Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10-11-2024 03:07
Static task
static1
Behavioral task
behavioral1
Sample
e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
Resource
win10v2004-20241007-en
General
-
Target
e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
-
Size
2.0MB
-
MD5
38924c8184bf5944da2ac3e5cd987da2
-
SHA1
1af0d4b729dd9c3a42c197a4ec961cab5722adda
-
SHA256
e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908
-
SHA512
225e25eb08a1abe529a4fc5eb435eb800145a782e3dbdd6ba1c28925f84d758c18111ed181649bd222d50fd4a44f1ede7e43c630a58ae9a92fd2074d3d306a61
-
SSDEEP
24576:FcBmS1nneRYZwoKBU7ArlQUCeYIxerW33/XfV6jx9aP5VR/z0WcBS4bppmHVSqyW:9S4/ST6xijxsBEmHVSqFHOHqnCgXu8
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files\\Uninstall Information\\SearchApp.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files\\Uninstall Information\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files\\Uninstall Information\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SppExtComObj.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files\\Uninstall Information\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\System32\\ta-lk\\TextInputHost.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\"" | dec7F03.tmp
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 628 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1696 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1892 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4608 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3560 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3108 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 372 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2920 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2256 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4336 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4952 | 1356 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2240 | 1356 | schtasks.exe | 87
-
DCRat payload 2 IoCs
resource | yara_rule
behavioral2/files/0x000d000000023b89-2.dat | family_dcrat_v2
behavioral2/memory/516-5-0x0000000000B40000-0x0000000000CF6000-memory.dmp | family_dcrat_v2
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
3644 | powershell.exe
1868 | powershell.exe
3976 | powershell.exe
3408 | powershell.exe
1724 | powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | dec7F03.tmp
-
Executes dropped EXE 2 IoCs
pid | Process
516 | dec7F03.tmp
2420 | upfc.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\System32\\ta-lk\\TextInputHost.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Uninstall Information\\SearchApp.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Uninstall Information\\SearchApp.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Portable Devices\\SppExtComObj.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\System32\\ta-lk\\TextInputHost.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Portable Devices\\SppExtComObj.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" | dec7F03.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" | dec7F03.tmp
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\System32\ta-lk\TextInputHost.exe | dec7F03.tmp
File created | C:\Windows\System32\ta-lk\22eafd247d37c3 | dec7F03.tmp
File created | \??\c:\Windows\System32\CSCC87C277DC65247EDA5FB28A414DF4631.TMP | csc.exe
File created | \??\c:\Windows\System32\s_kgxh.exe | csc.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Uninstall Information\SearchApp.exe | dec7F03.tmp
File created | C:\Program Files\Uninstall Information\38384e6a620884 | dec7F03.tmp
File created | C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe | dec7F03.tmp
File created | C:\Program Files (x86)\Windows Portable Devices\e1ef82546f0b02 | dec7F03.tmp
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System\Speech\RuntimeBroker.exe | dec7F03.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3584 | PING.EXE
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | dec7F03.tmp
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
3584 | PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2920 | schtasks.exe
3560 | schtasks.exe
372 | schtasks.exe
2256 | schtasks.exe
4952 | schtasks.exe
1892 | schtasks.exe
4608 | schtasks.exe
2700 | schtasks.exe
2276 | schtasks.exe
628 | schtasks.exe
1696 | schtasks.exe
3108 | schtasks.exe
4336 | schtasks.exe
2240 | schtasks.exe
2196 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
516 | dec7F03.tmp (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2420 | upfc.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 516 | dec7F03.tmp
Token: SeDebugPrivilege | 3408 | powershell.exe
Token: SeDebugPrivilege | 3976 | powershell.exe
Token: SeDebugPrivilege | 1868 | powershell.exe
Token: SeDebugPrivilege | 1724 | powershell.exe
Token: SeDebugPrivilege | 3644 | powershell.exe
Token: SeDebugPrivilege | 2420 | upfc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2420 | upfc.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 5088 wrote to memory of 516 | 5088 | e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe | 83 (2 entries)
PID 516 wrote to memory of 5060 | 516 | dec7F03.tmp | 91 (2 entries)
PID 5060 wrote to memory of 2636 | 5060 | csc.exe | 93 (2 entries)
PID 516 wrote to memory of 3644 | 516 | dec7F03.tmp | 106 (2 entries)
PID 516 wrote to memory of 1868 | 516 | dec7F03.tmp | 107 (2 entries)
PID 516 wrote to memory of 3976 | 516 | dec7F03.tmp | 108 (2 entries)
PID 516 wrote to memory of 3408 | 516 | dec7F03.tmp | 109 (2 entries)
PID 516 wrote to memory of 1724 | 516 | dec7F03.tmp | 110 (2 entries)
PID 516 wrote to memory of 3152 | 516 | dec7F03.tmp | 115 (2 entries)
PID 3152 wrote to memory of 2120 | 3152 | cmd.exe | 118 (2 entries)
PID 3152 wrote to memory of 3584 | 3152 | cmd.exe | 119 (2 entries)
PID 3152 wrote to memory of 2420 | 3152 | cmd.exe | 126 (2 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth)

