Overview
overview
10Static
static
101d90d6c35e...9c.exe
windows7-x64
101d90d6c35e...9c.exe
windows10-2004-x64
101dbfa6282e...68.exe
windows7-x64
81dbfa6282e...68.exe
windows10-2004-x64
81dc47906f1...32.exe
windows7-x64
101dc47906f1...32.exe
windows10-2004-x64
31df5615c53...d6.exe
windows7-x64
101df5615c53...d6.exe
windows10-2004-x64
101e02f6a6c6...83.exe
windows7-x64
71e02f6a6c6...83.exe
windows10-2004-x64
71e055435ef...e4.exe
windows7-x64
101e055435ef...e4.exe
windows10-2004-x64
101e320ed242...cb.exe
windows7-x64
101e320ed242...cb.exe
windows10-2004-x64
101ec4b8acdc...65.exe
windows7-x64
11ec4b8acdc...65.exe
windows10-2004-x64
11ecd5f6fdf...82.exe
windows7-x64
101ecd5f6fdf...82.exe
windows10-2004-x64
101f0343adab...d3.exe
windows7-x64
101f0343adab...d3.exe
windows10-2004-x64
101f1f2a5e82...ba.exe
windows7-x64
101f1f2a5e82...ba.exe
windows10-2004-x64
101f2f396008...f5.exe
windows7-x64
101f2f396008...f5.exe
windows10-2004-x64
101f824bf7c7...67.exe
windows7-x64
101f824bf7c7...67.exe
windows10-2004-x64
101fb433aec1...59.exe
windows7-x64
101fb433aec1...59.exe
windows10-2004-x64
101fe86f0bbb...3e.exe
windows7-x64
101fe86f0bbb...3e.exe
windows10-2004-x64
10201b2bf97d...42.exe
windows7-x64
10201b2bf97d...42.exe
windows10-2004-x64
10Analysis
-
max time kernel
59s -
max time network
66s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 20:33
Behavioral task
behavioral1
Sample
1d90d6c35e9237c9b00a3c2b3e7ff1d0cfe709efdf26f5665743ec2533645f9c.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
1d90d6c35e9237c9b00a3c2b3e7ff1d0cfe709efdf26f5665743ec2533645f9c.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral3
Sample
1dbfa6282eedc723ebe57ace23fd6b68.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
1dbfa6282eedc723ebe57ace23fd6b68.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
1dc47906f130f9bcf0c314005fc34842a4c89f93b18acfbc2fcd8ff856ceca32.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
1dc47906f130f9bcf0c314005fc34842a4c89f93b18acfbc2fcd8ff856ceca32.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
1e02f6a6c634da6b94dfe93259fe6c83.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
1e02f6a6c634da6b94dfe93259fe6c83.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral11
Sample
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Resource
win7-20241023-en
Behavioral task
behavioral12
Sample
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
1e320ed242153c25553c2a0c1901ddfa69f0a747cb278608e43043311649b5cb.exe
Resource
win7-20250207-en
Behavioral task
behavioral14
Sample
1e320ed242153c25553c2a0c1901ddfa69f0a747cb278608e43043311649b5cb.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
1ec4b8acdc518e88f254db69a6886065.exe
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
1ec4b8acdc518e88f254db69a6886065.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral19
Sample
1f0343adab1970d928320ce2aa587fd3.exe
Resource
win7-20250207-en
Behavioral task
behavioral20
Sample
1f0343adab1970d928320ce2aa587fd3.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
1f1f2a5e827f18875756710c0bc7c9016d4f1caf2f046c77abf55ec2b1c06eba.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
1f1f2a5e827f18875756710c0bc7c9016d4f1caf2f046c77abf55ec2b1c06eba.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
1f2f39600815db1ee39333ed0b8df3ac2850e3e5aed5277635655b95cdd06ff5.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
1f2f39600815db1ee39333ed0b8df3ac2850e3e5aed5277635655b95cdd06ff5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
1fb433aec18f49dd4aaed65148cb184e0b7051e23b89fdd7475e4258d013dc59.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
1fb433aec18f49dd4aaed65148cb184e0b7051e23b89fdd7475e4258d013dc59.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
1fe86f0bbb009253ce910b58986a7e3e.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
1fe86f0bbb009253ce910b58986a7e3e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
201b2bf97ddea77b00751cc452d4e9075c96d457f044b15577048454430f0742.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
201b2bf97ddea77b00751cc452d4e9075c96d457f044b15577048454430f0742.exe
Resource
win10v2004-20250314-en
General
-
Target
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
-
Size
1.6MB
-
MD5
517861702fe0a89aa5e3af35d9f96661
-
SHA1
50101d8bff153320694baf54bc7b68e585720d4d
-
SHA256
