Analysis
max time kernel: 117s
max time network: 148s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 04-11-2024 21:51
Static task: static1
Behavioral task: behavioral1
  Sample: 8FE4D765052F33EE206BABD50ECEBFF4.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 8FE4D765052F33EE206BABD50ECEBFF4.exe
  Resource: win10v2004-20241007-en
General
Target: 8FE4D765052F33EE206BABD50ECEBFF4.exe
Size: 1.8MB
MD5: 8fe4d765052f33ee206babd50ecebff4
SHA1: 626ed36cc72ed374334c868a5d2471cd1d70e9ef
SHA256: 9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462
SHA512: 5a41dbc6ead37caa5de7c3110378fc1357954a6b02b50eea6d82ff2685962536090e2e6e75a83ab321aa14a04a50f31c92290ace854bd45bc4c5913a1e1a7210
SSDEEP: 49152:IBJS5y9ltNK+s0am17m5uSTRhNCYX1xoUQ/Ui5zbf2qmOK:ywGls0amCyN5zbf7jK
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Users\\All Users\\winlogon.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Users\\All Users\\winlogon.exe\", \"C:\\Users\\Default User\\winlogon.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Users\\All Users\\winlogon.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\"" | MsRefHost.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2348 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1808 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2996 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1872 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1152 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3036 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2392 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2076 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 2772 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 956 | 2772 | schtasks.exe | 35
Executes dropped EXE (2 IoCs)
pid | Process
2800 | MsRefHost.exe
1720 | MsRefHost.exe
Loads dropped DLL (2 IoCs)
pid | Process
2108 | cmd.exe
2108 | cmd.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Internet Explorer\\dwm.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Internet Explorer\\dwm.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\winlogon.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\winlogon.exe\"" | MsRefHost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSC615D6025B551407E94D24227C62FAFE.TMP | csc.exe
File created | \??\c:\Windows\System32\qrosn9.exe | csc.exe
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Internet Explorer\dwm.exe | MsRefHost.exe
File created | C:\Program Files\Internet Explorer\6cb0b6c459d5d3 | MsRefHost.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\ja-JP\dllhost.exe | MsRefHost.exe
File created | C:\Windows\ja-JP\5940a34987c991 | MsRefHost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8FE4D765052F33EE206BABD50ECEBFF4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2616 | schtasks.exe
2980 | schtasks.exe
3016 | schtasks.exe
1808 | schtasks.exe
2676 | schtasks.exe
2944 | schtasks.exe
2972 | schtasks.exe
2348 | schtasks.exe
2192 | schtasks.exe
956 | schtasks.exe
2656 | schtasks.exe
2996 | schtasks.exe
1872 | schtasks.exe
1152 | schtasks.exe
3036 | schtasks.exe
2392 | schtasks.exe
2076 | schtasks.exe
3004 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2800 | MsRefHost.exe  (this same row is recorded for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2800 | MsRefHost.exe
Token: SeDebugPrivilege | 1720 | MsRefHost.exe
Suspicious use of WriteProcessMemory (30 IoCs; identical rows are collapsed, with the number of occurrences in parentheses)
description | pid | Process | procid_target
PID 1956 wrote to memory of 1884 | 1956 | 8FE4D765052F33EE206BABD50ECEBFF4.exe | 31  (x4)
PID 1884 wrote to memory of 2108 | 1884 | WScript.exe | 32  (x4)
PID 2108 wrote to memory of 2800 | 2108 | cmd.exe | 34  (x4)
PID 2800 wrote to memory of 2308 | 2800 | MsRefHost.exe | 39  (x3)
PID 2308 wrote to memory of 1684 | 2308 | csc.exe | 41  (x3)
PID 2800 wrote to memory of 2784 | 2800 | MsRefHost.exe | 57  (x3)
PID 2784 wrote to memory of 1920 | 2784 | cmd.exe | 59  (x3)
PID 2784 wrote to memory of 952 | 2784 | cmd.exe | 60  (x3)
PID 2784 wrote to memory of 1720 | 2784 | cmd.exe | 61  (x3)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; the number in brackets is the depth of the process in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\8FE4D765052F33EE206BABD50ECEBFF4.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\8FE4D765052F33EE206BABD50ECEBFF4.exe"
    PID: 1956
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WScript.exe
        Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe"
        PID: 1884
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c ""C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat" "
            PID: 2108
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
                Command: "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf/MsRefHost.exe"
                PID: 2800
                - Modifies WinLogon for persistence
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                    Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnbjojvo\gnbjojvo.cmdline"
                    PID: 2308
                    - Drops file in System32 directory
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2E0.tmp" "c:\Windows\System32\CSC615D6025B551407E94D24227C62FAFE.TMP"
                        PID: 1684
                [5] C:\Windows\System32\cmd.exe
                    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WZqCqcFRCm.bat"
                    PID: 2784
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\chcp.com
                        Command: chcp 65001
                        PID: 1920
                    [6] C:\Windows\system32\w32tm.exe
                        Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        PID: 952
                    [6] C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
                        Command: "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe"
                        PID: 1720
                        - Executes dropped EXE
                        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\schtasks.exe (18 instances at depth 1; every one of them carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task")
    PID 2616: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
    PID 2676: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
    PID 2656: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
    PID 2980: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /f
    PID 3016: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
    PID 2944: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
    PID 2972: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
    PID 2348: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
    PID 1808: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
    PID 2996: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\winlogon.exe'" /f
    PID 1872: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
    PID 1152: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
    PID 3036: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /f
    PID 3004: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
    PID 2392: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
    PID 2076: schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /f
    PID 2192: schtasks.exe /create /tn "MsRefHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
    PID 956: schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads