Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
22/03/2025, 06:15
General
-
Target
ab89f9e5fc235d4e0bf6b72be96e777b.exe
-
Size
5.9MB
-
MD5
ab89f9e5fc235d4e0bf6b72be96e777b
-
SHA1
c714d6e77c07fa5c3f5ba33f5696e1c537db4a24
-
SHA256
a51a0a522e7881f8eafb519d98f0560f0aa4ec99cea8d9766d018de6fa6085ca
-
SHA512
7f1b46016e1af5bdb80ec16f5936c076fcb17785f5e03df23c11f203b533419f4919d3aa41f160c586a674b6e71c86b1e3552c1c46e667be002634622326dc94
-
SSDEEP
98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4S:RyeU11Rvqmu8TWKnF6N/1wz
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 12 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 4 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
System policy modification 1 TTPs 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab89f9e5fc235d4e0bf6b72be96e777b.exe"C:\Users\Admin\AppData\Local\Temp\ab89f9e5fc235d4e0bf6b72be96e777b.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/87efddaf44110a3d80760c508da79ad7/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ebea8a0c5b7ebb8dc5b60da7/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90e9445a-ce15-4227-a389-2573b178bd6b.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3e30a7a-2c65-47e2-9db9-3d1412e6450c.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e5911fd-8475-4c07-a800-a042eeb43a73.vbs"7⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec98e4c8-05ed-41e6-beb8-10d63f0d8136.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e4fff4d-114c-48de-a9e4-7b2a4bade180.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21653861-9ecb-4d1e-b120-b9dc8753fa59.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4752_384041223\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4752_384041223\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4752_384041223\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\87efddaf44110a3d80760c508da79ad7\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\87efddaf44110a3d80760c508da79ad7\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\87efddaf44110a3d80760c508da79ad7\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\87efddaf44110a3d80760c508da79ad7\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\87efddaf44110a3d80760c508da79ad7\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\87efddaf44110a3d80760c508da79ad7\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ab89f9e5fc235d4e0bf6b72be96e777ba" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\ab89f9e5fc235d4e0bf6b72be96e777b.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ab89f9e5fc235d4e0bf6b72be96e777b" /sc ONLOGON /tr "'C:\Users\All Users\ab89f9e5fc235d4e0bf6b72be96e777b.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ab89f9e5fc235d4e0bf6b72be96e777ba" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\ab89f9e5fc235d4e0bf6b72be96e777b.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\87efddaf44110a3d80760c508da79ad7\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\87efddaf44110a3d80760c508da79ad7\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Landscape\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Landscape\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.9MB
MD564ddca8132b7423e67d2e873fc7c60e4
SHA185d28d4a9bdb452cca422cc31bad44c39cb5278a
SHA25632a1f9b71d032111de3286820313ef2f960dc4f34fc8610e592db1512741ff13
SHA5126099f181f13afdd7ce9bd25586166e605819ffe0536e2f3632188b413ec4a3832ca2cb5058cb1b09898cee7a545299f4eff61109f07868e4181ef6aba81d4b12
-
Filesize
5.9MB
MD5ab89f9e5fc235d4e0bf6b72be96e777b
SHA1c714d6e77c07fa5c3f5ba33f5696e1c537db4a24
SHA256a51a0a522e7881f8eafb519d98f0560f0aa4ec99cea8d9766d018de6fa6085ca
SHA5127f1b46016e1af5bdb80ec16f5936c076fcb17785f5e03df23c11f203b533419f4919d3aa41f160c586a674b6e71c86b1e3552c1c46e667be002634622326dc94
-
Filesize
5.9MB
MD56454738aba25d8b7990399f202284460
SHA14f7610931a37fb5b9eb5654f31ddc5433943a36f
SHA25674ec47d9ef0e54e15cda6118f0eb8dc5abce8ea47a0db452889f0a4d3a012294
SHA512cc31336b9fcba022ea626ad2ac1dd3bc7ead7bf2f0d45d8708cfbc38f8c7e8e5636bbc9394313982310c546cd163d4214cf4ebd03e8757e3daafa5753ec21347
-
Filesize
5.9MB
MD5a3da5b412df3f17479613106d745b617
SHA154244f14a8916a0c78f49e246ce686a6b4f25fc3
SHA256590e2ded233d9ed196222889eee6d652d5ab8dee75cda0174eb66f18476eb2cc
SHA51205a2052a0200fe1514c7f076a72c85643e640045d5f8436057a2584bf2d03707a4563611830a00a0ad78da61cbdab0db1cf6b6efc08e0256742174173cfc28cf
-
Filesize
5.9MB
MD54b32f4c39253cd7311c2af9012d5e2fa
SHA1fcf78fdf89a0d871aa565134aaff5d87bab0c268
SHA256f300a3b6bda4ec60a4770f35cbd55a10710cfa749164f998a6716cfebef4b42b
SHA512f368df4df66b00db6d396f5272646a07eaf40decd37c0019589e432b4f3eda873331e3f2c8726a210c2509585f24072bdc1425fc56baac5bd6df37c3ca8faa73
-
Filesize
5.9MB
MD5ec6cba6089f2539a7cc3b1b137ec6824
SHA13a883fed8bf036f894a8d450ba3e9010ddf3f6a1
SHA256e3ed388726aa351bda2b1db1cac6884334362307bd322476ae2347afb6b274b4
SHA512571eea198c6148015770b9ed237721cff9d715135e75fe6ef35ae6094b2544d2e94c3df2ce0b9b64c2b7e46596346a7b26a706e82ed54228d8b8ab0855709760
-
Filesize
1KB
MD5229da4b4256a6a948830de7ee5f9b298
SHA18118b8ddc115689ca9dc2fe8c244350333c5ba8b
SHA2563d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11
SHA5123a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d2e14ffaec8328ef6b85925ed5fc2c9b
SHA1f42699edcf4fea12a6f3301141f996c2b8ecaf5d
SHA256a75bb133d71f078fb9d5fa46ae46b5d23bfaacd382b0dadb4da59567f6749ccd
SHA512335a0c6e8a6b1620b5644962c7deb43cef5e5ecb7f4d84816671cac12bd42d2fd6311e1c6ebe9c3a9bf5bc49c170760ba42d7045a74a38ec0963badacd72beff
-
Filesize
944B
MD54ee21a21f8b414c5a89db56be6641dd5
SHA12403dc36f95bcc4536ac61057a9ce76e11b470f9
SHA25649cd0e958905a47f71f38c2211bacb5607f7903ae593a6e7f8156a1bab364d71
SHA512996352f4281526569825fbbf6de92fd01b724ebe3dff34516df65c9986cff7cc9ebdba5b3068808740087441508a0678e44bce158f9f998431b441b5d31aa7aa
-
Filesize
944B
MD5c63980b62b932c2336743babc337af85
SHA10ef001498596b702a9fd8944795d7ccb7aac5333
SHA25659df6f476d34b7f08f279482dea01d2331665c987406de593ebcfd4bcbe73665
SHA51271dab1d77cdefe2b22c6fd787dedf6c5296f05d450878d550ea9cd1f30fc575c6a234a1f798bb53815715f7f2d3db456358c1173f605f1eeabf41d921e94d067
-
Filesize
944B
MD53fe089fecc1a7897c40a12707d788ca9
SHA197f8ab9020333729ec191b3dbd044c57227b84fc
SHA25670d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c
SHA5124e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb
-
Filesize
944B
MD5dc05a4f71923730b4eed5cb63f86aeed
SHA1798199489ad94c55021a92ec812b320ed90b5711
SHA256557afa6640a2b8ba319b55ac8d6b4b79e8e4bcda916870baa5f74dc9bd937650
SHA512fe0bfd9ffdfebf5c10320e0701a3dad1da28b826395154ba95f53ea76b2e68a3e6504e539b504aa24a276877ebdbfd1e3fc6c1a2763bb80d17bc69471388656b
-
Filesize
944B
MD5e0078bc2219e520ee1d62e54060a457a
SHA1a0e9bb02e3ee7c6eb3c8f6ff43b91eadff5d4140
SHA256b75060b74dbcc80d09dc2edc05b47459f88ad048c6fad56544bb0dca56ac2f42
SHA512874051d5887e0db3d39096c0a3d19ce7ca0deb63f22d37f1cd877b64784af076f6e243cbcb7dd0fb6e8c9393b5e713c80057dc73ae39d7ae6f8d28fdcb3161d8
-
Filesize
944B
MD5c926b492b1d39d04f6e9656ec7f5877d
SHA1c2cb3c49c5aa9b0616a7ddb11c9a1453855b352a
SHA256b0beda1f817ee65a341d4792f15dbd70be363835d7ebc3af6302b771295bc907
SHA512df815fe9c34f85a90c3692534993955ca3c6f57a317f46bd9366152993c5918cd6f376678f9957ae43317bb7f1f5ba65ae175dce8f5e9735749263214e1fe74e
-
Filesize
944B
MD5aaf0080989fabad865a080216418fbf2
SHA1935075309ff07f95b5c2ff643661fef989526e15
SHA25686e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c
SHA51221721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676
-
Filesize
709B
MD532a5a4914653e1532a5b5a31267c3607
SHA1a4b392f72717911d60e099efe77379688a1740c2
SHA256a103175b10c2465c0b1eb907f20220e6699e2288b5a51fefd521b6a8c5e61c08
SHA51235e57a78ec79029c26066476b32e99516ba4e142f2788379bec27be34f2e4ae92f5721d4397bcb76e335c9cbc2e042203863b3eecb62896e8bbb44e8d595f9a1
-
Filesize
486B
MD53bf20cb4e5ae5735687750163034e552
SHA1b9b5f9e5ec4e2a018fb794f8cd535c695425dbcc
SHA256c78bae0a5fa11f6c2a0b1e40b14d1119e2289d6ca6a4844654ea0f213b2c24ff
SHA512700497cbe86dd6a8ce5a10a5525a1e9d2d36ee62e25577b047524f8e0783963ab9c8fa9ef86db1ef2f0a366d96e3fffb49cabf8e35f690004390876f3fb6a967
-
Filesize
710B
MD51f6ac86bd2a778d8c8f695322469c59a
SHA12c3b08048a4ede6fd4cb807bbd9e4a131489803f
SHA256a60ab550618dd607f5a9c3804ad7b46336b8f21bbab7dbdcf2cc1b0b6abb39b1
SHA51238d33d6568d0343e939c8e115755b5518db3d3ef10963abd8d74b276c14864a3a9352d50acc096a074a7377da3e69479215d3dd9d0f5e5397f6d057da6dc58be
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
709B
MD5b848a200b3f2039cda21f5977ce950fd
SHA11fde12eb7b8b45ad64051a7c2780e048a326dbf7
SHA256ef64e313a1dbb1ca8d254a08efc238bc2730f4af7248935d520feda52bd8156c
SHA5127768b88fb12124172aa4e37b59a8e3ce63be60726f96dd840fc7369228bf54a3d285e2f212a7737744dd12f6f3b53da05adffd509333d4a669453074230d40df
-
Filesize
5.9MB
MD53afc364c023a8a075f4d508bf5f05eba
SHA1da4c48ae3e5f410845fabfcdf2f45cc37d781d7b
SHA256c6ea02a8aa66566e2c705802fd1077e04de9ef9b10e1b60fcbf0ee1d07dd59db
SHA512938da9de9e8708053c63464f4ddad79dc108b0b893beb6ed7bba03f90d60be07514e421b398f6798e9b2f9ca164ba4de0ea6a0980354b649da21066138e4e706
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
9.0MB