Overview

overview

10

Static

static

10

5fc67c6c7c...4N.exe

windows7-x64

10

5fc67c6c7c...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 20:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe

  • Size

    3.4MB

  • MD5

    2940f67b5851b30f69161aa3b45ba520

  • SHA1

    2f0c61903289e0321a7fd6af12b2f347a5c57184

  • SHA256

    5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14

  • SHA512

    ccfe70dd9f94f8102b8860077e834ba45c8283619f2f8d1235bdbe63622e64b516ed9d9ec5cf59dcb4f5983a8c377f9bf901b42a47c28b21bfc17ea855bd4b82

  • SSDEEP

    49152:xZXrXU/5+Zc5SVROVisjq7miG9vv2SNty1kIP2XMxARdp:xZzU4c5SMXq7miAX2SNty1xPuMyHp

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 19 IoCs
    persistence
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 38 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
    evasiontrojan
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 21 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
    "C:\Users\Admin\AppData\Local\Temp\5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:952
    • C:\Users\Default\Downloads\services.exe
      "C:\Users\Default\Downloads\services.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1580
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70b5204b-3877-4d6f-adf8-407329586915.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Users\Default\Downloads\services.exe
          C:\Users\Default\Downloads\services.exe
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2248
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f8fec4b-f411-4766-b136-85ddc4c751eb.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3680
            • C:\Users\Default\Downloads\services.exe
              C:\Users\Default\Downloads\services.exe
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3112
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab5f6738-fac2-46dd-b099-f88ea741bc4c.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2012
                • C:\Users\Default\Downloads\services.exe
                  C:\Users\Default\Downloads\services.exe
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:5096
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d1bd35-40d7-46be-af4c-c09b4e1e3239.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4896
                    • C:\Users\Default\Downloads\services.exe
                      C:\Users\Default\Downloads\services.exe
                      10⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:1480
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b439cb5e-a4f2-498e-be37-6b10c2b3b0be.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4436
                        • C:\Users\Default\Downloads\services.exe
                          C:\Users\Default\Downloads\services.exe
                          12⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:1064
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff558e0b-49f6-4423-b716-20d284a8835c.vbs"
                            13⤵
                              PID:2204
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\937d2f93-69e7-46ed-97f0-7e697f41d502.vbs"
                              13⤵
                                PID:1556
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9267c89-e2a9-43c1-b7b7-09ec8f7156ee.vbs"
                            11⤵
                              PID:3908
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e14490e-c4b5-4db4-9066-9ec9f38c32ad.vbs"
                          9⤵
                            PID:1924
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6ba2408-81a7-4119-84df-5941d8c019f3.vbs"
                        7⤵
                          PID:3860
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30e6f4e6-4a6e-432e-bf27-4bc06b3e7031.vbs"
                      5⤵
                        PID:5000
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5de3693-c3c7-44b4-b5de-28481d21ccbf.vbs"
                    3⤵
                      PID:2252
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\OfficeClickToRun.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2268
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2480
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3064
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2252
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:648
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:932
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4468
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3000
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1144
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4156
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3740
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4340
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\Registry.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2228
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1440
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\images\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3856
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\backgroundTaskHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3036
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2724
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4908
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4668
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3776
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3924
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1080
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4904
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4536
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\AppV\Setup\sysmon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1288
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\AppV\Setup\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4484
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\AppV\Setup\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1636
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech_OneCore\Engines\RuntimeBroker.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4032
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2940
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech_OneCore\Engines\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1044
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\services.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4396
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Downloads\services.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:460
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\services.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3316
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3332
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4140
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:552
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\dllhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2368
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2044
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2304
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1156
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3744
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4552
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1868
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1132
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3696
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4560
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4232
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4016
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\winlogon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3112
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1000
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4304
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\RuntimeBroker.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4688
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3008
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4132
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4048
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1064
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2892

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Impair Defenses

                1
                T1562

                Disable or Modify Tools

                1
                T1562.001

                Modify Registry

                4
                T1112

                Credential Access

                Discovery

                Query Registry

                2
                T1012

                System Information Discovery

                3
                T1082

                Lateral Movement

                Collection

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\Internet Explorer\images\Registry.exe
                  Filesize

                  3.4MB

                  MD5

                  2940f67b5851b30f69161aa3b45ba520

                  SHA1

                  2f0c61903289e0321a7fd6af12b2f347a5c57184

                  SHA256

                  5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14

                  SHA512

                  ccfe70dd9f94f8102b8860077e834ba45c8283619f2f8d1235bdbe63622e64b516ed9d9ec5cf59dcb4f5983a8c377f9bf901b42a47c28b21bfc17ea855bd4b82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log
                  Filesize

                  1KB

                  MD5

                  49b64127208271d8f797256057d0b006

                  SHA1

                  b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

                  SHA256

                  2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

                  SHA512

                  f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\3f8fec4b-f411-4766-b136-85ddc4c751eb.vbs
                  Filesize

                  715B

                  MD5

                  9b5e01a56a5ade89aebc138a3ba66882

                  SHA1

                  789558469a95b048d6d57fbe3b460a352a9e2ac0

                  SHA256

                  77f116ab2d975deeb037d7a430d4b0f297adee5b60462814fff2703e05a987b6

                  SHA512

                  298dc44ec2fb3aaf6f1106818fdc24a8cdfade66689f1d9c6004f6977e784e1debec1e364f324b6a200ebc2f58a9126fa69fda1a0de3be71ead342e1f80cf451

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\70b5204b-3877-4d6f-adf8-407329586915.vbs
                  Filesize

                  715B

                  MD5

                  c2e20b90b5b8c5a04e40966a00fd74eb

                  SHA1

                  d7e7c5fb42b720b827498175cb85f15f56899be5

                  SHA256

                  e0add4600d6bc0885e8019393c4056803a8763f6e9ebfe151c2c99740ff59e88

                  SHA512

                  3ebf0b7fa03aea784f0a8cb2415b1b26e0db1a7b839507f837b835ab29c199dc72574f3396ae4543b6e48bda3a881302493253b0a1f26ceeec67cbc78b5d1112

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ab5f6738-fac2-46dd-b099-f88ea741bc4c.vbs
                  Filesize

                  715B

                  MD5

                  15d9bdbda7a6b3e1c96e43d76325749c

                  SHA1

                  a6728a56587fe6a4234ab393a68e40a2f0458a8d

                  SHA256

                  24793ca993a67a04f6f36ac7c1e2f3a41f22a14b63ec315c010ecc5422914db7

                  SHA512

                  67f1cf4b0b6c7fa288986120c0233c822670766095f838bd4a7647b6541c9a01bdee797f95b3edf0ba0e566000ead88b357c9b4dc42864694332b42b784f6759

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\b439cb5e-a4f2-498e-be37-6b10c2b3b0be.vbs
                  Filesize

                  715B

                  MD5

                  587ebb8d37e65d7551e781e44b61a6b9

                  SHA1

                  7d115c8ccee497be809b3302f598c916770a242c

                  SHA256

                  b2df8d7a48fc85bf32d41917a933703ebff392b2d6d862b61a9f91fe62fb66a4

                  SHA512

                  842cadaa9bc29c00ed19ff35b17ead313ea8f52ec6e473136b385a012457d7ace248f279fca1ef15da78cd376d5e4bc37af8e658d99bc4336722f3ece5c45136

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\d5de3693-c3c7-44b4-b5de-28481d21ccbf.vbs
                  Filesize

                  491B

                  MD5

                  bbcef8442cd329b33f9f3a93d71f28f4

                  SHA1

                  58153dd1424db1732ed304516a5bb8c85886bfb9

                  SHA256

                  e728ce1cac6ef03ad60d92ec288517be29b3e5038451028529fcdc607ff01d38

                  SHA512

                  e40b5d417cf5d6eed3c380485c551bd14272165548e447c35115d7b86ab258771e32b64e4a3c20c59c567ca30e1ce02beeedc00947458f3749f670e276e360b4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\f4d1bd35-40d7-46be-af4c-c09b4e1e3239.vbs
                  Filesize

                  715B

                  MD5

                  c96a378d1c087c2f0b6cbb122b43cf69

                  SHA1

                  404f9019c21f57e06369d468dc1b9e0c316c3e5d

                  SHA256

                  1193e05c271f7ec12781d4c4c1de50d16011d3e710fa96f04045026acfcbeb0b

                  SHA512

                  9740216fee45f2791caa55409330941923e5cff39f9cd92a1cd0cde3751806649b594d3434883de8ed557ebe0df120ad941b53458a4403e80e796145496d90f9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ff558e0b-49f6-4423-b716-20d284a8835c.vbs
                  Filesize

                  715B

                  MD5

                  05fe0b8c975fad9df71bbbe3a6c66994

                  SHA1

                  184abe5c7b3462cc310a779e004965cbc3a9095f

                  SHA256

                  a25b81916498a5677f8aed6c37533fbfae7305c24ae1e20373be5b970f09a105

                  SHA512

                  cc9c3aa30e2ae4f60a29d266040e678defbb5ad36fae94519f43e2ef7c2201f23bfb3404b0174ddc155244e3c1f9a27fd12d6a0fd7622a169a99aa4d47ad7212

                  Download Submit

                • memory/952-28-0x000000001BF20000-0x000000001BF2C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-36-0x000000001C190000-0x000000001C19C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-9-0x0000000002C50000-0x0000000002C60000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/952-8-0x0000000002C40000-0x0000000002C48000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-13-0x000000001B6A0000-0x000000001B6AC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-14-0x000000001B680000-0x000000001B688000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-15-0x000000001B690000-0x000000001B6A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/952-16-0x000000001B700000-0x000000001B70A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/952-17-0x000000001BE50000-0x000000001BEA6000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/952-18-0x000000001B710000-0x000000001B71C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-19-0x000000001B720000-0x000000001B728000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-20-0x000000001B730000-0x000000001B73C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-21-0x000000001BEA0000-0x000000001BEA8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-22-0x000000001BEB0000-0x000000001BEC2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/952-24-0x000000001BEE0000-0x000000001BEEC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-23-0x000000001C410000-0x000000001C938000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/952-25-0x000000001BEF0000-0x000000001BEFC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-0-0x00007FFD50683000-0x00007FFD50685000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/952-27-0x000000001BF10000-0x000000001BF1C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-26-0x000000001BF00000-0x000000001BF08000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-29-0x000000001C1A0000-0x000000001C1A8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-10-0x0000000002C60000-0x0000000002C76000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/952-35-0x000000001C180000-0x000000001C188000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-37-0x000000001C1B0000-0x000000001C1B8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-38-0x000000001C2C0000-0x000000001C2CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/952-39-0x000000001C1C0000-0x000000001C1CC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-34-0x000000001C170000-0x000000001C17E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/952-33-0x000000001C160000-0x000000001C168000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-32-0x000000001C050000-0x000000001C05E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/952-31-0x000000001C040000-0x000000001C04A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/952-30-0x000000001C030000-0x000000001C03C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/952-11-0x000000001B660000-0x000000001B668000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-89-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/952-12-0x000000001B670000-0x000000001B682000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/952-7-0x000000001B6B0000-0x000000001B700000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/952-5-0x0000000002C10000-0x0000000002C18000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/952-1-0x0000000000660000-0x00000000009CA000-memory.dmp

                  Filesize

                  3.4MB

                  Download

                • memory/952-6-0x0000000002C20000-0x0000000002C3C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/952-2-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/952-4-0x0000000002C00000-0x0000000002C0E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/952-3-0x00000000011F0000-0x00000000011FE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/2248-102-0x000000001D840000-0x000000001D852000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3112-114-0x000000001D7B0000-0x000000001D7C2000-memory.dmp

                  Filesize

                  72KB

                  Download