Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
18-11-2024 21:59
Behavioral task
behavioral1
Sample
d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe
Resource
win10v2004-20241007-en
General
-
Target
d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe
-
Size
1.7MB
-
MD5
914dc39aa181253e11c186005dfe98f0
-
SHA1
0b63a5f139884cf75bca3b7d0b1380f9d0a8a700
-
SHA256
d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28
-
SHA512
432d25441d27cd7f4ce39835d0d2e4354ab84d390bf04941d6fa65dab99cbd1a908ab64641faf7366f9fb242ed0777f8d446c6f5808c375d39d36e6471c7c479
-
SSDEEP
24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT active since June 2019 that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro. For WmiPrvSE.exe the usual cause is different: a process created through WMI (Win32_Process.Create) is parented by the WMI provider host, so parent/child telemetry shows wmiprvse.exe rather than the process that actually requested the creation. All 21 hits here are schtasks.exe /create launches under the same wmiprvse.exe instance (PID 2956); the corresponding command lines are listed in the process tree below.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (parent): 2956   procid_target: 30   Process: schtasks.exe
pid (child): 2856, 2828, 2564, 2344, 2880, 2868, 2876, 2748, 2780, 2136, 592, 2032, 912, 1696, 1532, 2992, 3008, 3016, 2172, 2260, 3012 (21 entries)
-
resource                                                                      yara_rule
behavioral1/memory/1996-1-0x0000000000AF0000-0x0000000000CA6000-memory.dmp    dcrat
behavioral1/files/0x000500000001a355-27.dat                                   dcrat
behavioral1/memory/1468-129-0x0000000000350000-0x0000000000506000-memory.dmp  dcrat
behavioral1/memory/1236-203-0x0000000001240000-0x00000000013F6000-memory.dmp  dcrat
The three memory hits are 0x1B6000-byte regions in the original sample (PID 1996) and in both executions of the dropped OSPPSVC.exe (PIDs 1468 and 1236), and the dropped file itself matches the same rule, which is consistent with the persistence copies being the same DcRat payload rather than a separate stage.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run twelve separate powershell.exe instances each add an -ExclusionPath for C:/ or one of its top-level directories ($Recycle.Bin, Documents and Settings, MSOCache, PerfLogs, Program Files, Program Files (x86), ProgramData, Recovery, System Volume Information, Users, Windows), which takes effectively the whole system volume out of scanning before the persistence copies are written. Note the forward-slash form of the paths; detection logic should normalise separators before matching.
pid: 2224, 1356, 1060, 2152, 1620, 1208, 2532, 2892, 1608, 2508, 2576, 1524   Process: powershell.exe
-
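To turn the two signatures above (schtasks.exe parented by WmiPrvSE.exe, and PowerShell adding Defender exclusions) into a check that runs over process-creation telemetry, here is an added example in Python. It is not part of the sandbox report and not DcRat code; the event records are constructed from the PIDs, images and command lines in this report (plus one made-up benign exclusion for contrast) using Sysmon Event ID 1 style field names, which is an assumption about the export format, and the list of interpreters that the WMI provider host should never spawn is the example's own choice.

```python
import re

# Field names follow Sysmon Event ID 1 (assumed export format).
WMI_HOST = "wmiprvse.exe"
# Interpreters and LOLBins the WMI provider host should not launch on a normal host
# (the example's own list, not taken from the report).
WMI_CHILD_WATCHLIST = {
    "schtasks.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Add-MpPreference -ExclusionPath / -ExclusionExtension / -ExclusionProcess <value>
EXCLUSION_RE = re.compile(
    r"""add-mppreference\b.*?-exclusion(path|extension|process)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""",
    re.I,
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_broad_path(path):
    """True for a drive root or a top-level directory (C:/, C:\\Users\\, C:/Program Files/)."""
    parts = path.replace("/", "\\").rstrip("\\").split("\\")
    return re.fullmatch(r"[a-z]:", parts[0], re.I) is not None and len(parts) <= 2


def triage(events):
    """Return one finding per suspicious WMI-spawned child or Defender exclusion."""
    findings = []
    for ev in events:
        child = basename(ev["Image"])
        if basename(ev["ParentImage"]) == WMI_HOST and child in WMI_CHILD_WATCHLIST:
            findings.append({
                "rule": "wmi_spawn", "pid": ev["ProcessId"], "severity": "high",
                "detail": f"{child} created by the WMI provider host (PID {ev['ParentProcessId']}); "
                          "the process that issued Win32_Process.Create is not the parent",
            })
        if child in ("powershell.exe", "pwsh.exe"):
            m = EXCLUSION_RE.search(ev["CommandLine"])
            if m:
                kind = m.group(1).lower()
                raw = next(g for g in m.groups()[1:] if g is not None)
                for value in raw.split(","):          # -ExclusionPath accepts a comma list
                    value = value.strip()
                    broad = kind == "path" and is_broad_path(value)
                    findings.append({
                        "rule": "defender_exclusion", "pid": ev["ProcessId"],
                        "severity": "high" if broad else "medium",
                        "detail": f"Add-MpPreference -Exclusion{kind.capitalize()} {value}",
                    })
    return findings


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from this report's process tree; the last record is a made-up benign case.
SAMPLE_EVENTS = [
    {"ProcessId": 1608, "Image": PS_EXE, "ParentProcessId": 1996, "ParentImage": SAMPLE_EXE,
     "CommandLine": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'"},
    {"ProcessId": 2532, "Image": PS_EXE, "ParentProcessId": 1996, "ParentImage": SAMPLE_EXE,
     "CommandLine": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'"},
    {"ProcessId": 2856, "Image": r"C:\Windows\system32\schtasks.exe", "ParentProcessId": 2956,
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "CommandLine": r"""schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f"""},
    {"ProcessId": 2104, "Image": r"C:\Windows\System32\WScript.exe", "ParentProcessId": 1468,
     "ParentImage": r"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe",
     "CommandLine": r"C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\086236cf-e3e4-4c77-8ab9-8d1aace3dbd7.vbs"},
    {"ProcessId": 4242, "Image": PS_EXE, "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\build'"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} pid={f['pid']}: {f['detail']}")
```

The WScript.exe record produces nothing because its parent is the dropped OSPPSVC.exe, not the WMI host; the narrow Temp\build exclusion is reported at medium severity only, while both root-level exclusions from the report come out high. Attribution of the schtasks.exe launches to the real requester needs a different source than parent PID, for example WMI-Activity operational log events or EDR WMI method-call telemetry.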
Drops file in Drivers directory 1 IoCs
description                    ioc                                        Process
File opened for modification   C:\Windows\System32\drivers\etc\hosts      d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe
The file is the hosts file. The report records only that it was opened for modification, not what was written, so on a suspected host compare its contents against a known-good copy.
-
Executes dropped EXE 2 IoCs
pid    Process
1468   OSPPSVC.exe
1236   OSPPSVC.exe
-
Drops file in Program Files directory 10 IoCs
All ten entries belong to the sample, d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe (PID 1996). The RCX*.tmp names are staging files written next to the final copies, and each copied executable gets a short hex-named companion file in the same directory.
description                    ioc
File created                   C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe
File created                   C:\Program Files\Windows Mail\fr-FR\1610b97d3ab4a7
File opened for modification   C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXB283.tmp
File opened for modification   C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe
File opened for modification   C:\Program Files\Windows Mail\fr-FR\RCXB488.tmp
File opened for modification   C:\Program Files\Windows Mail\fr-FR\RCXB489.tmp
File created                   C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\f3b6ecef712a24
File created                   C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe
File opened for modification   C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXB284.tmp
File opened for modification   C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The 21 tasks here come in triplets for each of seven target paths: an ONLOGON task created with /rl HIGHEST, and two MINUTE-interval tasks (7 to 14 minutes) with and without /rl HIGHEST, so the implant is relaunched at logon and repeatedly between logons. Every target carries the name of a legitimate Windows or Office binary (OSPPSVC.exe, audiodg.exe, spoolsv.exe, explorer.exe) in a directory where that binary does not belong (C:\MSOCache\All Users\..., C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\..., Program Files (x86)\Microsoft.NET\Primary Interop Assemblies, Program Files\Windows Mail\fr-FR). The full command lines are in the process tree below.
pid: 2868, 2136, 2032, 1696, 3012, 2828, 2880, 1532, 2992, 2564, 912, 2780, 592, 2260, 2856, 2748, 3008, 3016, 2172, 2344, 2876   Process: schtasks.exe
-
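The schtasks /create command lines in the process tree carry the whole persistence layout. The added Python example below (not from the report and not DcRat code) parses such command lines into records, groups them by target executable so the per-binary triplets stand out, and flags a well-known binary name placed outside its normal directory, short MINUTE intervals and /rl HIGHEST. The first six sample lines are copied from this report and the last one is a constructed benign task; the expected directories for the genuine binaries are assumptions based on a default Windows and Office 2010 layout.

```python
import re
from collections import defaultdict

TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep "quoted strings" together as one token
SHORT_INTERVAL_MINUTES = 15
# Where the genuine binary with this name lives on a default install (assumed).
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "spoolsv.exe": r"c:\windows\system32",
    "audiodg.exe": r"c:\windows\system32",
    "osppsvc.exe": r"c:\program files\common files\microsoft shared\officesoftwareprotectionplatform",
}


def parse_schtasks(cmdline):
    """Turn one `schtasks /create ...` command line into a persistence record."""
    tokens = TOKEN_RE.findall(cmdline)
    opts = {}
    i = 1   # tokens[0] is the schtasks.exe image itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                # /tr "'C:\path\x.exe'"  ->  C:\path\x.exe
                opts[key] = tokens[i + 1].strip('"').strip("'")
                i += 2
                continue
            opts[key] = True    # value-less switch such as /f
        i += 1
    modifier = str(opts.get("/mo", ""))
    return {
        "name": str(opts.get("/tn", "")),
        "schedule": str(opts.get("/sc", "")).upper(),
        "modifier": int(modifier) if modifier.isdigit() else None,
        "runlevel": str(opts.get("/rl", "LIMITED")).upper(),
        "target": str(opts.get("/tr", "")),
        "force": "/f" in opts,
    }


def assess(rec):
    """Flags for one parsed task; an empty list means nothing stood out."""
    flags = []
    directory, _, base = rec["target"].lower().rpartition("\\")
    expected = EXPECTED_DIR.get(base)
    if expected and directory != expected:
        flags.append(f"masquerade: {base} outside {expected}")
    if rec["schedule"] == "MINUTE" and rec["modifier"] is not None and rec["modifier"] <= SHORT_INTERVAL_MINUTES:
        flags.append(f"relaunched every {rec['modifier']} min")
    if rec["runlevel"] == "HIGHEST":
        flags.append("runs with highest privileges")
    return flags


def triage(cmdlines):
    """Group parsed tasks by target path (case-folded) so the triplets are visible."""
    by_target = defaultdict(list)
    for line in cmdlines:
        rec = parse_schtasks(line)
        rec["flags"] = assess(rec)
        by_target[rec["target"].lower()].append(rec)
    return dict(by_target)


# First six lines copied from the process tree in this report; the last is constructed.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f""",
    r"""schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f""",
    r"""schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /f""",
    r"""schtasks.exe /create /tn "Nightly Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /ru SYSTEM /f""",
]

if __name__ == "__main__":
    for target, tasks in triage(SAMPLE_CMDLINES).items():
        print(target)
        for t in tasks:
            print(f"  {t['name']:<16} {t['schedule']:<8} mo={t['modifier']!s:<5} {t['runlevel']:<8} {'; '.join(t['flags'])}")
```

Grouping by target rather than by task name is deliberate: DcRat reuses the same two names per binary (OSPPSVC and OSPPSVCO here), so a name-keyed view would hide that one path is registered three times. The single quotes inside the /tr value are kept out of the record on purpose; they are part of the command line as logged and are worth matching on as a rule string in their own right.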
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 entries reduce to three distinct images:
pid                                                                       Process
1996 (repeated entries)                                                   d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe
1524, 2508, 2532, 2892, 1356, 1620, 2152, 2224, 1060, 1608, 2576, 1208    powershell.exe
1468 (repeated entries)                                                   OSPPSVC.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
description               pid                                                                       Process
Token: SeDebugPrivilege   1996                                                                      d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe
Token: SeDebugPrivilege   1468                                                                      OSPPSVC.exe
Token: SeDebugPrivilege   1524, 2508, 2532, 2892, 1356, 1620, 2152, 2224, 1060, 1608, 2576, 1208    powershell.exe
Token: SeDebugPrivilege   1236                                                                      OSPPSVC.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
Each writer/target pair below appears three times in the raw table (48 entries = 16 pairs x 3). Every target is the writer's own direct child in the process tree, so these entries are consistent with ordinary process creation by the sample and its dropped copies and are not on their own evidence of injection into unrelated processes.
writer pid   writer Process                                                           target pid   procid_target
1996         d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe    1608         52
1996         (same)                                                                   2152         53
1996         (same)                                                                   2508         54
1996         (same)                                                                   1620         55
1996         (same)                                                                   1208         56
1996         (same)                                                                   2532         57
1996         (same)                                                                   2892         58
1996         (same)                                                                   2224         59
1996         (same)                                                                   2576         60
1996         (same)                                                                   1524         61
1996         (same)                                                                   1356         62
1996         (same)                                                                   1060         63
1996         (same)                                                                   1468         76
1468         OSPPSVC.exe                                                              2104         77
1468         OSPPSVC.exe                                                              1792         78
2104         WScript.exe                                                              1236         80
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth markers [1] to [4] give the position in the tree; each process is listed with its image path, command line, the signatures attributed to it, and its PID.

[1] C:\Users\Admin\AppData\Local\Temp\d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe  PID 1996
    "C:\Users\Admin\AppData\Local\Temp\d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28N.exe"
    - Drops file in Drivers directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Each of the twelve powershell.exe children below (image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) carries the signatures Command and Scripting Interpreter: PowerShell, Suspicious behavior: EnumeratesProcesses and Suspicious use of AdjustPrivilegeToken.
    [2] PID 1608   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    [2] PID 2152   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    [2] PID 2508   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    [2] PID 1620   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    [2] PID 1208   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    [2] PID 2532   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    [2] PID 2892   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    [2] PID 2224   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    [2] PID 2576   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    [2] PID 1524   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    [2] PID 1356   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    [2] PID 1060   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

    [2] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe  PID 1468
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WScript.exe  PID 2104
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\086236cf-e3e4-4c77-8ab9-8d1aace3dbd7.vbs"
            - Suspicious use of WriteProcessMemory

            [4] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe  PID 1236
                C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WScript.exe  PID 1792
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39d2aa93-6842-46cc-9666-21f6841d4b2d.vbs"

Each of the 21 schtasks.exe processes below (image C:\Windows\system32\schtasks.exe) is reported at depth [1], since its parent wmiprvse.exe is not part of the tree, and carries the signatures Process spawned unexpected child process and Scheduled Task/Job: Scheduled Task.
[1] PID 2856   schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
[1] PID 2828   schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
[1] PID 2564   schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
[1] PID 2344   schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
[1] PID 2880   schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
[1] PID 2868   schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
[1] PID 2876   schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f
[1] PID 2748   schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
[1] PID 2780   schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
[1] PID 2136   schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'" /f
[1] PID 592    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
[1] PID 2032   schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
[1] PID 912    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
[1] PID 1696   schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
[1] PID 1532   schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
[1] PID 2992   schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /f
[1] PID 3008   schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
[1] PID 3016   schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
[1] PID 2172   schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f
[1] PID 2260   schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
[1] PID 3012   schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
MITRE ATT&CK Enterprise v15
Downloads

Filesize 1.7MB (hashes match the submitted sample)
MD5 914dc39aa181253e11c186005dfe98f0
SHA1 0b63a5f139884cf75bca3b7d0b1380f9d0a8a700
SHA256 d948b3030803875b8eb8c3e00c627e85bcaacccc6307b95da2b1425cb5f45e28
SHA512 432d25441d27cd7f4ce39835d0d2e4354ab84d390bf04941d6fa65dab99cbd1a908ab64641faf7366f9fb242ed0777f8d446c6f5808c375d39d36e6471c7c479

Filesize 736B
MD5 5c6b690560983d0ff532f0d4807240b4
SHA1 856a043d76aa08c21eee6b7f487ed811c62fbefb
SHA256 856bf341dcbb698f187751e7c4ebea08da151629973aa24fb0182492ebcff5f6
SHA512 75bbe8d4dfe13da19af0ec3e4dce2faa8b9feeff0cfed1c9399b86e40f8478dce78f53c62e06d4d222775194ab144f8017235e6a51f1ca74ead0676a00bec9c5

Filesize 512B
MD5 8b451ef88e83dc9c1bbbd63685a6a56f
SHA1 3e741b1fc83d8b7e7f7ffed35b43ae18d70b424c
SHA256 26e1c9a6d306ea65903278f916a253df0deca530628808340c6d4985354c8898
SHA512 05822b56d273beddeaea5a033081919027ddc36680aa4a5f3e9ada2f7a34119668d521f7bdbc3dafdd0ce2a32363b79bd2aa2b95e92758afc7ba23c601cb7996

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 a84d5a2a802a87517052528dc1478bad
SHA1 f35027a0af0d5edbdbaa9919ce2b11e0d5f40425
SHA256 b04eec656b2d00d1a14e0c19bd2b2fb76202942874d33f6ccc8b3939780dfd55
SHA512 a620c453ba37633147ba2669599ffcf19e4d89acb9aacfc1fb756ff768ee018b1debaeba9fbf9584250145a7ee0f618f16479c76347baeb3e67ba59ca1da0673