27f-434e-a2e3-c005e95c895f.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7932aea5-142c-41f8-b4df-95fb435c6577.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47c7650d-17e3-499e-b7af-b0b65802a8b3.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6608d572-5055-4767-aa9c-7dfab5c4ab08.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24bf69a0-b123-4567-8e4b-54c635bb41c4.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca041e0e-2d6a-4402-ae0b-41381dd10c8e.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\987b6889-e43b-41e2-8350-665e8a10f65f.vbs"6⤵
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ProviderreviewDriverP" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Videos\ProviderreviewDriver.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ProviderreviewDriver" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\ProviderreviewDriver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ProviderreviewDriverP" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\My Videos\ProviderreviewDriver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD5b634ab06c0798f4284c2fcf23c1fc85a
SHA1a312a6a8dbd3fdd70e9919ffaa1b777213cf2e93
SHA25620d420d40ee7aadb457e5a8dba9d099fb66d4810675a985a26ebf36141d8e250
SHA512ae801ea89737efecc5be1c580bad10c75ee9f31f2685473bbb5512b024c355c62a7d122db5042dbfb96add27041fd2601472c57b075424d12261302804b5733c
-
Filesize
2.9MB
MD515462778cb5d131fdbde43b845ca3385
SHA1e11137a2d3643fa0569e57257f7b673b29f0ee86
SHA2567082a4ae4749fc09c3b618986952c23aa6db2ee906da896b9a517685e56b8572
SHA5121f58961f5367153539c8039e8cfafd1f74bcf09550912326d1274ec5b91ff578c0126c4f36c1916384364c74ed2a4b97013a4e6ff6b25567822eac8dabfcde6b
-
Filesize
213B
MD51217656e699a8ae1e62ad9b7059e215a
SHA13e9710cc62fcaf451a305be0fe047dfadd631e45
SHA256710eab849bf0c066cb136771f1d4dc72bc2b13598c209508db16a3770d54286f
SHA512ae775b9f675455bbb78a879f38e72e500607a6a22168591a599a04337229316fdbdd0b496d69e97c423a4e917d9174e039e0e4f80b8bc94a7d5b3f99887d3f31
-
Filesize
2.9MB
MD5d564140757d8e8d6d92cd602ef162f7a
SHA107be37c34e7f8c1a02e35c3e5baac70dd7d2a0d4
SHA256f0a22af1e81cb1bed9dd096eee11fdedf88cbcc77e92a66537072753961b3d86
SHA51265cddd42f2ac216f5294bc9f0fec84984c94abf8b8e34786a31ac549c1039624d0280be1bfab6d0fdbc167df2cdc69d3a5c554c7fdb0a2ebc1df854dc72e0b33
-
Filesize
2.9MB
MD5ecb8a56fde8d50c2fe56a26c033b8a39
SHA1dd3f7bc75f354915ca4f71b9f2d581b0d8dc9896
SHA25647d4a340d406fb9c8de309a6457493ea3b4249f7bf3fc21618697466e08e5188
SHA5125c8ce67ffc7ed3a5e66259a3ae3ed35d4666e75131b4955b002bc96ff92cea6bf939641f7680e44f0edb136bdf2fe788a616cc74e1cf930fb773060ecce72bb0
-
Filesize
2.9MB
MD502979aee54ff7db809115b084ce50394
SHA15edc73bca50e0b436a22d675431d52d991da074b
SHA25618ab195cb6cff78d55d9eb5600810faad921c7a117c14f52ee727c4094395863
SHA512de4417386a6b2351f6e7cd20979c1d016d68f3cfebb84b65a8384004cb541c6e2280eb1b4a0a4f552929fe556d87ce871fc606e4d81eb5d403527e2992ac6426
-
Filesize
1KB
MD59b0256da3bf9a5303141361b3da59823
SHA1d73f34951777136c444eb2c98394f62912ebcdac
SHA25696cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA5129f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
713B
MD570dcb420e3957b10bf8f2e71ddf3989f
SHA1870e64068d0ff26dd6b0ef4425488dcec1ab5cb1
SHA256b8bc1fb7506c9bfd65359d50b6e0b7d517000257a80d0547674af4eccf8c38f4
SHA512193d55c670694949baa2f5468dab2606d7f84453c498638d3d3b38b0bee59024cfe8e0781a07ce0518851fa8f31c0aab3ee1878430fb6cfb4e223f74e03a635f
-
Filesize
713B
MD5c1cfd738412fa8acd3ed33c65dc1da4d
SHA14ef6b7f79f1178f77b5fb9da280443b22194db02
SHA256db2ac6f844dc02cd5a41d3a909ea4ec823e471f6cb851a5a2c0fd9c9970a87cf
SHA512cee42c962a2605e5f0a3acc337e4f31877b4dd02d6a774b7427b644530ace79cffe8ac97433e8c6d513e57e9da7db01858841f5cc0f2ffa72aad39a0759e7cb5
-
Filesize
713B
MD54dd0193388b41cd5730bb76e2c10ebd8
SHA1e341a67f6c526bfdacab95b7a53d89c9603f821b
SHA256be0cd9d02c73a660559d14640be0848f7b9bae5a8fa72b070b1b21c39dd0b2d4
