Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 17:53
General
-
Target
cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
-
Size
4.9MB
-
MD5
f605296b4b314f194d7c23f29eb9cd90
-
SHA1
0c8838372279256fa34fab408e4d0727464f7cfb
-
SHA256
cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96
-
SHA512
c63eeb73bc4d4b19d63a4376c8bca1b58aea98578cb619b3f96270ea0dda70f620dce45269a0b4b2a455c362dbf0047e18662d9c65f9f2ac0c8a1a8e57977f1e
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
Colibri family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 33 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 37 IoCs
-
Checks whether UAC is enabled 1 TTPs 22 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Drops file in Program Files directory 24 IoCs
-
Drops file in Windows directory 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 11 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe"C:\Users\Admin\AppData\Local\Temp\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tb43hevojt.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e5aff27-f7ba-43ed-89e8-a9ab1adcbe12.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f24c969-cb7d-44bc-a323-7d332a8015d5.vbs"6⤵
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f94773d8-6299-4717-bd47-0109537e9fc6.vbs"8⤵
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b700411d-2976-429e-a7cf-94e7e09f6954.vbs"10⤵
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13993ec8-e848-4303-b741-6d86c99a6a9b.vbs"12⤵
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66ddf9e8-e882-4ee8-9859-ff82eaa6d838.vbs"14⤵
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\010a1895-ced6-488e-81fa-29e1c6e18a9d.vbs"16⤵
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b39f44c5-40bf-4b7b-bb99-edde49c48377.vbs"18⤵
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\688ca738-27ac-42d2-bf9f-5bca7bc6877e.vbs"20⤵
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f8e1763-d800-4233-bdbb-45cf49ac7c53.vbs"22⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35e59383-d5f9-40bc-bfc6-c8b78aa0bb12.vbs"22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp4F5E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4F5E.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp4F5E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4F5E.tmp.exe"23⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a033ebd9-6080-4992-a18f-4003d6909b6a.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74aba92e-a25f-4078-90bf-27f3a5227b52.vbs"18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp304.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp304.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp304.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp304.tmp.exe"19⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b531f33-e3bb-498f-bdc4-63680d26b66f.vbs"16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpE79C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE79C.tmp.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpE79C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE79C.tmp.exe"17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpE79C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE79C.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpE79C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE79C.tmp.exe"19⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b731dc20-a16e-4b1c-ae5e-b641882d5811.vbs"14⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB551.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB551.tmp.exe"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpB551.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB551.tmp.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpB551.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB551.tmp.exe"16⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9db7de6-7b07-4ef6-abe1-3ccaf675cbf7.vbs"12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp98A1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp98A1.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp98A1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp98A1.tmp.exe"13⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5104d34d-7d5d-4c2d-a21c-f8a6b2af9477.vbs"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp66A4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp66A4.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp66A4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp66A4.tmp.exe"11⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c6cca69-6b4d-4096-b40c-0fc26bffe1ab.vbs"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp4A91.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4A91.tmp.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp4A91.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4A91.tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp4A91.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4A91.tmp.exe"10⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab172ad1-9453-4fef-9a2c-b161f56c56e2.vbs"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f83d7d06-e7cc-4148-a402-64e38ee31493.vbs"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpEB79.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEB79.tmp.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpEB79.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEB79.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpEB79.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEB79.tmp.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5f605296b4b314f194d7c23f29eb9cd90
SHA10c8838372279256fa34fab408e4d0727464f7cfb
SHA256cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96
SHA512c63eeb73bc4d4b19d63a4376c8bca1b58aea98578cb619b3f96270ea0dda70f620dce45269a0b4b2a455c362dbf0047e18662d9c65f9f2ac0c8a1a8e57977f1e
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
944B
MD5ecceac16628651c18879d836acfcb062
SHA1420502b3e5220a01586c59504e94aa1ee11982c9
SHA25658238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
715B
MD548c87b19f6adaf055f7818b6431dd2b1
SHA16d20462c4e76d07d3c9e9d5ddc5fc46e2d932e58
SHA2568760a926845113fc5c9df8e6132bea79b3013a0fd788e7d2783f9e0af232589d
SHA512608ac9a71a0ef4227158c9b682dd8fe586f2450c538635b850c8d254d9fa0d9b6fe19bb02370e845405a0bed6deeecd830544ec409093a6699ad62d638cffdf5
-
Filesize
715B
MD5d4540671de1d7759e3fbc4849e16e7e6
SHA1f0e7cae0bbcf2974f2ca87b9256db950ecd2cb0f
SHA256043ed31f8ca2c23f4709695efc469ab63041369fd2d856553957cbf0073d9b83
SHA512ed9981beb631bc06feda94c96ad20c4f82c8748702a74c22b54af693a9cf61f41c09c44bb8e4cd514df8043eea977662f068cfa2d0be4a71a1ace25128fa2e49
-
Filesize
715B
MD5e4796b8d3d78fa1d2cc686515e2c300c
SHA1b49a9896be39d988190c7e1ff92b01c0af5ce211
SHA256b9a4eb7c173d4421a4deafdc48e5a60e9d9034b6d2c9de33cae6d28882ae03a4
SHA5121f1f0168b202db1cc3086458b5a96fcf2055f55399d125c94003d9ea81ce9d89d245e3b7ea861a98ecc8db1eaf34c75cf3732c01cdf2d732d915d8434c896b67
-
Filesize
714B
MD5bd918dda6db47ea599d37a6786a3710a
SHA170d1621e0040dcdc25c99d370de46b3bb89dd319
SHA256a7da1f61751cfba9b8d2e4828f450289336f0adf80f930f9be3411438f565625
SHA512e2bba99740d7f5ee0f53712a31ed7448a4790c44fe7f4ce30672f041064ed30c4b4766e67aa9dca94aaad482807ccb5a573be51bb2c183edc4ac9dda0e5eb713
-
Filesize
204B
MD5207db5ab9572b28c35c8ac3ddab09f0b
SHA1ea0a2de1fc06de087fc5e890304eb925d57c3d6a
SHA256b97869eb101685aa9bfc508f156cb189fe83b34d0455b3bc389feb3740f1e954
SHA5125f4d96468a9b705f4fca77fa61222df0929360b0415e0365922a0445953ee53c92a2388b9baaac9d222319a10278ef755d21767057e8898484c2f58f007e02fc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
715B
MD5bfddef3a1a869f8e3830b61cf79b635a
SHA14964e7d28404b0569951fa9b2696f5d339d197fe
SHA25679405bce90e082331a82b47a45fae1fa3d61901ea95e6283c33a866f6fcdc7b5
SHA512ad705b5505cee0be5be3d71b18b7a76daa41c2a78efe2786426904485800c0967595975708bde59c553048bae97a60ad351233cea457c678ae60f040eba9911f
-
Filesize
491B
MD5325893f057039c0d75af8ac882448031
SHA1547bf7b373f2c1279c3e0029c4ecb9fd4186d4be
SHA256dcfd9540b73e00109f25d9faf7c4950bcd7fa84dca2ebbad3712b1454798c2db
SHA5127e39ce5ff2d902d0a4c76a49cf0c79ba6ad947c3304ddf19487a308f26c5f40c21b6c450ccbfb42f908902ac8a3ac0ef74b576680b807d30b6af9db95c9e2eab
-
Filesize
714B
MD5f8e4938fc39d98da7456cf846702d0b8
SHA112ff899c0f04c9e4e9a0212c183dcab106aa1716
SHA2564bd4602977ba07fa4e0c0fa8cf56e81074f0f9728624e79e1ebbe9f92839d6f6
SHA51279782a53154b66effe8518998771c850cf73f3099cdbb76d417bdae7ee7e1e3ba6c75e3e7684f3d00c7ff496190d6c43370a9f824da53865235a69cd42c5a1a6
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
4.9MB
MD5805504474664295a7e42391cfdbb5eb6
SHA159037fecbde18eb2ab60c1b31d79af60526f4e23
SHA256eb8fd6aaa27f9dcd92ec0119987d191770d8cb42fae8d07be6e12b394c80b0b4
SHA5122710ccc20d77eb48b64027c03c9472d829c9132d579f4cfec859c05c11a1d6a1d07563fb75e611d309bb2e220725999d974fe87b9e5c29d3a67e11a187ba4f33
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
28KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
8KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
1.2MB
-
Filesize
5.0MB
-
Filesize
8KB