Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:17
General
-
Target
e282def0d26b0a0ace50c80bd0d3e389.exe
-
Size
1.1MB
-
MD5
e282def0d26b0a0ace50c80bd0d3e389
-
SHA1
aad1e263222141dab481347dc60f033ffc3e86cb
-
SHA256
e8fa1ef4d468a51c9aabb390609c63f549b8693592d23160d5459817d3fefe88
-
SHA512
8966a24026b973dfa147d697ef7d659ff3f1b8ec11ea3971593667cd637655edaad4370683069ea2ecea21c1b0863ef79cf46effb8736328c3db010b25299b33
-
SSDEEP
12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 11 IoCs
-
Process spawned unexpected child process 11 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 57 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 19 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 18 IoCs
-
Adds Run key to start application 2 TTPs 22 IoCs
-
Checks whether UAC is enabled 1 TTPs 38 IoCs
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 19 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 57 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e282def0d26b0a0ace50c80bd0d3e389.exe"C:\Users\Admin\AppData\Local\Temp\e282def0d26b0a0ace50c80bd0d3e389.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e282def0d26b0a0ace50c80bd0d3e389.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.CppWinrt\SearchApp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\pcwum\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\tdh\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\win\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\scrptadm\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\sihost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oRYbT3TuVW.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\System32\pcwum\dwm.exe"C:\Windows\System32\pcwum\dwm.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acc30fbd-2a60-4dc4-9432-659d3e683f5f.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e84b963-265d-43f2-874e-80f8142909f8.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df697220-9673-4268-bfe5-ebd651df2f56.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0f753b2-1f91-418f-8185-9e2a1ed4a303.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58b47054-a05b-4246-bf59-adf0ab0d0c93.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eea1b3d2-986e-4bdb-965a-919bd90a51f7.vbs"14⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6434ec32-2b1e-4367-8b5d-62321bc17714.vbs"16⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5821815-684a-46c8-a492-aa6e7b62ecae.vbs"18⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2dcc940-1d94-477f-b00b-a02b4a4ae146.vbs"20⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eecbf55-0d5f-4a78-9210-4071e6bad322.vbs"22⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cba39f64-7a76-4feb-94a4-b154871fcb27.vbs"24⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08000026-646a-450c-8871-fc55351ba37a.vbs"26⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27456609-c479-45e0-b1cb-7bdb3c6f6405.vbs"28⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a88fe76-988d-4e65-a9a8-b5feff60dcd1.vbs"30⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95580e50-2094-4135-8326-fbc67ed91e12.vbs"32⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe33⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b26508bf-2b34-43fe-ad5e-c16039a6dec7.vbs"34⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe35⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3f95169-2561-495e-8049-aa7af1a00523.vbs"36⤵
-
C:\Windows\System32\pcwum\dwm.exeC:\Windows\System32\pcwum\dwm.exe37⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cddb1647-8eaf-42ef-b9e6-e883c6e7f7d4.vbs"38⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d351a92-9ba5-4f92-8157-b7f9f92dec64.vbs"38⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fd09570-c15b-4d66-a039-9c2955b1f88b.vbs"36⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\554ebc04-df0e-43af-8db9-d6648b04acd5.vbs"34⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e58deab-e4c8-4eb2-acb4-6fbf2b3ab3bb.vbs"32⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52a6b62e-6035-46c6-8191-f553fd70063a.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7549eb16-9203-47ce-8c03-09bc3d7a5148.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a764ee3-dae7-4f39-9198-986c99e4f28d.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5e65222-d8d0-4a6a-bd71-59903d6bc132.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f643f6e4-5c30-49e8-91a8-d9afbf21cf53.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9b7e4f6-05c2-42b3-9380-634d1c2e1171.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da474f1a-375f-452c-bd91-8706881eb523.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f412184-2d8a-491f-a9c8-a6393c52cf06.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\592de5ec-d56b-4f0c-a842-e87581ca648e.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fc23a29-87cf-4c2d-b4e6-2776c137ce17.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6740aa8-c6a7-4bc7-bc5f-3b4a0972f34c.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18240a07-5166-4958-a51d-cae8ca7f64ef.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbbdeec5-36a5-4df8-9d7c-07c768d47dd6.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c824571e-442b-4fbe-bebf-34f54cc65d72.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.CppWinrt\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\pcwum\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\tdh\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\win\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\scrptadm\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5e282def0d26b0a0ace50c80bd0d3e389
SHA1aad1e263222141dab481347dc60f033ffc3e86cb
SHA256e8fa1ef4d468a51c9aabb390609c63f549b8693592d23160d5459817d3fefe88
SHA5128966a24026b973dfa147d697ef7d659ff3f1b8ec11ea3971593667cd637655edaad4370683069ea2ecea21c1b0863ef79cf46effb8736328c3db010b25299b33
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5a16aff60eb3c3e35753a259b050c8a27
SHA185196d5dfb23d0c8b32b186325e2d58315a11287
SHA256a057f85fa5358fac25f1337c1fbabeffb1ca1908b352208038293ec575dfc206
SHA51213e6514cddaafba8f4fe3b08f6d6e118823ad454aac4efcb71a82438de50f97cd9570f44d594db27e4c534912a12ed066ea098b95505a6994f854f8349f2f5b0
-
Filesize
944B
MD5385f2ec5a61f1814b5b9ab67c2f07a0e
SHA11426461338ffaf19c90943434470b10ab38347be
SHA256832f227c50733f10c0461f4494219ceb045a9fc45b2a88b07e795a9226b4e6c7
SHA512a9858fa3d7eaca31fba2ed05c7c3a0f3db5bfde5ae20d91bb2f942f2ed39339e7939385441d1377f292c4e72761f98e61e0842fd87f852b99408a391215bd9f2
-
Filesize
944B
MD59038073858225f9afc939a0a2385005d
SHA1ccd8ee1416a8e738628ffd01f39eca6324000563
SHA2563fc794e69bf73ea36eccc866688e3ba9303224c00f264f4b771bdb536035240e
SHA512cb0f4422b84975595744bf183a71527b053cf738f19aa4ed1008c35d5ea6fb9e2c8ae142a81eeae2091abf2a17e24c6beca488a9c3ea6b6d2d989e3a58a52d53
-
Filesize
944B
MD5bcebe662dcddf8a8c942299b507205e0
SHA174c92b01e2b8c147f2f6e39ef7a95b171252ad37
SHA2561aa7e8cd174ef0191e4aa20a0d71c447ecba9cca979ccb0b921d8275c4aad610
SHA512bb6156cc9a37d8e978b54c7a91d3362eb759b02a58c434633f76ebea793674b8b5633dcbce9ac8297bf97d92fdae49a6bfa85df0e8fa0a204628d65c7074b4e9
-
Filesize
944B
MD500889a4c090a6a44dee9c16d05fc83df
SHA13ca3e69969cd5f63856d27fff17ecb00b854b0ca
SHA2567badaad80d3059dd0b80c71e42e196345c38d08630ec8e5e20d145c918dcd6ce
SHA5129d02a7e437a1cb0269d595a3a435c7b22993715100c741cfd415907dcc8d62f9655922c77fca66fe9365152dedc8784aba8123bda4b137eb218a9e8e6c624dbe
-
Filesize
944B
MD5c44e48d99762769d16de7352e92db16f
SHA129898e4ddba0504899fe0f0a55abacf592689e1b
SHA256f92b4e399718fecfdc08924f70f0bdb7c5e0014eaeec343d815a503e06205bc8
SHA51218cfd8b4bf3871c26c01d20ecd90f76493a6e55d7df33e78fb1491f6151ab3c04589758d6419f7b73a1288d5e65b85f40142bb7e3df5bc46e7fe4cf2da014879
-
Filesize
944B
MD50c3cddab7d289f65843ac7ee436ff50d
SHA119046a0dc416df364c3be08b72166becf7ed9ca9
SHA256c94ea9a9d0877a48ade47f77733be15871512f7aded45a211eb636bdcf7e45a1
SHA51245c710a959f67ed05c25709c24887a4d5e5909e94f2012bd1cad64b32729fafea6f6628b2552f36c9d98bf8a1ddf50bb84d92d6e1cb15f20b2a74739ff19c9ff
-
Filesize
709B
MD5d9ec474ab97f28d79eae74d134f93a66
SHA1630f010ba1bf61099ad550a59cf3867946daf26d
SHA256581d0d0095bb686d5d6649c46b42956463847ffb6587e724c7a93784dc5db74b
SHA512fbee72d64558dba19457a4790faf7bc2f1fb89bb4d263124e3456946edf28ecb9cb0d3af98c783ec69072f1690ab516a2ea905c113eaaaebddd688f9447bed00
-
Filesize
709B
MD59d91a5c071228a7f4be802a6a2a34f4f
SHA11947a5200eeed59860e8729f02fe8f8ab22fe8ad
SHA25625caaaf6b1bb3b878772227bc0d3dfc2fea9386aefd99b351d835bc4744613e0
SHA512df2b3ecab6b0842e79b99b56628993a7a3bb2ec14dfc245b2d9b4acd06db1696d472675545beb777bd7f745ceedeb0119b3fa6a9884e42494fcab604b1391ba3
-
Filesize
709B
MD5192db28c9b6f2ac5ff5b39309c43f728
SHA1569069426a61f2586a923b403c485bdd14d32bd5
SHA2567c03d4369c7e860e493855c1f3189a20eab63c62a10b51dc580b2152a5f92527
SHA512655fbaa2cb4940421b0641b74a35bbac553dfa4dd880451a69b68968674458df76ef4e290d697f19ce09ddb5321c784924c542c9504dd5a6584a3f6be4f87b6e
-
Filesize
709B
MD5a7eba2a00fbc6bfe44e7eabbaa79a43e
SHA1617ff728f2d938e3aede2f225248128e72510435
SHA25610f16e72bd20e0699d742031494ea0a521c17158ead4988bd4f739785d72353c
SHA512c8aae58be5035b6f0315b8451aebf7f68b74d8ab4f9037bbfebad33ef816f37682fe778b215a215a4ca5b04609523f075cf0928fd2dcd5f67d4fb7e6cee0b80f
-
Filesize
709B
MD57a7d187af91b872175bfc4bb57874c62
SHA12ae321d545101ff295773a2047d452b7580f0eb0
SHA25689de2678824fb52921abd13e180154be1612f39359d024eced9c982bfcecf99a
SHA512d26ffabd9a1db116ba0e5e2f1215405379f80895a511acd3417dc38458572246330d620f4521262321072da6f830f2a4cb84646a8a0fb7d8828fd40de7209742
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
709B
MD507fc4d1417a096419b1159493f3d3f6c
SHA140b29c020d9c061ebb13df3dee09a475cb1e229a
SHA256e1ff15c1b78df7e8521befc7bc5355ea3bc1ffd035a6a0ec330258cb54c801ee
SHA512d0ec563226b861cfd0218dc41c60604f2443899b12e2c8d10ad1a797115d3105112efcbe61cde8f2f152d6179a355d2801f41bfe388bc94e351a2609fa200655
-
Filesize
709B
MD59f91234ec15257e989647c745a745327
SHA1018f62bd9725719968a0365cec7cc4ed06212fe5
SHA256e83ff8df3b0a0e1c047e4359293ec18b90497a02c515fe835960fcb95b05a082
SHA512ff3e99e6a9244604af21897158fde86727dde548c22b3dbfd728b4f49ce958e993ecb598032578154d4007167dadca03aef636a4b129ec35e8e44549deb8d378
-
Filesize
485B
MD5c4cd84deda5da31785155bcefbcb5d36
SHA10c4fdfc37f886f35ce332506724768330ace2e28
SHA25641d7970802bd4cc0cab53420d8296f7ba86709214113e53daa437949edf50121
SHA51282cbf553f023d6cd23d07f7e90c2e4d059b704bf78c6c03cfbb3d45c4982aa1829d33e15bcbdb24c23c6dfef15783828afd63090c25818d6ea852eb23ae287e9
-
Filesize
709B
MD5d889547bcba95d7b1d54364a2b23979c
SHA1e25a656faef7ecb45f99fe1e8a0045a1cad06bb9
SHA2565073b478a425f13250f7f3de2013ebf68de7d4f503c66827f536521c7503c572
SHA51294ac7e36e24adca6ebffb74a2296a1bc658e4cf90e0d4e7dea8d3a677289d9c154c973115b72d893a5a7b357cb9a9ba471d6d73a03c289cf53e6705b4c7340a0
-
Filesize
709B
MD5895ad1781b16ff615f14c38526e8e086
SHA1098f6eee76a6648085623753baf3dda9a1edc0ff
SHA2566e9009f07463d91b0d9b46fecd3170baec07fb799fd964be3573932560b41b0f
SHA512359c5de994b3efc47d6ce587281ef303c7dae7ba81fa0e7ad61861aa413c2ffff6e90da4f37198b8c634417e29422ba76ac666f1f8d4ecbeb8910eac928447dd
-
Filesize
709B
MD53e2eb75cd8321ccdea1d817cbc550602
SHA15b3217d22c7f263da73d35a3348461e5bc305fff
SHA2566aea6f99f4cd653adf62d6cae88febb0b80e0aa9d8f19d8b59d8b899191226ac
SHA512ca190558a1e63c1ef47d20b526cee2522d78aa0919a03cf61952363af39cc68d53e6e4a1b6978a4370329b60afece86ca5ea290928c5b5d7bf83c22aaef269ee
-
Filesize
709B
MD5bcfd98b7584f0ee1798228b717f1e97c
SHA10fd5bd357612f92ef473aa05abad7025469eb974
SHA2562351dd3b15529072bffae88247f1caab36a2431879c8e8619edc9292d905b3df
SHA5126f3120bb879f8243c853db74d2ef211236e1642d312b2a9332a9d17d276bd8bcee022d9c4402dc8e29df5227f4995852663ea09cd6b8bdeb832be4aaa6627cbb
-
Filesize
709B
MD5e6e1131f8e71077bd362cc53a3ef91a0
SHA15cae00e804f47a647b623df197cd8357a5f13e3c
SHA2568c07ce90213fa781bb581ff48994b6537f0d8c1a95b2b4cfd7507a115f4baec6
SHA512a100b2e5543f1d8c1366b28ddd4d5c20fbfe2d6545e22028fff5865daece626e3a9e9a78049d8e34a1b476dbcbac2a11673014f9b55b30d92314c601b5251587
-
Filesize
197B
MD587a4dedac10669c5e67b823a430b75d9
SHA1a528b9adc9624749fd3c4e046a5969948064fbdb
SHA256a9ed61f3c9622fd07a47fc0140502e5a4126ec9d0c97aca8cfd7e237598a98ae
SHA5123bfaa01e93b851fca0348141607af0ab9d75ded18caeb646a512add484043f4d0dc265a41a7157eea628222d8ce73952c735c22e69183f53c84d79960c8ce5d2
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB