Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 31/10/2022, 22:51
Behavioral task: behavioral1
Sample: 25e416eef752ed69d16f90f0f66fe006b211c6b008a94312240bbac9203717b1.exe
Resource: win10-20220812-en
General
Target: 25e416eef752ed69d16f90f0f66fe006b211c6b008a94312240bbac9203717b1.exe
Size: 1.3MB
MD5: dcbec1c5fc91549eb4a7d4db9ae2e585
SHA1: 48e9416a77d79a134fa6e0a83d98dab4dacd43ab
SHA256: 25e416eef752ed69d16f90f0f66fe006b211c6b008a94312240bbac9203717b1
SHA512: 426379745a6eb6f22d4206671008fb3321b4afded327c39871c8c7275a6096de006545168eb88e5d7be0b81e95d8a00e492ec60fcc8cfff420fa691c5c29cda0
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process (24 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 388 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1420 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4448 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3252 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3292 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4240 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 352 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5028 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5068 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5072 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4956 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5092 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3888 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3332 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3288 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3976 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4048 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4668 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4540 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4488 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4660 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4528 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4536 | 3484 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4440 | 3484 | schtasks.exe | 70
resource | yara_rule
behavioral1/files/0x000b00000001ac0b-279.dat | dcrat
behavioral1/files/0x000b00000001ac0b-280.dat | dcrat
behavioral1/memory/4980-281-0x0000000000D10000-0x0000000000E20000-memory.dmp | dcrat
behavioral1/files/0x000600000001ac29-322.dat | dcrat
behavioral1/files/0x000600000001ac29-324.dat | dcrat
Executes dropped EXE (2 IoCs)
pid | Process
4980 | DllCommonsvc.exe
2376 | fontdrvhost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ea9f0e6c9e2dcd | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 24 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (all 24 IoCs); pids: 3976, 4048, 4540, 4660, 4440, 1420, 3292, 5072, 5092, 4668, 4488, 4528, 352, 5028, 4956, 4448, 5068, 3888, 3332, 3288, 4536, 388, 3252, 4240
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | 25e416eef752ed69d16f90f0f66fe006b211c6b008a94312240bbac9203717b1.exe
Suspicious behavior: EnumeratesProcesses (35 IoCs)
pid | Process
4980 | DllCommonsvc.exe
4980 | DllCommonsvc.exe
4980 | DllCommonsvc.exe
4980 | DllCommonsvc.exe
4980 | DllCommonsvc.exe
4980 | DllCommonsvc.exe
4980 | DllCommonsvc.exe
1480 | powershell.exe
656 | powershell.exe
4680 | powershell.exe
584 | powershell.exe
1684 | powershell.exe
1184 | powershell.exe
1480 | powershell.exe
2376 | fontdrvhost.exe
1684 | powershell.exe
4680 | powershell.exe
584 | powershell.exe
1184 | powershell.exe
656 | powershell.exe
384 | powershell.exe
1480 | powershell.exe
4672 | powershell.exe
1416 | powershell.exe
1684 | powershell.exe
656 | powershell.exe
4680 | powershell.exe
584 | powershell.exe
1184 | powershell.exe
384 | powershell.exe
4672 | powershell.exe
1416 | powershell.exe
384 | powershell.exe
4672 | powershell.exe
1416 | powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4980 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1480 | powershell.exe
Token: SeDebugPrivilege | 656 | powershell.exe
Token: SeDebugPrivilege | 4680 | powershell.exe
Token: SeDebugPrivilege | 1684 | powershell.exe
Token: SeDebugPrivilege | 1184 | powershell.exe
Token: SeDebugPrivilege | 584 | powershell.exe
Token: SeDebugPrivilege | 2376 | fontdrvhost.exe
Token: SeDebugPrivilege | 384 | powershell.exe
Token: SeDebugPrivilege | 4672 | powershell.exe
Token: SeDebugPrivilege | 1416 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1684 | powershell.exe
Token: SeSecurityPrivilege | 1684 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1684 | powershell.exe
Token: SeLoadDriverPrivilege | 1684 | powershell.exe
Token: SeSystemProfilePrivilege | 1684 | powershell.exe
Token: SeSystemtimePrivilege | 1684 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1684 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1684 | powershell.exe
Token: SeCreatePagefilePrivilege | 1684 | powershell.exe
Token: SeBackupPrivilege | 1684 | powershell.exe
Token: SeRestorePrivilege | 1684 | powershell.exe
Token: SeShutdownPrivilege | 1684 | powershell.exe
Token: SeDebugPrivilege | 1684 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1684 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1684 | powershell.exe
Token: SeUndockPrivilege | 1684 | powershell.exe
Token: SeManageVolumePrivilege | 1684 | powershell.exe
Token: 33 | 1684 | powershell.exe
Token: 34 | 1684 | powershell.exe
Token: 35 | 1684 | powershell.exe
Token: 36 | 1684 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4680 | powershell.exe
Token: SeSecurityPrivilege | 4680 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4680 | powershell.exe
Token: SeLoadDriverPrivilege | 4680 | powershell.exe
Token: SeSystemProfilePrivilege | 4680 | powershell.exe
Token: SeSystemtimePrivilege | 4680 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4680 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4680 | powershell.exe
Token: SeCreatePagefilePrivilege | 4680 | powershell.exe
Token: SeBackupPrivilege | 4680 | powershell.exe
Token: SeRestorePrivilege | 4680 | powershell.exe
Token: SeShutdownPrivilege | 4680 | powershell.exe
Token: SeDebugPrivilege | 4680 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4680 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4680 | powershell.exe
Token: SeUndockPrivilege | 4680 | powershell.exe
Token: SeManageVolumePrivilege | 4680 | powershell.exe
Token: 33 | 4680 | powershell.exe
Token: 34 | 4680 | powershell.exe
Token: 35 | 4680 | powershell.exe
Token: 36 | 4680 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1480 | powershell.exe
Token: SeSecurityPrivilege | 1480 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1480 | powershell.exe
Token: SeLoadDriverPrivilege | 1480 | powershell.exe
Token: SeSystemProfilePrivilege | 1480 | powershell.exe
Token: SeSystemtimePrivilege | 1480 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1480 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1480 | powershell.exe
Token: SeCreatePagefilePrivilege | 1480 | powershell.exe
Token: SeBackupPrivilege | 1480 | powershell.exe
Token: SeRestorePrivilege | 1480 | powershell.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2704 wrote to memory of 4792 | 2704 | 25e416eef752ed69d16f90f0f66fe006b211c6b008a94312240bbac9203717b1.exe | 66
PID 2704 wrote to memory of 4792 | 2704 | 25e416eef752ed69d16f90f0f66fe006b211c6b008a94312240bbac9203717b1.exe | 66
PID 2704 wrote to memory of 4792 | 2704 | 25e416eef752ed69d16f90f0f66fe006b211c6b008a94312240bbac9203717b1.exe | 66
PID 4792 wrote to memory of 4140 | 4792 | WScript.exe | 67
PID 4792 wrote to memory of 4140 | 4792 | WScript.exe | 67
PID 4792 wrote to memory of 4140 | 4792 | WScript.exe | 67
PID 4140 wrote to memory of 4980 | 4140 | cmd.exe | 69
PID 4140 wrote to memory of 4980 | 4140 | cmd.exe | 69
PID 4980 wrote to memory of 4680 | 4980 | DllCommonsvc.exe | 95
PID 4980 wrote to memory of 4680 | 4980 | DllCommonsvc.exe | 95
PID 4980 wrote to memory of 656 | 4980 | DllCommonsvc.exe | 98
PID 4980 wrote to memory of 656 | 4980 | DllCommonsvc.exe | 98
PID 4980 wrote to memory of 584 | 4980 | DllCommonsvc.exe | 97
PID 4980 wrote to memory of 584 | 4980 | DllCommonsvc.exe | 97
PID 4980 wrote to memory of 1684 | 4980 | DllCommonsvc.exe | 99
PID 4980 wrote to memory of 1684 | 4980 | DllCommonsvc.exe | 99
PID 4980 wrote to memory of 1184 | 4980 | DllCommonsvc.exe | 101
PID 4980 wrote to memory of 1184 | 4980 | DllCommonsvc.exe | 101
PID 4980 wrote to memory of 1480 | 4980 | DllCommonsvc.exe | 103
PID 4980 wrote to memory of 1480 | 4980 | DllCommonsvc.exe | 103
PID 4980 wrote to memory of 384 | 4980 | DllCommonsvc.exe | 105
PID 4980 wrote to memory of 384 | 4980 | DllCommonsvc.exe | 105
PID 4980 wrote to memory of 1416 | 4980 | DllCommonsvc.exe | 106
PID 4980 wrote to memory of 1416 | 4980 | DllCommonsvc.exe | 106
PID 4980 wrote to memory of 4672 | 4980 | DllCommonsvc.exe | 109
PID 4980 wrote to memory of 4672 | 4980 | DllCommonsvc.exe | 109
PID 4980 wrote to memory of 2376 | 4980 | DllCommonsvc.exe | 111
PID 4980 wrote to memory of 2376 | 4980 | DllCommonsvc.exe | 111
Processes
C:\Users\Admin\AppData\Local\Temp\25e416eef752ed69d16f90f0f66fe006b211c6b008a94312240bbac9203717b1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\25e416eef752ed69d16f90f0f66fe006b211c6b008a94312240bbac9203717b1.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2704
  C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 4792
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4140
      C:\providercommon\DllCommonsvc.exe (depth 4)
        Command line: "C:\providercommon\DllCommonsvc.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4980
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4680
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\cmd.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 584
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 656
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1684
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1184
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1480
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 384
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1416
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4672
        C:\Recovery\WindowsRE\fontdrvhost.exe (depth 5)
          Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2376
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SearchUI.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 388
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1420
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4448
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\cmd.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3252
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3292
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4240
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 352
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5028
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5068
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5072
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4956
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5092
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3888
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3332
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3288
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3976
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4048
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4668
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\odt\conhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4540
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4488
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4660
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4528
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4536
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4440
Network
MITRE ATT&CK Enterprise v6
Downloads