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
-
SHA512
da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
-
SSDEEP
24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4704 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5428 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4180 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2344 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4548 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4596 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4720 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4744 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4732 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4840 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4848 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5092 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4480 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5192 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4792 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4376 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3180 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4924 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5020 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3296 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4872 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4900 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4820 2844 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5060 2844 schtasks.exe 86 -
resource yara_rule behavioral12/memory/1612-1-0x0000000000430000-0x00000000005D2000-memory.dmp dcrat behavioral12/files/0x000700000002429f-26.dat dcrat behavioral12/files/0x00070000000242b2-61.dat dcrat behavioral12/files/0x0008000000024296-83.dat dcrat behavioral12/files/0x000b0000000242b5-130.dat dcrat behavioral12/files/0x00090000000242ab-141.dat dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 5188 powershell.exe 3636 powershell.exe 5932 powershell.exe 5052 powershell.exe 4100 powershell.exe 5608 powershell.exe 2736 powershell.exe 4128 powershell.exe 2696 powershell.exe 1892 powershell.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation TextInputHost.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation TextInputHost.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation TextInputHost.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation TextInputHost.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation TextInputHost.exe -
Executes dropped EXE 5 IoCs
pid Process 5704 TextInputHost.exe 3248 TextInputHost.exe 5952 TextInputHost.exe 1664 TextInputHost.exe 3116 TextInputHost.exe -
Drops file in Program Files directory 25 IoCs
description ioc Process File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX6A64.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\6cb0b6c459d5d3 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files (x86)\Windows Photo Viewer\121e5b5079f7c0 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files\Crashpad\attachments\TextInputHost.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files\Microsoft Office 15\ClientX64\22eafd247d37c3 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files\Crashpad\attachments\RCX6F0D.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\RCX7422.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCX7CE3.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX6A65.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\55b276f4edf653 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files\Crashpad\attachments\22eafd247d37c3 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\RCX7626.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\RCX7627.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCX7D51.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File created C:\Program Files\Crashpad\attachments\TextInputHost.exe 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files\Crashpad\attachments\RCX6F0C.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\RCX7421.tmp 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings TextInputHost.exe Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings TextInputHost.exe Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings TextInputHost.exe Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings TextInputHost.exe Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings TextInputHost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2344 schtasks.exe 4548 schtasks.exe 4520 schtasks.exe 4596 schtasks.exe 4720 schtasks.exe 4744 schtasks.exe 4732 schtasks.exe 4840 schtasks.exe 4704 schtasks.exe 2036 schtasks.exe 5428 schtasks.exe 4180 schtasks.exe 4848 schtasks.exe 5092 schtasks.exe 4480 schtasks.exe 5192 schtasks.exe 4792 schtasks.exe 4376 schtasks.exe 5020 schtasks.exe 4900 schtasks.exe 4820 schtasks.exe 4536 schtasks.exe 3180 schtasks.exe 4924 schtasks.exe 3296 schtasks.exe 4872 schtasks.exe 5060 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid Process 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 3636 powershell.exe 3636 powershell.exe 5052 powershell.exe 5052 powershell.exe 5608 powershell.exe 5608 powershell.exe 4100 powershell.exe 4100 powershell.exe 1892 powershell.exe 1892 powershell.exe 2736 powershell.exe 5188 powershell.exe 2736 powershell.exe 5188 powershell.exe 2696 powershell.exe 2696 powershell.exe 5932 powershell.exe 5932 powershell.exe 4128 powershell.exe 4128 powershell.exe 5052 powershell.exe 2696 powershell.exe 5608 powershell.exe 4128 powershell.exe 5932 powershell.exe 4100 powershell.exe 3636 powershell.exe 2736 powershell.exe 5188 powershell.exe 1892 powershell.exe 5704 TextInputHost.exe 3248 TextInputHost.exe 5952 TextInputHost.exe 1664 TextInputHost.exe 3116 TextInputHost.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe Token: SeDebugPrivilege 3636 powershell.exe Token: SeDebugPrivilege 5052 powershell.exe Token: SeDebugPrivilege 5608 powershell.exe Token: SeDebugPrivilege 4100 powershell.exe Token: SeDebugPrivilege 5932 powershell.exe Token: SeDebugPrivilege 5188 powershell.exe Token: SeDebugPrivilege 1892 powershell.exe Token: SeDebugPrivilege 4128 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeDebugPrivilege 2696 powershell.exe Token: SeDebugPrivilege 5704 TextInputHost.exe Token: SeDebugPrivilege 3248 TextInputHost.exe Token: SeDebugPrivilege 5952 TextInputHost.exe Token: SeDebugPrivilege 1664 TextInputHost.exe Token: SeDebugPrivilege 3116 TextInputHost.exe -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 1612 wrote to memory of 5932 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 118 PID 1612 wrote to memory of 5932 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 118 PID 1612 wrote to memory of 5052 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 119 PID 1612 wrote to memory of 5052 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 119 PID 1612 wrote to memory of 5188 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 120 PID 1612 wrote to memory of 5188 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 120 PID 1612 wrote to memory of 4100 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 121 PID 1612 wrote to memory of 4100 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 121 PID 1612 wrote to memory of 3636 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 122 PID 1612 wrote to memory of 3636 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 122 PID 1612 wrote to memory of 5608 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 123 PID 1612 wrote to memory of 5608 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 123 PID 1612 wrote to memory of 2736 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 124 PID 1612 wrote to memory of 2736 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 124 PID 1612 wrote to memory of 1892 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 125 PID 1612 wrote to memory of 1892 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 125 PID 1612 wrote to memory of 2696 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 126 PID 1612 wrote to memory of 2696 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 126 PID 1612 wrote to memory of 4128 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 127 PID 1612 wrote to memory of 4128 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 127 PID 1612 wrote to memory of 2272 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 138 PID 1612 wrote to memory of 2272 1612 1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe 138 PID 2272 wrote to memory of 4748 2272 cmd.exe 140 PID 2272 wrote to memory of 4748 2272 cmd.exe 140 PID 2272 wrote to memory of 5704 2272 cmd.exe 143 PID 2272 wrote to memory of 5704 2272 cmd.exe 143 PID 5704 wrote to memory of 1988 5704 TextInputHost.exe 144 PID 5704 wrote to memory of 1988 5704 TextInputHost.exe 144 PID 5704 wrote to memory of 5860 5704 TextInputHost.exe 145 PID 5704 wrote to memory of 5860 5704 TextInputHost.exe 145 PID 1988 wrote to memory of 3248 1988 WScript.exe 146 PID 1988 wrote to memory of 3248 1988 WScript.exe 146 PID 3248 wrote to memory of 608 3248 TextInputHost.exe 147 PID 3248 wrote to memory of 608 3248 TextInputHost.exe 147 PID 3248 wrote to memory of 3480 3248 TextInputHost.exe 148 PID 3248 wrote to memory of 3480 3248 TextInputHost.exe 148 PID 608 wrote to memory of 5952 608 WScript.exe 151 PID 608 wrote to memory of 5952 608 WScript.exe 151 PID 5952 wrote to memory of 5404 5952 TextInputHost.exe 152 PID 5952 wrote to memory of 5404 5952 TextInputHost.exe 152 PID 5952 wrote to memory of 5980 5952 TextInputHost.exe 154 PID 5952 wrote to memory of 5980 5952 TextInputHost.exe 154 PID 5404 wrote to memory of 1664 5404 WScript.exe 161 PID 5404 wrote to memory of 1664 5404 WScript.exe 161 PID 1664 wrote to memory of 436 1664 TextInputHost.exe 162 PID 1664 wrote to memory of 436 1664 TextInputHost.exe 162 PID 1664 wrote to memory of 3292 1664 TextInputHost.exe 163 PID 1664 wrote to memory of 3292 1664 TextInputHost.exe 163 PID 436 wrote to memory of 3116 436 WScript.exe 164 PID 436 wrote to memory of 3116 436 WScript.exe 164 PID 3116 wrote to memory of 5248 3116 TextInputHost.exe 165 PID 3116 wrote to memory of 5248 3116 TextInputHost.exe 165 PID 3116 wrote to memory of 5520 3116 TextInputHost.exe 166 PID 3116 wrote to memory of 5520 3116 TextInputHost.exe 166 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DgHlPzdV8W.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:4748
-
-
C:\Program Files\Crashpad\attachments\TextInputHost.exe"C:\Program Files\Crashpad\attachments\TextInputHost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5704 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\318b0323-ce3b-4baf-88c5-6052c8b4c485.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Program Files\Crashpad\attachments\TextInputHost.exe"C:\Program Files\Crashpad\attachments\TextInputHost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45e115ff-c56c-4748-ac83-ff5a9a4a17af.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Program Files\Crashpad\attachments\TextInputHost.exe"C:\Program Files\Crashpad\attachments\TextInputHost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5952 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\625a154e-2df8-4f70-bbf0-b28188669def.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:5404 -
C:\Program Files\Crashpad\attachments\TextInputHost.exe"C:\Program Files\Crashpad\attachments\TextInputHost.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23e29485-28b5-4be0-8b1e-417b9e84b2d4.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Program Files\Crashpad\attachments\TextInputHost.exe"C:\Program Files\Crashpad\attachments\TextInputHost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ce0279b-32cc-4cc4-83b5-6d9d365b453f.vbs"12⤵PID:5248
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d7b5903-a56f-45a4-8548-0f1902a8f478.vbs"12⤵PID:5520
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f39e23bc-cef8-4999-96d7-35c489ee43ea.vbs"10⤵PID:3292
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3cb4d79-ff29-48bc-ac17-a11dea753418.vbs"8⤵PID:5980
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a8d288d-d5ba-4c7b-8a09-d74a1407e281.vbs"6⤵PID:3480
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137b26da-c7f6-4018-bbb5-0bee382c85f9.vbs"4⤵PID:5860
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\d25f591a00514bc9ba8441\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5b8db8148308b7e3e1ffb4480429079e8
SHA169efa880835bd5ebe532123ba620cf6acf920ffa
SHA256491ce252356a152351e12d7bc9d1bbd0e8b7291a7d220668932a0917b9369d62
SHA5127a05ddac45bac389ee747254e66354c808475a42715aff3b1f8c1da8c04b87978cee0c4473144345157fa87d2f79a972b69c235a9a62026057b35a73f6f1c650
-
Filesize
1.6MB
MD5c07ec9e1f27259eb3e6e2ebbb6583311
SHA12eac6564bb33deb799eade538f1a0d14f5c1377c
SHA25681e020f984d5260df2a9fac670311f928cb7ea6361d46ae5f1463d4d588bb5a7
SHA5121d621361aae9a673fad8eed5ead76ac9d41e1c39b2d2d21e54f2fcb13d015ab05f15debad3fd994691f88f972299ac441bd81fb46a6153e96d8e3d7527fd30c9
-
Filesize
1.6MB
MD5517861702fe0a89aa5e3af35d9f96661
SHA150101d8bff153320694baf54bc7b68e585720d4d
SHA2561e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
SHA512da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
-
Filesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD58d1deade86a558baa0001eab3f74b16b
SHA13fa436638817cf90a5ddc691d6958b32c6e1f037
SHA256a6f2f05965718bc072ca71644afcbed776fdbd3db33e6c460a501177fa5e21e6
SHA5121d2eac199777a1fa0f4a39c28df940536883bd60c2d96c5902b9da7a55fe709ed81c6a8d82524ccbf3460feef9bfe1f9b240de11ec994c9f4c5c26a0dbc5e6c9
-
Filesize
944B
MD5e10ceaefa38a8a0c7cf27b2938747eae
SHA118dd07de4b7d6f6d0fb7e1feebd78f0a93f6c89e
SHA256d2f2ece67e3314a38df3789214221bbdd06f9f577470b543f6d094b621fba43b
SHA51284c811e7d313674fff4c24945d275f2aa88380955679bd3a60c7dbde83a370143f3b1b8a677a8b543a571c9069a9262a3f414ff5aff74a283adb81e6321138ed
-
Filesize
944B
MD519c1c95807d53fcb88e1e2289e645f0b
SHA1832c029a7433b229e66296b6f8a4ba56b0246298
SHA25673f393ffbdb24758131fa51669790c37ed233802f1ed85f7bdfd058e0b5fb83f
SHA512f528e937baf51c0b85aa25277bd8d12a10e5f8a78187b32eaaacd0dfceba6f3bf90cf21945e299f52fe1110e48ebabe1a8df868e94a72d8899e7f4f49848aa71
-
Filesize
944B
MD574dd0049bd5d21e75ac1c3b0c10097d0
SHA1e794714d21e43a59d8b5e716e16a4e7487175f33
SHA2561004fd2c6c615b7ff3142a351e240962e6998014e06e09a1c5e14cf1884b9f7c
SHA512a62cb83fe8500bfb1c72651ca7153eb4237b3fb7f17a2e52aec41b85f2dfbd85bd290c36349c1df40dcab8814df8bd751a02181faa4e03fa4e2ccf9271e46f1d
-
Filesize
507B
MD5b2eea89beb8d73bbabcae6d83726ffdd
SHA194cf1d609f57206b12f18e82b7ec53564d266d67
SHA256f4c863415d021f234fc0f3043b1f87ef75823206586361d06b40a2ac0a11350b
SHA512e034e0e575f2022a3c15bb4140cceaf76a32f9429fd8e17bc4492f9878b01c5dcc65aa4e3193ab1ef6d7b56e2e07e12c62e9b2e1218ebb7e72575060eb44dab6
-
Filesize
731B
MD59a90619cec99e8c78871154b6b496885
SHA1d901c7dc7a1b3a7c9cc613a667f5b527af2d8954
SHA25607fe7cda4f08ca50dead2123a74d5e331a2ad10b2442a805d908313cb6612f24
SHA512aed0966b4aa45a88df3628b3cce17aa261491c5145e8bf5c4df8f608a6fb61493bc381a1234ec2f791fdf3f5c0050ed6de605d5c9ac8f5464c58fd6085d4dd8b
-
Filesize
731B
MD5aa408e29a7e6113cd39fe5bf2086bfad
SHA1b9dd61d5a4830edb8e0996c4ed27473fe69d00e1
SHA256ae4f251a47e72c2bd4da40934183425a20037a3a494d694d7ff3c3d9cbb1474c
SHA512605605ada0b88f593d0f427a0c754f27859a5bb71f52c842c621c0070e33fe4c376c4c5f2faaa81161f020f72cc21373b9c77616d69fc0514b69184a7077a295
-
Filesize
731B
MD50d5a780ddaa9f916874060da57eddce7
SHA1f46c098dda56e16bdd6ac49285f4da5791c7cb0e
SHA2562f6e156b63e071565e0e3f1a058a0936e0ca20644e4a8ee6d79aa59922d103fb
SHA512286e8b7ad0a23c504bce8d1e099122aba36028e8de39e7b5d596f3a15632804f14ff51d0c3c7a03bb0d6e59bdae6fa372fa61cad60aebd9fed52c7481ec593cc
-
Filesize
731B
MD5164ccd4be79ce615e5eccf28d3970c00
SHA13ab876aa6bf3d4cabc5d23bca3b42c6f2d7a02d3
SHA256874d38bc086170e27e7369e669db609e7c9f39f654406e15a97e29a160cb27b1
SHA512b2dc51289873da7fb3d8b99f68ca1d7e8eb627f14b8c5d81c702430c91ea19b9f7b127024745cfcebf0270db1d005504867bb39ed306cad55304ebf3a7f1f730
-
Filesize
731B
MD57150d881fb1230540349fd7037a20cf8
SHA13e9ab3e9352f99b6da4c5a3b1fe9405285d0372e
SHA256638721f6bde24b8466d26771e202e06d1bab02ca30c1b5aadc995e04257a1bc7
SHA5120250d5bd7fa40e94251050a2de4f43442950e3310c9ac045053daea2d29fb000612b6e1360a4d95f61de8328757377ee32c5539712e8bfe4dc7db8f4e76550fb
-
Filesize
220B
MD5516e0379d552c14cff58136b1869ff9c
SHA1ded85201731885a80142baddcf6afd442b656bd0
SHA256f4816f5be257965f12f9ffaaca027d2c1691d88d3073e4236d8166bf17d27a9c
SHA512284ac29ad7b6be726a6c3adc462308fc05eca525754dc5e7981cbd9f8842c8e810eb2b721d0634dad42d9b4dfc8d8f7b98f305ec22b0f327b3dcdb4c9fd0c36e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.6MB
MD5dce6e93462ca0a252bc12eeb2acaeaf7
SHA124c8bf2e101cdff0b55befeae1ff2bc9405fab73
SHA2561551e044ea57412774ba942046d69aa1339c578481e81f61e1a6b06c668fd163
SHA5126e76ead1993169df6c0ea65e8071559ec14e509c530170481e96f35019c8dae3b6d12e2041003508702fc4e44d4b345c233d35cc7a98085816e6f110f4ff7232
-
Filesize
1.6MB
MD57fbf8edad5e2e1fafc2390e4e4ce0a52
SHA1cfa445b715fcd89d287b6f5f0b7ca0e48a52fe66
SHA25691fbfc3b231ea4f6e7fb7d61e95b343dc3006b9c0bc0bfb108cd07d2eab597e7
SHA5123d3877b74ada7513b78220caa81dd47f0bb50ad934a9da420b6fc02c242f2d4f0140a1b04705db7baf71e50d54de78e22f80abfb51a6138528ee008930a5f62a