Analysis
- max time kernel: 141s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16-11-2024 18:00

Static task: static1

Behavioral task: behavioral1
- Sample: e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
- Resource: win10v2004-20241007-en
General
- Target: e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
- Size: 2.0MB
- MD5: 38924c8184bf5944da2ac3e5cd987da2
- SHA1: 1af0d4b729dd9c3a42c197a4ec961cab5722adda
- SHA256: e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908
- SHA512: 225e25eb08a1abe529a4fc5eb435eb800145a782e3dbdd6ba1c28925f84d758c18111ed181649bd222d50fd4a44f1ede7e43c630a58ae9a92fd2074d3d306a61
- SSDEEP: 24576:FcBmS1nneRYZwoKBU7ArlQUCeYIxerW33/XfV6jx9aP5VR/z0WcBS4bppmHVSqyW:9S4/ST6xijxsBEmHVSqFHOHqnCgXu8
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
- Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsm.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Users\\Default\\My Documents\\dec3FED.tmp.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Users\\Default\\My Documents\\dec3FED.tmp.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Users\\Default\\My Documents\\dec3FED.tmp.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Users\\Default\\My Documents\\dec3FED.tmp.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\"" | dec3FED.tmp
- Process spawned unexpected child process (15 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  All 15 entries share the same description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process, with pid_target 3044, Process schtasks.exe and procid_target 31. The child pids are: 1852, 2940, 1956, 1860, 2408, 2076, 112, 2832, 756, 2656, 712, 2896, 2888, 2244, 1256.
- DCRat payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x00080000000120f6-4.dat | family_dcrat_v2
  behavioral1/memory/2080-7-0x0000000000C60000-0x0000000000E16000-memory.dmp | family_dcrat_v2
  behavioral1/memory/2532-107-0x0000000000390000-0x0000000000546000-memory.dmp | family_dcrat_v2
- Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  1280 | powershell.exe
  1320 | powershell.exe
  2988 | powershell.exe
  1764 | powershell.exe
  1248 | powershell.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2080 | dec3FED.tmp
  2532 | smss.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 10 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dec3FED.tmp = "\"C:\\Users\\Default\\My Documents\\dec3FED.tmp.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dec3FED.tmp = "\"C:\\Users\\Default\\My Documents\\dec3FED.tmp.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsm.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsm.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\"" | dec3FED.tmp
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\"" | dec3FED.tmp
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | \??\c:\Windows\System32\CSC234CD8968F5F4487A977C8673DB3027.TMP | csc.exe
  File created | \??\c:\Windows\System32\byyuy-.exe | csc.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe | dec3FED.tmp
  File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\42af1c969fbb7b | dec3FED.tmp
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\security\ApplicationId\PolicyManagement\WmiPrvSE.exe | dec3FED.tmp
  File created | C:\Windows\security\ApplicationId\PolicyManagement\24dbde2999530e | dec3FED.tmp
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1396 | PING.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  1396 | PING.EXE
- Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  All 15 entries are schtasks.exe, with pids 1956, 1860, 2076, 2888, 112, 756, 2656, 2896, 2940, 2408, 1256, 1852, 2832, 712, 2244.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2080 | dec3FED.tmp (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2532 | smss.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2080 | dec3FED.tmp
  Token: SeDebugPrivilege | 1764 | powershell.exe
  Token: SeDebugPrivilege | 1320 | powershell.exe
  Token: SeDebugPrivilege | 1248 | powershell.exe
  Token: SeDebugPrivilege | 1280 | powershell.exe
  Token: SeDebugPrivilege | 2988 | powershell.exe
  Token: SeDebugPrivilege | 2532 | smss.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2532 | smss.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target
  Each entry below is logged three times in the original report (12 distinct writes, 36 entries in total).
  PID 2316 wrote to memory of 2080 | 2316 | e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe | 30
  PID 2080 wrote to memory of 2180 | 2080 | dec3FED.tmp | 35
  PID 2180 wrote to memory of 2448 | 2180 | csc.exe | 37
  PID 2080 wrote to memory of 1320 | 2080 | dec3FED.tmp | 50
  PID 2080 wrote to memory of 1280 | 2080 | dec3FED.tmp | 51
  PID 2080 wrote to memory of 1248 | 2080 | dec3FED.tmp | 52
  PID 2080 wrote to memory of 1764 | 2080 | dec3FED.tmp | 53
  PID 2080 wrote to memory of 2988 | 2080 | dec3FED.tmp | 54
  PID 2080 wrote to memory of 2488 | 2080 | dec3FED.tmp | 60
  PID 2488 wrote to memory of 328 | 2488 | cmd.exe | 62
  PID 2488 wrote to memory of 1396 | 2488 | cmd.exe | 63
  PID 2488 wrote to memory of 2532 | 2488 | cmd.exe | 64
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe (PID 2316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dec3FED.tmp (PID 2080)
    Command line: C:\Users\Admin\AppData\Local\Temp\dec3FED.tmp
    Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2180)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mdqy21gf\mdqy21gf.cmdline"
      Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2448)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES536D.tmp" "c:\Windows\System32\CSC234CD8968F5F4487A977C8673DB3027.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1320)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1280)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\dec3FED.tmp.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1248)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\PolicyManagement\WmiPrvSE.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1764)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2988)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 2488)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y5CQu6zSeI.bat"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\chcp.com (PID 328)
        Command line: chcp 65001
      - C:\Windows\system32\PING.EXE (PID 1396)
        Command line: ping -n 10 localhost
        Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe (PID 2532)
        Command line: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\schtasks.exe (PID 1956)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1852)
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2940)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1860)
  Command line: schtasks.exe /create /tn "dec3FED.tmpd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\dec3FED.tmp.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2408)
  Command line: schtasks.exe /create /tn "dec3FED.tmp" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dec3FED.tmp.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2076)
  Command line: schtasks.exe /create /tn "dec3FED.tmpd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\dec3FED.tmp.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 112)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\WmiPrvSE.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2832)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 756)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2656)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 712)
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2896)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2888)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2244)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1256)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads