Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12-11-2024 20:25
General
-
Target
d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
-
Size
3.7MB
-
MD5
b0f05d80b12c67dc9d26fe6d4f0debd0
-
SHA1
9bf6fee145f08c3ea7d41e6f6755187e92f11978
-
SHA256
d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
-
SHA512
19632526b95ea7435c05af10ceb74179e902201389c62476c7cd5281a5dea338283921166a2272cbe12caf58b2207b18b58834b5c2b1c17df87b2f83fc3824d9
-
SSDEEP
98304:UbF26GgA01Iz8pS1m+j/C7N2DXXrbpqto0:U1A6IIAY+j6pG/Yb
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 16 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\MssurrogateBrowserDrivermonitor\reviewnet.exe"C:\MssurrogateBrowserDrivermonitor\reviewnet.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vm34McNXba.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Recovery\WindowsRE\wininit.exe"C:\Recovery\WindowsRE\wininit.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9a6b6d4-b4af-402d-aa3b-833005a43e38.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e6ffc69-153c-4008-8773-0faf3d205730.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bc3a4b7-e2ee-4dd8-a976-bcd6f963a411.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c1bcd4b-f3d3-4d4a-aa10-1684ac1ae2ee.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cef5c35-44c1-4036-ac43-db74f5f5c5d7.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba3666c3-bccc-4a5b-9d5c-682c4cd7c744.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\599fb552-b280-412d-a47c-2e7c22b45914.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\720d8293-3b07-4317-9890-cb4620fd7d41.vbs"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5533b09d-4c1d-45b6-8ee2-f69248b671a1.vbs"23⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8bf11d-75e7-4177-b5e6-7460566b5bd6.vbs"25⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a758ae4f-c70f-422a-a210-5a3fa8f1cbe5.vbs"27⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d27ddd-b3fe-449d-abe1-ae57b72c2fbe.vbs"29⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe30⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbaf1cd4-48f1-455c-8d23-a0454695d6c5.vbs"31⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe32⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17afc447-5bbf-4381-9407-5641285e73a1.vbs"33⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2e3d8d-3a81-4587-87bb-8b64f97d56aa.vbs"33⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a671dab-7d1b-4cec-9962-fe62fa6fd290.vbs"31⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0963be25-1c0a-40f8-9b38-eb32a2892535.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80262ab9-21a5-4c6c-b00e-69f8643a1e88.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bbefbd0-12bf-4f1a-b142-ba6f4fee96fa.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3c65996-cef4-4d65-8d2d-73d46c56c3d5.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d51c01b-1f5e-48cf-a886-d73098ea95b0.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a8d4efb-4431-4440-8c4d-470a2ed97f56.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3ba3c50-4d30-4fb8-83fc-0e373e3e76b1.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be55c717-5f49-46a5-82d2-365ccc00b9b6.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef67546b-4570-40f6-bc55-7dcfaa8af9f8.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b561d07-47f8-4fcb-a22d-11b509bc8877.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daae4211-0956-4b07-b23c-70ad210d556d.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\959eb904-3fd0-49df-9c19-ff9e1ac1b075.vbs"7⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\file.vbs"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewnetr" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\reviewnet.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewnet" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\reviewnet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewnetr" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\reviewnet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\reports\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\reports\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MssurrogateBrowserDrivermonitor\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MssurrogateBrowserDrivermonitor\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\MssurrogateBrowserDrivermonitor\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\MssurrogateBrowserDrivermonitor\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD5934b57a6b87ad62fbf72805fc7ed30d0
SHA104111b17e6b836077bca5c092dfd4e59657fbfae
SHA25625bfd4297df8354c427f96c5569594300935745c03f15aa1e4097cff1be3f70d
SHA5125737cbaa48b1c5804072681e58e8e9d55aa7d996614dd3ff6501afaea693aca3fe7275a811c7aad1bbb88057fea7a31a393cadf7c2761aeca32e1e1f83940b07
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
3.4MB
MD57d995f38d429ff33eaf4ce89f60585f9
SHA1160f3163b335110d718e98390add6ca7a110a8ca
SHA25649877051396a67dc531bb04d9745c78820a04e21ab3a6071906739ef48098b68
SHA51261cb35e8469cd396b8487ca31542d0f505179283aa7d645344f2de7ffa47cfda0013bdfa2c5b29edd16978bce9a90fe2795a62e3dd4b900d9db5431b2d81f887
-
Filesize
220B
MD5b7946fc546ca743f534d88dddeee3f00
SHA1668ed69a0b7a298e08a68e80161f7eeead3128a5
SHA2568673980ed61a75db17016d3fe892f2c37ddc037f34032e2fd35626ed146d80d2
SHA5127ee3cec4df1a0b2c5984ccf860a004dcaa3c3fa258370edabb50ccd3f92a8d3ab8daf1af1f5087a67a24bf285a34b040f36d7673f1f8e413dc931a201967712a
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
709B
MD510030b8650216e5697c251e832860a1c
SHA1d3ea29dd460e786742c2b985d2a4c7f34170399d
SHA256efe11761cdbf2da55af6cd12d7eb23fc577c3e6591816eb9ac7163da0b6f2ac1
SHA5122a8221ff168a342fd4b2ca6ecc295fee6ed10ee36a10ceee4e2988e712d7b99006fb543d55bd07d7831bd28361dc16d34f8eaab6cf6537226e979638debc59e7
-
Filesize
709B
MD5a4202fb34e74c4eefb25e649fd684f0e
SHA1e3982c9eb41c0e24919c58af38cec210e6720342
SHA2569b858ab7345523e49158f20d0a6c77794f05d69039a6dfe49930c879e95174f5
SHA51204c6c4254bfcd30272c276b91832833c4c9ac7fa70d1d0f7bf836316f79f8fd72dcb34273b0d566ac8cd93425d5162edab71730d49431f8dca65d220fe264b5d
-
Filesize
709B
MD5d2a74e34a030599e9719b46bb56a64d2
SHA117be7f5c41878f9d9a06a060d5d98b3ed0237873
SHA25646b5f3cbf47c514a210cb9318c1c919b15c274b28adb69acc2b5914617fbbaff
SHA512ad63bf094cf585bf8681adf83b793778308c07975d4f8af4039dccfbb0f7abf15df386cfb588feca0700d49775eabc6045c33e129925464967b3baaad66638a9
-
Filesize
709B
MD50ca858f68176444ddcfcffdce18f3df1
SHA16918ebe86d089e0da5ec9c201f3e6f4778a69805
SHA2568dc6697682103d98c3ed3193578f58109a81dfc3bb423baa4379ed777069556d
