Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/11/2022, 11:42

Behavioral task: behavioral1
Sample: 26349dc06d51f089cd42c5a28c946abaa7bf24537ad6dab87d78aba0ca60fbe1.exe
Resource: win10-20220812-en

General

Target: 26349dc06d51f089cd42c5a28c946abaa7bf24537ad6dab87d78aba0ca60fbe1.exe
Size: 1.3MB
MD5: 2af0634106773de6f37b00d610e08bfa
SHA1: dc954e4759f7f342dabda5a598c6e81b44637c7d
SHA256: 26349dc06d51f089cd42c5a28c946abaa7bf24537ad6dab87d78aba0ca60fbe1
SHA512: 9306e893f49350420c513a428799eb6a5809ab3e99b6cebbe63126b104572a85048a9c4111414832a018b770794bdddd243a63d2577bd8f3a1fc191446598501
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins. The YARA rule below matches the dropped DllCommonsvc.exe both on disk and in the memory of PID 4272, so that file is the RAT itself, not just a loader.
-
Process spawned unexpected child process 27 IoCs
This signature fires when a parent that normally has no children spawns one; the sandbox's generic explanation is that the parent was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe (PID 4896) and every child is schtasks.exe registering one of the dropped payloads (see the schtasks command lines at the end of the process tree). That is what process creation through WMI (Win32_Process.Create) looks like from the outside: the WMI provider host, not the caller, shows up as the parent. Treat it as a tradecraft indicator (T1047), not as evidence that WmiPrvSE was exploited.

All 27 rows share the same description and target: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid_target 4896, procid_target 70).

Child process: schtasks.exe
Child PIDs: 4544, 4572, 4328, 4616, 2892, 3660, 5040, 5020, 4940, 2772, 3028, 4300, 2020, 3644, 4536, 2776, 4488, 4500, 4512, 4440, 4412, 756, 4672, 3908, 3912, 2872, 1048

PIDs 4328 and 2776 also appear in the process tree as cmd.exe instances: the sandbox reused those PIDs once the short-lived schtasks.exe processes had exited. When correlating this report with endpoint telemetry, key on process GUID or (PID, creation time), never on PID alone.

YARA matches (rule dcrat):
behavioral1/files/0x000800000001abe9-279.dat
behavioral1/files/0x000800000001abe9-280.dat
behavioral1/memory/4272-281-0x00000000007D0000-0x00000000008E0000-memory.dmp
behavioral1/files/0x000600000001ac11-313.dat
behavioral1/files/0x000600000001ac11-312.dat
behavioral1/files/0x000600000001ac11-645.dat
behavioral1/files/0x000600000001ac11-652.dat
behavioral1/files/0x000600000001ac11-658.dat
behavioral1/files/0x000600000001ac11-663.dat
Executes dropped EXE 6 IoCs
pid   Process
4272  DllCommonsvc.exe
2392  fontdrvhost.exe
3524  fontdrvhost.exe
1740  fontdrvhost.exe
2284  fontdrvhost.exe
4216  fontdrvhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 6 IoCs
description   ioc                                                                              Process
File created  C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe                   DllCommonsvc.exe
File created  C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94                    DllCommonsvc.exe
File created  C:\Program Files\Windows Photo Viewer\fr-FR\spoolsv.exe                          DllCommonsvc.exe
File created  C:\Program Files\Windows Photo Viewer\fr-FR\f3b6ecef712a24                       DllCommonsvc.exe
File created  C:\Program Files\Windows Defender Advanced Threat Protection\cmd.exe             DllCommonsvc.exe
File created  C:\Program Files\Windows Defender Advanced Threat Protection\ebf1f9fa8afd6d      DllCommonsvc.exe

Drops file in Windows directory 2 IoCs
description   ioc                                               Process
File created  C:\Windows\ShellExperiences\OfficeClickToRun.exe  DllCommonsvc.exe
File created  C:\Windows\ShellExperiences\e6c9b481da804f        DllCommonsvc.exe

Each copy of the payload is written next to a small companion file with a 14-hex-character name. The executable names (fontdrvhost.exe, spoolsv.exe, cmd.exe, OfficeClickToRun.exe, and csrss.exe / Idle.exe in the user-profile paths seen elsewhere in this report) borrow Windows and Office binary names but sit in directories where those binaries never live, which is the masquerading pattern (T1036.005) to hunt for: a well-known file name outside C:\Windows\System32 or its real install directory.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text adds "likely ransomware behaviour", but nothing else in this report supports that reading for a DcRat sample; take the hit as drive enumeration only.
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 2020, 2776, 2892, 3028, 4500, 5040, 1048, 4544, 3912, 2772, 4300, 3644, 4440, 4940, 4536, 4488, 4412, 4672, 3660, 5020, 4512, 756, 3908, 4328, 4616, 2872, 4572
Modifies registry class 5 IoCs
description  ioc                                                                                     Process
Key created  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings  fontdrvhost.exe
Key created  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings  fontdrvhost.exe
Key created  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings  fontdrvhost.exe
Key created  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings  fontdrvhost.exe
Key created  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings  26349dc06d51f089cd42c5a28c946abaa7bf24537ad6dab87d78aba0ca60fbe1.exe
Suspicious behavior: EnumeratesProcesses 50 IoCs
Grouped by process (hit count in parentheses):
4272 DllCommonsvc.exe (7)
powershell.exe: 612 (3), 1256 (3), 1380 (4), 908 (4), 508 (4), 1732 (4), 220 (4), 312 (4), 2252 (4), 2212 (4)
fontdrvhost.exe: 2392 (1), 3524 (1), 1740 (1), 2284 (1), 4216 (1)
Suspicious use of AdjustPrivilegeToken 64 IoCs
The list stops at 64 entries part-way through PID 1380's privilege set, so it is truncated; the entries that are shown group as follows.

SeDebugPrivilege enabled by: 4272 DllCommonsvc.exe; powershell.exe PIDs 612, 1256, 1380, 908, 508, 1732, 220, 312, 2252, 2212; 2392 fontdrvhost.exe

Full privilege set enabled by powershell.exe PIDs 1256 and 612 (21 entries each):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

powershell.exe PID 1380 (cut off after 10 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege

The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. Enabling the whole set in one call only turns on privileges the token already holds (an administrative token here, given the writes into Program Files and C:\Windows); it is not by itself a privilege escalation.
Suspicious use of WriteProcessMemory 54 IoCs
Every target below is a process the writer had just created (compare the process tree). That is the memory write a parent performs while starting a child, which the sandbox records as WriteProcessMemory; no writer touches a process outside its own subtree, so this signature is not evidence of cross-process injection here. Target process names are taken from the process tree; the original rows give only the target PID.

writer pid  Process                                                                -> target pid  Process           procid_target  hits
2748        26349dc06d51f089cd42c5a28c946abaa7bf24537ad6dab87d78aba0ca60fbe1.exe  -> 4848        WScript.exe       66             3
4848        WScript.exe        -> 3872  cmd.exe           67   3
3872        cmd.exe            -> 4272  DllCommonsvc.exe  69   2
4272        DllCommonsvc.exe   -> 612   powershell.exe    98   2
4272        DllCommonsvc.exe   -> 1380  powershell.exe    99   2
4272        DllCommonsvc.exe   -> 1256  powershell.exe    104  2
4272        DllCommonsvc.exe   -> 908   powershell.exe    100  2
4272        DllCommonsvc.exe   -> 1732  powershell.exe    101  2
4272        DllCommonsvc.exe   -> 508   powershell.exe    106  2
4272        DllCommonsvc.exe   -> 312   powershell.exe    107  2
4272        DllCommonsvc.exe   -> 220   powershell.exe    112  2
4272        DllCommonsvc.exe   -> 2252  powershell.exe    110  2
4272        DllCommonsvc.exe   -> 2212  powershell.exe    114  2
4272        DllCommonsvc.exe   -> 2392  fontdrvhost.exe   118  2
2392        fontdrvhost.exe    -> 4656  cmd.exe           119  2
4656        cmd.exe            -> 4296  w32tm.exe         122  2
4656        cmd.exe            -> 3524  fontdrvhost.exe   123  2
3524        fontdrvhost.exe    -> 4328  cmd.exe           124  2
4328        cmd.exe            -> 2140  w32tm.exe         126  2
4328        cmd.exe            -> 1740  fontdrvhost.exe   127  2
1740        fontdrvhost.exe    -> 2776  cmd.exe           128  2
2776        cmd.exe            -> 4752  w32tm.exe         130  2
2776        cmd.exe            -> 2284  fontdrvhost.exe   131  2
2284        fontdrvhost.exe    -> 4780  cmd.exe           132  2
4780        cmd.exe            -> 1920  w32tm.exe         134  2
4780        cmd.exe            -> 4216  fontdrvhost.exe   135  2
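The way to tell these WriteProcessMemory hits apart from real injection is to check each write against the process tree: a write into a process the writer itself just created is start-up noise, a write anywhere else is worth a look. The following is an added example, not part of the sandbox report or of any vendor tool. Its two data sets are copied from this report (the parent/child edges of the process tree and the writer/target pairs of this signature); the WmiPrvSE pair added at the end of the demo is a constructed counter-example, not something the report shows.

```python
"""Tell CreateProcess-induced memory writes apart from cross-process injection.

Added example; it is not part of the sandbox report or of any vendor tool. The
two data sets are copied from the report: the parent->child edges of the process
tree and the (writer, target) pairs behind "Suspicious use of WriteProcessMemory".
Rule: a write into a process the writer itself just created is the image/PEB
setup that CreateProcess performs; a write into any other process is a candidate
injection and deserves a look.
"""
from collections import Counter

# (parent_pid, child_pid) edges from the report's process tree.
CREATION_EDGES = [
    (2748, 4848), (4848, 3872), (3872, 4272),
    (4272, 612), (4272, 1380), (4272, 1256), (4272, 908), (4272, 1732),
    (4272, 508), (4272, 312), (4272, 220), (4272, 2252), (4272, 2212),
    (4272, 2392), (2392, 4656), (4656, 4296), (4656, 3524), (3524, 4328),
    (4328, 2140), (4328, 1740), (1740, 2776), (2776, 4752), (2776, 2284),
    (2284, 4780), (4780, 1920), (4780, 4216),
]

# (writer_pid, target_pid) pairs from the WriteProcessMemory signature. The
# sandbox logged most pairs two or three times; the repeats are kept so the
# total matches the report's 54 IoCs.
MEMORY_WRITES = (
    [(2748, 4848)] * 3 + [(4848, 3872)] * 3 + [(3872, 4272)] * 2
    + [(4272, c) for c in (612, 1380, 1256, 908, 1732, 508, 312, 220, 2252, 2212, 2392)] * 2
    + [(2392, 4656), (4656, 4296), (4656, 3524), (3524, 4328), (4328, 2140),
       (4328, 1740), (1740, 2776), (2776, 4752), (2776, 2284), (2284, 4780),
       (4780, 1920), (4780, 4216)] * 2
)


def classify_writes(edges, writes):
    """Split (writer, target) pairs into two Counters.

    benign:     target is a direct child of the writer (process start-up).
    suspicious: target is not the writer's child -> possible injection.
    """
    children = {}
    for parent, child in edges:
        children.setdefault(parent, set()).add(child)
    benign, suspicious = Counter(), Counter()
    for writer, target in writes:
        bucket = benign if target in children.get(writer, ()) else suspicious
        bucket[(writer, target)] += 1
    return benign, suspicious


def summarize(edges, writes):
    """Return (number of benign writes, sorted list of suspicious pairs)."""
    benign, suspicious = classify_writes(edges, writes)
    return sum(benign.values()), sorted(suspicious)


if __name__ == "__main__":
    total, bad = summarize(CREATION_EDGES, MEMORY_WRITES)
    print(f"{total} writes into own children, {len(bad)} suspicious pairs: {bad}")
    # Constructed counter-example (not in the report): the payload writing into
    # WmiPrvSE.exe (PID 4896), which it never created, would be flagged.
    total, bad = summarize(CREATION_EDGES, MEMORY_WRITES + [(4272, 4896)])
    print(f"with injected pair: {len(bad)} suspicious pairs: {bad}")
```

On real telemetry the edges come from process-creation events (Sysmon Event ID 1, Security 4688) and the writes from an EDR's cross-process access events; the check is the same, with the addition that a target created more than a few hundred milliseconds before the write is no longer start-up noise.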
Processes

Execution chain, read top-down: the submitted EXE is a 32-bit process (its System32 paths are redirected to SysWOW64), and it runs an encoded VBScript (.vbe) with WScript.exe, which runs a batch file, which starts the DcRat payload DllCommonsvc.exe. The payload adds ten Windows Defender path exclusions (one for itself and one for each of its nine install locations), registers 27 scheduled tasks through WMI (listed after the tree, because their parent WmiPrvSE.exe is not part of the sample's own tree), and starts its installed copy C:\Recovery\WindowsRE\fontdrvhost.exe. Each fontdrvhost.exe instance then runs a randomly named .bat that calls w32tm /stripchart against localhost, a common stand-in for a few seconds of sleep in batch files, before relaunching fontdrvhost.exe; the sandbox captured four such relaunches within the 150 s run.

C:\Users\Admin\AppData\Local\Temp\26349dc06d51f089cd42c5a28c946abaa7bf24537ad6dab87d78aba0ca60fbe1.exe  [PID 2748]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\26349dc06d51f089cd42c5a28c946abaa7bf24537ad6dab87d78aba0ca60fbe1.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe  [PID 4848]
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [PID 3872]
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
      - Suspicious use of WriteProcessMemory

      C:\providercommon\DllCommonsvc.exe  [PID 4272]
        cmdline: "C:\providercommon\DllCommonsvc.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Ten children C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, each tagged "Suspicious behavior: EnumeratesProcesses" and "Suspicious use of AdjustPrivilegeToken":
        [PID 612]   "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        [PID 1380]  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
        [PID 908]   "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'
        [PID 1732]  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
        [PID 1256]  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\cmd.exe'
        [PID 508]   "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\spoolsv.exe'
        [PID 312]   "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\OfficeClickToRun.exe'
        [PID 2252]  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        [PID 220]   "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\cmd.exe'
        [PID 2212]  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\fontdrvhost.exe'

        The nine non-payload exclusion paths are exactly the nine targets of the scheduled tasks below. On an investigated host, compare Get-MpPreference's ExclusionPath list (or HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths) against the task actions; an exclusion whose path matches a task target is a strong signal on its own.

        C:\Recovery\WindowsRE\fontdrvhost.exe  [PID 2392]
          cmdline: "C:\Recovery\WindowsRE\fontdrvhost.exe"
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\cmd.exe  [PID 4656]
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\w32tm.exe  [PID 4296]
              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

            C:\Recovery\WindowsRE\fontdrvhost.exe  [PID 3524]
              cmdline: "C:\Recovery\WindowsRE\fontdrvhost.exe"
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory

              C:\Windows\System32\cmd.exe  [PID 4328]
                cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
                - Suspicious use of WriteProcessMemory

                C:\Windows\system32\w32tm.exe  [PID 2140]
                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

                C:\Recovery\WindowsRE\fontdrvhost.exe  [PID 1740]
                  cmdline: "C:\Recovery\WindowsRE\fontdrvhost.exe"
                  - Executes dropped EXE
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of WriteProcessMemory

                  C:\Windows\System32\cmd.exe  [PID 2776]
                    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
                    - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\w32tm.exe  [PID 4752]
                      cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

                    C:\Recovery\WindowsRE\fontdrvhost.exe  [PID 2284]
                      cmdline: "C:\Recovery\WindowsRE\fontdrvhost.exe"
                      - Executes dropped EXE
                      - Modifies registry class
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of WriteProcessMemory

                      C:\Windows\System32\cmd.exe  [PID 4780]
                        cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
                        - Suspicious use of WriteProcessMemory

                        C:\Windows\system32\w32tm.exe  [PID 1920]
                          cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

                        C:\Recovery\WindowsRE\fontdrvhost.exe  [PID 4216]
                          cmdline: "C:\Recovery\WindowsRE\fontdrvhost.exe"
                          - Executes dropped EXE
                          - Suspicious behavior: EnumeratesProcesses
Scheduled tasks registered through WmiPrvSE.exe (27 schtasks.exe processes, each tagged "Process spawned unexpected child process" and "Creates scheduled task(s)"; the sandbox shows them at the root because their parent, WmiPrvSE.exe PID 4896, is outside the sample's tree). Every command has the form

schtasks.exe /create /tn "<name>" /sc <MINUTE /mo N | ONLOGON> /tr "'<target>'" [/rl HIGHEST] /f

and each of the nine install paths gets three tasks: a repeating task every N minutes without a run level, an ONLOGON task with /rl HIGHEST, and a second repeating task with /rl HIGHEST. The first and third task share a /tn, and /f overwrites an existing task of that name, so at most two tasks per name survive. Names also collide across paths (cmdc/cmd for both cmd.exe targets, fontdrvhostf/fontdrvhost for all three fontdrvhost.exe targets), leaving at most 12 distinct task names; which target each surviving task points at depends on registration order, which this listing does not guarantee. When cleaning up, enumerate tasks by name and inspect their actions rather than assuming all 27 exist.

PID   /tn                /sc      /mo  /rl      /tr (target)
4544  IdleI              MINUTE   13   -        C:\Users\Default User\Idle.exe
4572  Idle               ONLOGON  -    HIGHEST  C:\Users\Default User\Idle.exe
4328  IdleI              MINUTE   14   HIGHEST  C:\Users\Default User\Idle.exe
4616  cmdc               MINUTE   8    -        C:\Users\Default\Desktop\cmd.exe
2892  cmd                ONLOGON  -    HIGHEST  C:\Users\Default\Desktop\cmd.exe
3660  cmdc               MINUTE   7    HIGHEST  C:\Users\Default\Desktop\cmd.exe
5040  fontdrvhostf       MINUTE   9    -        C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
5020  fontdrvhost        ONLOGON  -    HIGHEST  C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
4940  fontdrvhostf       MINUTE   7    HIGHEST  C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
2772  csrssc             MINUTE   8    -        C:\Users\All Users\csrss.exe
3028  csrss              ONLOGON  -    HIGHEST  C:\Users\All Users\csrss.exe
4300  csrssc             MINUTE   11   HIGHEST  C:\Users\All Users\csrss.exe
2020  spoolsvs           MINUTE   10   -        C:\Program Files\Windows Photo Viewer\fr-FR\spoolsv.exe
3644  spoolsv            ONLOGON  -    HIGHEST  C:\Program Files\Windows Photo Viewer\fr-FR\spoolsv.exe
4536  spoolsvs           MINUTE   5    HIGHEST  C:\Program Files\Windows Photo Viewer\fr-FR\spoolsv.exe
2776  OfficeClickToRunO  MINUTE   13   -        C:\Windows\ShellExperiences\OfficeClickToRun.exe
4488  OfficeClickToRun   ONLOGON  -    HIGHEST  C:\Windows\ShellExperiences\OfficeClickToRun.exe
4500  OfficeClickToRunO  MINUTE   11   HIGHEST  C:\Windows\ShellExperiences\OfficeClickToRun.exe
4512  cmdc               MINUTE   14   -        C:\Program Files\Windows Defender Advanced Threat Protection\cmd.exe
4440  cmd                ONLOGON  -    HIGHEST  C:\Program Files\Windows Defender Advanced Threat Protection\cmd.exe
4412  cmdc               MINUTE   10   HIGHEST  C:\Program Files\Windows Defender Advanced Threat Protection\cmd.exe
756   fontdrvhostf       MINUTE   9    -        C:\Recovery\WindowsRE\fontdrvhost.exe
4672  fontdrvhost        ONLOGON  -    HIGHEST  C:\Recovery\WindowsRE\fontdrvhost.exe
3908  fontdrvhostf       MINUTE   13   HIGHEST  C:\Recovery\WindowsRE\fontdrvhost.exe
3912  fontdrvhostf       MINUTE   5    -        C:\Users\Public\Documents\fontdrvhost.exe
2872  fontdrvhost        ONLOGON  -    HIGHEST  C:\Users\Public\Documents\fontdrvhost.exe
1048  fontdrvhostf       MINUTE   14   HIGHEST  C:\Users\Public\Documents\fontdrvhost.exe
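The three behaviours in this report that matter for detection (schtasks.exe parented by WmiPrvSE.exe, task actions that run a system-binary name from the wrong directory, and Defender exclusions that cover the very same paths) translate directly into rules over process-creation events. The following is an added example, not part of the sandbox report or of any vendor tool: it runs those checks over records built from a few of the report's own command lines plus one constructed benign control, using an assumed allow-list of the directories where the impersonated binaries really live.

```python
"""Triage rules for process-creation events from a DcRat-style infection.

Added example, not part of the sandbox report or of any vendor tool. Three checks
over records shaped like Sysmon Event ID 1 / Security 4688: (1) schtasks/powershell/
cmd whose parent is WmiPrvSE.exe, the shape of Win32_Process.Create; (2) task actions
that run a Windows/Office binary name from the wrong directory, and tasks pairing
/sc ONLOGON with /rl HIGHEST; (3) Add-MpPreference -ExclusionPath paths, cross-checked
against task targets. SAMPLE_EVENTS rebuilds a few of the report's command lines plus
one constructed benign control; EXPECTED_DIR is an assumed allow-list.
"""
import re
from pathlib import PureWindowsPath

EXPECTED_DIR = {  # lower-case file name -> directories where the real binary lives
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}
_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|\S+''')  # a quoted span or a bare word

def tokenize(cmdline):
    """Split a Windows command line; peel one layer of " and one of ' per token."""
    return [t.strip('"').strip("'") for t in _TOKEN.findall(cmdline)]

def parse_schtasks(cmdline):
    """Return {tn, sc, mo, tr, rl, ru} for a 'schtasks /create' line, else None."""
    toks = tokenize(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("schtasks.exe", "schtasks"):
        return None
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    return {t[1:]: toks[i + 1] for i, t in enumerate(low)
            if t in ("/tn", "/sc", "/mo", "/tr", "/rl", "/ru") and i + 1 < len(toks)}

def masquerade(path):
    """True when the file name is a known system binary living outside its real directory."""
    p = PureWindowsPath(path)
    allowed = EXPECTED_DIR.get(p.name.lower())
    return allowed is not None and str(p.parent).lower() not in allowed

def defender_exclusion(cmdline):
    """Return the path passed to Add-MpPreference -ExclusionPath, or None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if "add-mppreference" in low and "-exclusionpath" in low:
        i = low.index("-exclusionpath")
        return toks[i + 1] if i + 1 < len(toks) else None
    return None

def triage(events):
    """Apply the three checks; return a list of (pid, rule, detail) findings."""
    findings, task_targets, exclusions = [], {}, {}
    for ev in events:
        parent = PureWindowsPath(ev["parent_image"]).name.lower()
        child = PureWindowsPath(ev["image"]).name.lower()
        if parent == "wmiprvse.exe" and child in ("schtasks.exe", "powershell.exe", "cmd.exe"):
            findings.append((ev["pid"], "wmi_spawned_child", child))
        task = parse_schtasks(ev["cmdline"])
        if task and "tr" in task:
            task_targets[task["tr"].lower()] = task.get("tn")
            if masquerade(task["tr"]):
                findings.append((ev["pid"], "task_target_masquerade", task["tr"]))
            if task.get("sc", "").upper() == "ONLOGON" and task.get("rl", "").upper() == "HIGHEST":
                findings.append((ev["pid"], "task_elevated_logon", task.get("tn")))
        path = defender_exclusion(ev["cmdline"])
        if path:
            exclusions[path.lower()] = ev["pid"]
            findings.append((ev["pid"], "defender_exclusion", path))
    for path, pid in exclusions.items():  # an exclusion covering a persistence target
        if path in task_targets:
            findings.append((pid, "exclusion_shields_task_target", path))
    return findings

def _task(tn, sc, tr, mo=None, rl=None):
    """Rebuild the report's schtasks command-line shape for a sample event."""
    mid = (" /mo %s" % mo if mo else "") + ' /tr "\'%s\'"' % tr + (" /rl %s" % rl if rl else "")
    return 'schtasks.exe /create /tn "%s" /sc %s%s /f' % (tn, sc, mid)

WMI, PAYLOAD = r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\providercommon\DllCommonsvc.exe"
SCHTASKS, PS = r"C:\Windows\system32\schtasks.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
IDLE, RE_FONT = r"C:\Users\Default User\Idle.exe", r"C:\Recovery\WindowsRE\fontdrvhost.exe"
ATP_CMD = r"C:\Program Files\Windows Defender Advanced Threat Protection\cmd.exe"
PS_EXCL = '"powershell" -Command Add-MpPreference -ExclusionPath \'%s\''  # the report's shape
SAMPLE_EVENTS = [
    dict(pid=4544, parent_image=WMI, image=SCHTASKS, cmdline=_task("IdleI", "MINUTE", IDLE, mo=13)),
    dict(pid=4572, parent_image=WMI, image=SCHTASKS, cmdline=_task("Idle", "ONLOGON", IDLE, rl="HIGHEST")),
    dict(pid=4440, parent_image=WMI, image=SCHTASKS, cmdline=_task("cmd", "ONLOGON", ATP_CMD, rl="HIGHEST")),
    dict(pid=3908, parent_image=WMI, image=SCHTASKS, cmdline=_task("fontdrvhostf", "MINUTE", RE_FONT, mo=13, rl="HIGHEST")),
    dict(pid=1380, parent_image=PAYLOAD, image=PS, cmdline=PS_EXCL % IDLE),
    dict(pid=220, parent_image=PAYLOAD, image=PS, cmdline=PS_EXCL % ATP_CMD),
    dict(pid=2252, parent_image=PAYLOAD, image=PS, cmdline=PS_EXCL % RE_FONT),
    # Constructed benign control, not from the report: an admin registers a daily task.
    dict(pid=9999, parent_image=r"C:\Windows\explorer.exe", image=SCHTASKS,
         cmdline=_task("Backup", "DAILY", r"C:\Windows\System32\cmd.exe")),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<30} {detail}")
```

The cross-check in the last loop is the high-confidence rule: an administrator occasionally adds a Defender exclusion, and software installers occasionally register ONLOGON tasks, but an exclusion whose path is also the action of a scheduled task registered through WMI has no ordinary explanation. The allow-list deliberately stays small; extend EXPECTED_DIR from a clean reference image rather than by hand.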
Network
MITRE ATT&CK Enterprise v6
Downloads

The report lists 24 dropped files by size and hash only. Entries with identical hashes are merged below with their count. The 1.0MB file (8 copies) is smaller than the 1.3MB submitted sample, consistent with the sample being a dropper that carries it; the four distinct 202B files match the four randomly named .bat files in the process tree in number, but the report does not map hashes to paths, so that pairing is an inference.

1.0MB (8 copies)
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

1KB
MD5: d63ff49d7c92016feb39812e4db10419
SHA1: 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256: 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512: 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

1KB
MD5: ffd043f3f8c7694b416c2da348c49036
SHA1: 8583be877e9750e8b383debe482ea6921ddf2306
SHA256: 09c599763f4f352efba709f17cea86f58b332c7a706d45dce498b808b211b5bf
SHA512: e4d4072b6a8fa325c47af315b4968c5be94249d9cab045d7e82a83235e4d0daf810673a16fa74901d36e8242864f167ee743ec8ad27e74987e038e4e49a87ac9

1KB (2 copies)
MD5: 38c2d8365957e871d6fa0fb606c7e0c0
SHA1: e1c532eff731bb88a4d963ee33aba1a18863b06e
SHA256: cebec67a4502d7efce3760fcf587d57ec6a313f7a296a8b22f59c2686423e354
SHA512: 1232667ac3d97f088b9951a24a2d939a5eaa499e2b377f62d210ef2bbc74b1e544dbb2bbaf613cefbbde71ec06bea8de3d8aba2af44f8874d995eb566947e5b3

1KB
MD5: 06fce4987ce1baafafd782fc2730145c
SHA1: 0a31d56cef6ff89cc0e2f4af4658777d33cc2f84
SHA256: abb9f2652e6752f4dff18cc0c919b35a307bff738b91d88685d5968e7efdafee
SHA512: 98a9a9327ba9fe4bfc66c6ea391353a3a26665edcf1d64a89a2f0940e8c34ee92de246f8be0fa7fbd6dcddf215cb621b01d77c253657bc411e6d53a2b059e317

1KB (2 copies)
MD5: 6a0f567719d1150ffaac40b69adb7f29
SHA1: 15b17a74e6f36f9f742672290d68df25afb4b60f
SHA256: 7f08c84acd92ae6c394cdecf44427ff233984becb70bf9bf91efc2861082d1f3
SHA512: e0ac049fd43fa40540e06a9fc638d3cfc179f2124d2ad9a3df5aa0ccb37dcd6c544b1e30c90cbe0f10990b8bd30a1c8b2e173ee540176d3fc410fe5d28d3901e

1KB (2 copies)
MD5: 71241cb63397769f300f6a8045d6b04f
SHA1: e1854560548ddcd6e96ed919a7077a89b632ad6b
SHA256: 4e2a352652262bbe86e17a8edf16e0b903fdd67f3ea4043156b25c45aa434c1d
SHA512: b8322cc252114dbfedb31c1af36566cd91b5c76fa62a65ca68f65aea1ab585629fb68d3381a8120824d6fca2eb56771478e8d7c15bb8e88b0cc54a4a089631b1

202B
MD5: 248df4e36ac98c4351e7788fb4933b2e
SHA1: d747727573f804ee2cc50fd9dd17e1683e60cae1
SHA256: 90e15087212074cb4c9bc7338d1d107369d1cd856168810776d9fa64e662333d
SHA512: 08d404a0d9701838f77d663564b90fab46d7e9080cf94434b50aaa8e5309d8e2f962d2834f2f0c15c6fc3882d66c42892c305675142ffdd2f15e96430c1b1652

202B
MD5: de0841b90d70b5671ccdba8fb665349a
SHA1: ef54275bf15a0ec9a5828d4db15b500cd2154d17
SHA256: 673ab4c42250f27831eea6f554d079feee14befc2618e66da2e571aadc5ffda9
SHA512: 513f3d56ad8a18421f1cab8084489f0d7fb070df675f310e086d22d901d3304b9d16ed5a15001be01d48c6711d50ab124871178acd4b3b5acb8f7081dc27e8e0

202B
MD5: f3dbb5549d3fd5bceef980bc253e1329
SHA1: 96a7c7e70b74acf0395ea111fa84895467db7b58
SHA256: 05cea260f4707b40583cd251d8cf394095277ba38b43f23dd591026dbd30950a
SHA512: 3ae2801fb8c7102a8d5d4ba89c88056011c12eca380394fc4fe32620d5c20f5168a8c807f790953410ffc767b9ca1724317045e440ee94958cdc75ba070a7b94

202B
MD5: ce6746b7e18ed4267c3645f2471e46e7
SHA1: dcc14543fecc5a4a7197e77058bcda45dd382131
SHA256: 4096d8b00da3cea934b5d46404d140a814f81963c5883f9bc6b23a779a71b080
SHA512: 5406bc599e671bd5f7365fbce50c8597376f193be8358d4dc3434155880da604fad8144334164700a79cba5e00791696cba9e1eadf386c808977f1cf8be2cbb2

36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478