SHA512bbc6c0cdf0e5d0cf392af7c5bf6d9ed174e272885846987dbf438df71c4662468c78a9758ee9a01c9433519dc186826475bed8e79400e50f8185047f2ba6497e
-
Filesize
713B
MD5a160a07988d0e00bad9c42b3dce4a19c
SHA14e5adc3316d5049c1e29e02d778a93832b90eefa
SHA2561fc15ead9b68d03dd4f51a7d9a1b3423ebda0f8b57658ecd3f4ee5d0bc8fd2c1
SHA512fdcb2f28f8a77319b01d34d14bd8a097792149b80d2972c3fb98ae563a126fa1dface5cf27e763c5549935b3314c8cf4f453f8170a0cca9d5a036edfdc5de845
-
Filesize
712B
MD58687931860be55b12adadf686ec82331
SHA1b788225e52227dfdc159e7f40f87ca767d3e2d60
SHA2563b5792e54b0ea75bda19a5904aee88f2499b5ceef046349caa21c5821e65e57e
SHA512f6b7a8dc10c452f1e662aa423960071f32de571ae03e78d99d2b2398c6aa887b6cd8ee9aa614d0d0ffaeaa52b264de43ea36733520b8e138c1743fe5ec797f25
-
Filesize
713B
MD5a61337f14513b8c41696fe6832247893
SHA1a32824f297a516fceb7805a7574732b86ddb397f
SHA256a6f0fad035e57bafdc9bb03aaeb4d40810978c72216d0697b21c27a4f6052a87
SHA5123572ce6c2d64769d41d7e7ef59f5024126111af639e466ca052f4713c3b4e9757e80d3d2445230d3c0fdb6d3ed69fb521d94598be86d02b6859397696a1dd142
-
Filesize
489B
MD56868c8d5bdd695363937a5d7fdc33b82
SHA1b1b1f7f0f2ab44bdd4ad8c44a77276909c16c5d9
SHA25697e1347ba3b994ea0a12c29e4e793dc97faaf37be2cdead91befd114bec9dade
SHA5128e356acce2dfd11febfebc46e85836ee5081e897bfe4d2ae99c632fad3f79dd2d706069f66777fe604da9fafd08a57928a19a2f312ee9014ca9045643b7206fd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
713B
MD5d62ef4cc6345b2b1641df283d7587b87
SHA17379da051c722165b9e7be5934a11db635411c20
SHA2569aa64a18584c963b10c8f9490218ba575e463b1ba5d6128a561fe0929a34916d
SHA512e02ed40ed8c2d6861410e88a324d09c4ad52abfa36d07d969b75415909730aa17b93092cb11772ebe7338ea367a67588ba2ce22b3da79696388c9c980e047fe0
-
Filesize
713B
MD5351c2175ea4a56abe56ec0e6f9fb6bfe
SHA1926c1af9bac0a5281e9491cd997a5ffd8efcb05a
SHA25689bb0b6128f4aad0783f4864070e5020806d9f13ba78b6854add4df11f30fdb4
SHA512e6fa72f600f4ea6cad2a1053bbda50920b28bdaefc505d8d4856b278dd2142a53039fe754c43870f0c98dc25fe2cc5f5e8a2b9176493dfca5ad98223ec7e4f9c
-
Filesize
713B
MD5b52dac8021d8ba3462dcad2462d2834c
SHA16966ecee12b9afdb4a70f4408764345a1ce2382c
SHA25631f22e5a318efae80d23dfe713bd5792af35940949d0304bc52d7b0a72cd2b0f
SHA51221a03feec5f8b12192eb09ad15bb633b361158a6fa0e80f541a1cf8abc992f0baaf25b9a98356afd9443580f640def414aa8134b5056319ddbb7553f3bf43bf3
-
Filesize
713B
MD59d39529432769b607fcce6abc18c2eff
SHA104840cc9abec3ceaae0ba8015ea7965bc495b06b
SHA2560261f761b2934db8eda6e3a8ee016b18278bc557dd841ac4b83e96db60c4c91e
SHA512ee23336d1f9ce3b2466ee75a91b42360d6ed2254181a86f70add861fc3e2cf278978373668ff938a21d9ef08d91ee878f97dfd5ca4cfbb8f085ee8fdf9bd8f23
-
Filesize
713B
MD56a1d44007f6e467348a74204f55eb961
SHA1fafe5ecf27f8a95c25ba255c44b6091d30017258
SHA25672ed0e85b3a48e8b69deee3f86afc5b0ea4d736bc7f70f98a24f98f220297aa2
SHA512687e592aa2dc8f0fc41b246ea93b5ec540f5aa6a80593f96aba344f64b31891e5f42908384f7346d94ba7807813dc5f9f3546d2593f4f2451517edefb3cb984f
-
Filesize
713B
MD5de05e8a02337eef56ee0eea53b1027eb
SHA16b943cff13cd7179af6689d825972148dfaa379f
SHA256ccdae614a98392fd2c8edb15c7d298964e642772310fb1f16d182238ab596b9d
SHA51211973a4785cda28d61a32e3195eeea14778758c11f929b94040d20ab2511bd6bf88b0e5bfed8ba3ddd084cc0d509eae6cf64be806085c56109426fdfc1f9bf24
-
Filesize
713B
MD585d19f2be1d1ba027c4c92814be44919
SHA1cbc22d80c36f235ba177e011d652ba6758d091dc
SHA256f9977f9f53ce6883f9ca81433cf63cb91c8a08dc795e7be3cc7ad61ba0727b21
SHA51250e510dd1e3a211633318523ceaae94bb1d67d50e4a1345ed2e14c189771a13d9b0f8bd0c5a55ba086a80c803575f8579e03d9da6a02726e5dddd05529001ecf
-
Filesize
2.9MB
MD5f5bd1e479ef89a259891b9ac0c676c07
SHA1c5e0e9d8fed70b794d1d3e465380608ebd7f74c1
SHA25661d0d2c36a9f7c0f9d56ea5cb2b81c6d88a8f56137c4b72c72eb1b75fd4dcd6d
SHA5127b7b45ec4813d4cf1714fc04dab96594fb269de7338ecaf888c697997a6b57d5948e9c98eee763e86ad2c13454cec8042a193beeae4d58028f180fcd63a24ed9
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
344KB