[depth 1] C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe"
    - Suspicious use of WriteProcessMemory
    PID: 5088

    [depth 2] C:\Users\Admin\AppData\Local\Temp\dec7F03.tmp
        Command line: C:\Users\Admin\AppData\Local\Temp\dec7F03.tmp
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 516

        [depth 3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bqrgljkw\bqrgljkw.cmdline"
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory
            PID: 5060

            [depth 4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F30.tmp" "c:\Windows\System32\CSCC87C277DC65247EDA5FB28A414DF4631.TMP"
                PID: 2636

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            PID: 3644

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\SearchApp.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            PID: 1868

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            PID: 3976

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            PID: 3408

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ta-lk\TextInputHost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            PID: 1724

        [depth 3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fsE37xrXdy.bat"
            - Suspicious use of WriteProcessMemory
            PID: 3152

            [depth 4] C:\Windows\system32\chcp.com
                Command line: chcp 65001
                PID: 2120

            [depth 4] C:\Windows\system32\PING.EXE
                Command line: ping -n 10 localhost
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
                PID: 3584

            [depth 4] C:\Recovery\WindowsRE\upfc.exe
                Command line: "C:\Recovery\WindowsRE\upfc.exe"
                - Executes dropped EXE
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                PID: 2420

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2196

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 628

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2276

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1696

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1892

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 4608

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2700

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3560

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3108

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 372

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2920

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2256

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\ta-lk\TextInputHost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 4336

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\System32\ta-lk\TextInputHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 4952

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\ta-lk\TextInputHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2240
Network
MITRE ATT&CK Enterprise v15
Execution
    Command and Scripting Interpreter (1)
        PowerShell (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Privilege Escalation
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads
-
Filesize
2KB
MD5 a43e653ffb5ab07940f4bdd9cc8fade4
SHA1 af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256 c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA512 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b
-
Filesize
944B
MD5 1f8b23cd03fdfb5d4559ac10c445b89f
SHA1 cea378877687b1967095d5237e3c0111929f012d
SHA256 f1bb0869c1d26c4282aa06a4840a9ca86e9145c136af42bb85b6d2e77e684551
SHA512 3ffe559e174f4706d3e7681f0d88d53dfde5eef56ee5005ccf7b3036a5d6ba85e02fa4d0cb213d237afcb894d79fbe673b18f986f57db2904558f447e42fe550
-
Filesize
944B
MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
1KB
MD5 2e47dcaded87c9300509c11440bbbd14
SHA1 94cb259e12d0fb6b5752b82d6e2878ba2b1a8d90
SHA256 449506c381918b2ab7a4ce9dab3777a1580ea7ace5e72dc72ea6d55ad46ab926
SHA512 d4ae5e439a4f73dd742473f39d0dbaa642f42c481ca57f23e124309ffbcd43c0b1df9f051c64ad9343c49a63847082f2d19a4647072f013f460f2848ade7e9c2
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.7MB
MD5 37d00592110ca3cc53b7f6ca6ab1c82a
SHA1 86e13c84c33969081fe59d123e3cf81e9b3e5674
SHA256 5acd08cc77f1cebd2cb95f88b37edf94b9e72b9b1c965af7ea2766e9ddc5afb9
SHA512 618eeaec0ac5390184a3b6195634cb16d3def1d2ac8ab3664b3128a4e4776dda7777e6c2aedf138a6f8e9b7f6f84fc58c38f89d9178b220443567e0c55e0bbcd
-
Filesize
158B
MD5 33fa14681c02ca49f61738b8b66af844
SHA1 b1b74b2fa56c61644c580e5df8fa1eef0b471f61
SHA256 33b56a2db2f77d5d95e16079efcc53c990bac78e5f5a40a380a3f620ba47265c
SHA512 2434d7f0cee4e25b43024feefba21fc44de87dbda5d8658081297f316c7ba69ba438da75bdbfa39fe5829128ee25657e9da46445b1a4e460d1f69aa4ada4508d
-
Filesize
362B
MD5 099b3b8baea0ba846bd58d9bf86b6c44
SHA1 0a9280da6c17d9c23e880e6369d3d2354da143df
SHA256 7525297f41ba4d641273efc258c133fa7d3259de2a367b957757fc0056e6829c
SHA512 579af6f5809c13bfac22176525878295cefa1d2e57e472e447d4fdaade9da1d67e332949898611f34b2025eb9303218bd2b9b4b83773965e9840bd6ef68a4dc0
-
Filesize
235B
MD5 4d8779a943c81c3a1efae6b570f4b0ad
SHA1 be8f046232c9052d7a6e48a0f63ed4d6441f0f2b
SHA256 8b0383a3f7525eace08a3409e6e14b7b4875bd2ef4ca485e48a88035654cc43f
SHA512 ac2f15b5b109b48665f9f0b256e726009581bcc8ba1ebe7c1b2e2f33706844f528f58ad26d8f373e5c5bed6ea89fbe53597fcf61914dc5e0bf29b0cc5407e38b
-
Filesize
1KB
MD5 634e281a00b7b9f516c3048badfa1530
SHA1 af6369715ce2fe9b99609e470d4f66698880a35a
SHA256 0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8
SHA512 1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b