SHA512cd0fa87b8a4a05dcd4d4fb179e9f218d7e4b1d92224fa15c018fac22dbc02194bdcc0d34104d8f7329bbcd4456d8b335f7efa3a2afe73f130bb38c10591fe074
-
Filesize
708B
MD5db5d951f24ce698c4b9f5529f0f50289
SHA158d7cb1c5dc9e5352069918287ab8218566ee42b
SHA25603b9b4b5e130fba2d34365e26884625acb6327250812dd9acdca277224cf000b
SHA5120bd93595eafa079fb510a20520bdef1c0675e6b53da3252d97130357bc4083d678cb8a839d88ec18d4264989a48daa96719462b5ad5a7f5418166c396bee9b47
-
Filesize
709B
MD50c3401745d41256ddd3461c107b938fa
SHA1ea146ee2e47336ad27edb16ba3f85b6da76852fe
SHA256ca0e1531d7bdc7ebd2e5b6f682546e65fcfc061a8f7b07baf68cde64439894c1
SHA512f6052c55fc4dbcbe59d936cb66772aaeff9395c2c34bdeff96ee42f5c371499c692e48cea98cb7d535eccdac80b6ba792cf411caebef0dbf7c1b094200c566dd
-
Filesize
709B
MD532ea7714b75094a5db9472ccd639faa6
SHA11ba678bc5d018a5fba31f69f12b4f92c8ddc088a
SHA25657ee4c1e95fdc86b1b1d0908b5433bcf0551c1c69901cb6f7900d7093a0464f9
SHA51213829b9307c5d8e357cdd31f92e6a41cb31a78eba6b652a44bfd93fc1368d8b7f47d1b6f5c4dda3a2f9fd4f8d471be1939c05080bd1559dc015262851c98e95e
-
Filesize
709B
MD5f67e5b8a620df2dbe7f5afeded32d908
SHA10939f24b123eced48a4003c2c3bbb6fdfbdc2842
SHA25616174c449fbb584db0a80df8c195fb5ff3facd08a37942af45433b75026264b7
SHA5129ad6c779f31b98a4b4a7e6d5576fc99c25af54c6edb1e0aa6d2c3079c17503bafc7cc76372391d4d800bb95f27db99f8df0c3e9646d179cdbbace842d0b53271
-
Filesize
485B
MD54bbea4f9195d114e75bc972246ec647e
SHA1c1fe4d4962fc6f237aab9c54cff4456477f04fd6
SHA2564319fd7e7bb4beadd84573ef179b08e10c338eeb458f74649396064d38a9f5f0
SHA5127d62e1098f16ae3014527a414c76363856684ffaf3cb65ff390d1646ec3319539cb19ab9f20d3763b6a00fe569abfb0bb9560e6d658bfc1c09759aa9d7d8ac75
-
Filesize
709B
MD586f0d6ffb22f0bdcda7b9874db9c180b
SHA18fc73cfbdb1293b5cbc2f473cf476d3c373c10b6
SHA2568662f32753567b6263b1cb6c4819b6777b234d8cbd7ae6da312b59b5ff578397
SHA512dfd31ec7718707ac16c56d108b22230e7f17c3afa2788fa6831d38dfa4646d01e9ac453197594e86c5bb38424ebbb34e27a1c8265ea61f1d0eb37342664dcfc5
-
Filesize
709B
MD5175748edf4626206049f759592e0b67d
SHA11b37616ebb585d1b80162fe5e4190973d95648a6
SHA256bfc8e0a6494079189f95d2701038e07f5bc20da88a76905bee19690e66cff312
SHA5122dfb955329321a82ca178cb66b9ba5193b0da58e5890d2d3b12cd1ee622fce0fc60e2fd09cac60393f658efd82770568b0a9f0efe3a5fc2aaa24ab27c93e5e7b
-
Filesize
709B
MD5c9c18fbabb1c02ac1ed05a9d1779c579
SHA109d72fa4aa4736251b95d9a5221f514c619f03a0
SHA25654cece1f9ebfdd95f79f7020f8763eff05d0b50b754e55fd36010b8fefb26730
SHA51243faf6d6746f4574c7130a8ccdea5d20d6f44ad88b1fc332de34d2dc7fb185261cd8e93056d78c5dea84c67253cbf4674b7b997cd8356897aff8b41793baeaca
-
Filesize
709B
MD595eef1921b064e392fff82d5ee5bcf57
SHA12e368724e5d2504bc9135012cb21512fc1cfc5e2
SHA256360c63989f981bf2d8d09180b280994efda22ee048e1cc2bc8a7500b2e61f850
SHA512fea1ff17f741bfa71e64a0fa5d7f9d8009660b60aaed6fb63bd4b57cb00d132cb4ce2a2092f81565723abeb3e705a9b30694c1c9a850f6d304f039a1b37dc3f8
-
Filesize
198B
MD512452457e4b21319f6c65b7bf4b66eee
SHA1e66a7d68fa930964ee052e9b6c88dde54adf6a7f
SHA2562a3fbc6bc06af99a8b510e791c476b24ea0da8e0ccf958261eb230884e15b3a1
SHA51218d517f006af0a84a68c7827b8ca9097db8434fbe99a3bb596c2216fc2653cb28de7976915901d253f1a5e69c3b36ffb99e9b3de9ffe324350e2f9c21c608155
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
3.4MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB