Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2022 03:50
Behavioral task behavioral1
Sample: 121e3de90abf2278d3dba0701045616a.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: 121e3de90abf2278d3dba0701045616a.exe
Resource: win10v2004-20220812-en
General
Target: 121e3de90abf2278d3dba0701045616a.exe
Size: 1.6MB
MD5: 121e3de90abf2278d3dba0701045616a
SHA1: 5f1b0812c4c62f8e84ac02cede638ea65ef15e34
SHA256: 2b59699aca914b83391346f826e48c6f74f0208de0abdbf53773f82c35e9ff83
SHA512: d0eb995ffcb6bddf4b795880fb98c10eda0f440abdc41aabc46a99c6654b953921788d773168a7c63b1da51b3344979d1d9d9934154c1529ffd8653d23a33487
SSDEEP: 49152:shNgwNHGuumlxR/uTxaMm3BMsP71Lx9N:85lDpjr9
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Process spawned unexpected child process (36 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3184 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1044 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1240 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4952 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5032 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4928 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3664 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1136 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1664 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1412 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3124 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4220 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1456 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1576 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1404 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4660 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2420 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1396 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 204 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4384 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1152 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 432 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2096 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4624 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 392 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3228 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4300 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4296 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3092 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4408 | 4544 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 4544 | schtasks.exe
Processes:
  resource | yara_rule
  behavioral2/memory/956-132-0x0000000000B20000-0x0000000000CBA000-memory.dmp | dcrat
  C:\odt\fontdrvhost.exe | dcrat
  C:\odt\fontdrvhost.exe | dcrat
  behavioral2/memory/4360-161-0x0000000000200000-0x000000000039A000-memory.dmp | dcrat
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4360 | fontdrvhost.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 121e3de90abf2278d3dba0701045616a.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (12 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\RCXDB83.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5c7e5939-c507-4c9d-85fc-13652c32975f.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\RCXCE5C.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\f3b6ecef712a24 | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Program Files\7-Zip\Lang\sppsvc.exe | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Program Files\7-Zip\Lang\0a1fd5f707cd16 | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\RCXCDDE.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\RCXDAF6.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sppsvc.exe | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220925055213.pma | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe | 121e3de90abf2278d3dba0701045616a.exe
- Drops file in Windows directory (16 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\Media\fontdrvhost.exe | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\ee2ad38f3d4382 | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Windows\CSC\RuntimeBroker.exe | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Windows\es-ES\Idle.exe | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\RCXE134.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Windows\es-ES\RCXE59C.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Windows\es-ES\6ccacd8608530f | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Windows\Media\RCXC781.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Windows\Media\fontdrvhost.exe | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Windows\Media\RCXC81E.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\RCXE20F.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\Registry.exe | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Windows\es-ES\RCXE4A1.tmp | 121e3de90abf2278d3dba0701045616a.exe
  File opened for modification | C:\Windows\es-ES\Idle.exe | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Windows\Media\5b884080fd4f94 | 121e3de90abf2278d3dba0701045616a.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\Registry.exe | 121e3de90abf2278d3dba0701045616a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 36 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  4624 | schtasks.exe
  392 | schtasks.exe
  4952 | schtasks.exe
  5032 | schtasks.exe
  4220 | schtasks.exe
  1404 | schtasks.exe
  4928 | schtasks.exe
  2208 | schtasks.exe
  204 | schtasks.exe
  1152 | schtasks.exe
  4300 | schtasks.exe
  4408 | schtasks.exe
  1240 | schtasks.exe
  1412 | schtasks.exe
  1576 | schtasks.exe
  2096 | schtasks.exe
  3124 | schtasks.exe
  4384 | schtasks.exe
  3228 | schtasks.exe
  2420 | schtasks.exe
  1396 | schtasks.exe
  3184 | schtasks.exe
  1108 | schtasks.exe
  2276 | schtasks.exe
  4660 | schtasks.exe
  4296 | schtasks.exe
  3092 | schtasks.exe
  2824 | schtasks.exe
  1136 | schtasks.exe
  1664 | schtasks.exe
  3004 | schtasks.exe
  432 | schtasks.exe
  1044 | schtasks.exe
  3664 | schtasks.exe
  1456 | schtasks.exe
  2988 | schtasks.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (3 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 121e3de90abf2278d3dba0701045616a.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | fontdrvhost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  956 | 121e3de90abf2278d3dba0701045616a.exe
  736 | powershell.exe
  736 | powershell.exe
  3272 | powershell.exe
  3272 | powershell.exe
  3452 | powershell.exe
  3452 | powershell.exe
  3712 | powershell.exe
  3712 | powershell.exe
  2400 | powershell.exe
  2400 | powershell.exe
  3392 | powershell.exe
  3392 | powershell.exe
  3960 | powershell.exe
  3960 | powershell.exe
  4348 | powershell.exe
  4348 | powershell.exe
  3672 | powershell.exe
  3672 | powershell.exe
  4616 | powershell.exe
  4616 | powershell.exe
  1804 | powershell.exe
  1804 | powershell.exe
  1608 | powershell.exe
  1608 | powershell.exe
  2624 | powershell.exe
  2624 | powershell.exe
  2624 | powershell.exe
  736 | powershell.exe
  736 | powershell.exe
  3272 | powershell.exe
  3272 | powershell.exe
  3452 | powershell.exe
  3452 | powershell.exe
  3712 | powershell.exe
  3712 | powershell.exe
  2400 | powershell.exe
  2400 | powershell.exe
  3392 | powershell.exe
  3960 | powershell.exe
  4348 | powershell.exe
  1608 | powershell.exe
  4616 | powershell.exe
  3672 | powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  4360 | fontdrvhost.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  Processes:
  pid | process
  2392 | msedge.exe
  2392 | msedge.exe
  2392 | msedge.exe
  2392 | msedge.exe
  2392 | msedge.exe
  2392 | msedge.exe
  2392 | msedge.exe
  2392 | msedge.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 956 | 121e3de90abf2278d3dba0701045616a.exe
  Token: SeDebugPrivilege | 736 | powershell.exe
  Token: SeDebugPrivilege | 3272 | powershell.exe
  Token: SeDebugPrivilege | 3452 | powershell.exe
  Token: SeDebugPrivilege | 3712 | powershell.exe
  Token: SeDebugPrivilege | 2400 | powershell.exe
  Token: SeDebugPrivilege | 3392 | powershell.exe
  Token: SeDebugPrivilege | 3960 | powershell.exe
  Token: SeDebugPrivilege | 4348 | powershell.exe
  Token: SeDebugPrivilege | 3672 | powershell.exe
  Token: SeDebugPrivilege | 4616 | powershell.exe
  Token: SeDebugPrivilege | 1804 | powershell.exe
  Token: SeDebugPrivilege | 1608 | powershell.exe
  Token: SeDebugPrivilege | 2624 | powershell.exe
  Token: SeDebugPrivilege | 4360 | fontdrvhost.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid | process
  2392 | msedge.exe
  2392 | msedge.exe
  2392 | msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 956 wrote to memory of 736 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 736 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3452 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3452 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3712 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3712 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3272 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3272 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3392 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3392 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 2400 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 2400 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3960 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3960 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 4348 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 4348 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3672 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 3672 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 4616 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 4616 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 2624 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 2624 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 1804 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 1804 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 1608 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 1608 | 956 | 121e3de90abf2278d3dba0701045616a.exe | powershell.exe
  PID 956 wrote to memory of 4360 | 956 | 121e3de90abf2278d3dba0701045616a.exe | fontdrvhost.exe
  PID 956 wrote to memory of 4360 | 956 | 121e3de90abf2278d3dba0701045616a.exe | fontdrvhost.exe
  PID 4360 wrote to memory of 1064 | 4360 | fontdrvhost.exe | WScript.exe
  PID 4360 wrote to memory of 1064 | 4360 | fontdrvhost.exe | WScript.exe
  PID 4360 wrote to memory of 5040 | 4360 | fontdrvhost.exe | WScript.exe
  PID 4360 wrote to memory of 5040 | 4360 | fontdrvhost.exe | WScript.exe
  PID 4360 wrote to memory of 2392 | 4360 | fontdrvhost.exe | msedge.exe
  PID 4360 wrote to memory of 2392 | 4360 | fontdrvhost.exe | msedge.exe
  PID 2392 wrote to memory of 1200 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 1200 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
  PID 2392 wrote to memory of 2196 | 2392 | msedge.exe | msedge.exe
Processes
(process tree; indentation shows parent/child depth, each entry lists the image path, the command line, and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\121e3de90abf2278d3dba0701045616a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\121e3de90abf2278d3dba0701045616a.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\121e3de90abf2278d3dba0701045616a.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\fontdrvhost.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\upfc.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\Registry.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\sppsvc.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\Idle.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\odt\fontdrvhost.exe
      Command line: "C:\odt\fontdrvhost.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0d07b5c-28c8-4b9a-a214-d18a95a203a6.vbs"

        C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f494903-b350-45d5-8080-b760afd2fd9b.vbs"
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13225/
          - Adds Run key to start application
          - Enumerates system info in registry
          - Modifies registry class
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd09f346f8,0x7ffd09f34708,0x7ffd09f34718

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2584 /prefetch:3

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5356 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5184 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
              - Drops file in Program Files directory

                C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7d2b75460,0x7ff7d2b75470,0x7ff7d2b75480

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,10981404700274038315,4310480283124958691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Media\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\odt\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\odt\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads