Analysis

max time kernel:  149s
max time network: 147s
platform:         windows10-1703_x64
resource:         win10-20220812-en
resource tags:    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted:        01/11/2022, 11:43

Behavioral task: behavioral1
Sample:          b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe
Resource:        win10-20220812-en
General

Target: b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe
Size:   1.3MB
MD5:    7019c18aa25bdcc747be930118855e1f
SHA1:   c639dceec11f5ffff5b45f8e5ecef93dc73dc01e
SHA256: b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24
SHA512: 70aa7ecee4f6b5fd3688b8643b704d93989aedda519caae15d6352cd3abd69dc557e1b264a5e2e6148ef73edd70b6a87c0e72465aaee43b39a65e6597bfcfac2
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
(no configuration extracted in this report)

Signatures

DcRat
DcRat (DarkCrystal RAT) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here the flagged parent is WmiPrvSE.exe, the WMI provider host. That is also what appears as the parent when a process is created through WMI (Win32_Process.Create): the process that actually requested the launch is not visible in parent/child telemetry, which is why detections for this pattern key on WmiPrvSE.exe spawning schtasks.exe (or any other command-line tool) rather than on the requester.

description                                                                        pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3900  4668        schtasks.exe  70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4960  4668        schtasks.exe  70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4344  4668        schtasks.exe  70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4764  4668        schtasks.exe  70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2800  4668        schtasks.exe  70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4484  4668        schtasks.exe  70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4596  4668        schtasks.exe  70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4716  4668        schtasks.exe  70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4984  4668        schtasks.exe  70
YARA matches (resource -> rule)
behavioral1/files/0x000800000001abec-282.dat                                  dcrat
behavioral1/files/0x000800000001abec-283.dat                                  dcrat
behavioral1/memory/3200-284-0x00000000004A0000-0x00000000005B0000-memory.dmp  dcrat   (PID 3200 is DllCommonsvc.exe; this is the unpacked payload in memory)
behavioral1/files/0x000600000001abf5-436.dat                                  dcrat
behavioral1/files/0x000600000001abf5-435.dat                                  dcrat
behavioral1/files/0x000600000001abf5-441.dat                                  dcrat
behavioral1/files/0x000600000001abf5-448.dat                                  dcrat
behavioral1/files/0x000600000001abf5-453.dat                                  dcrat
behavioral1/files/0x000600000001abf5-459.dat                                  dcrat
behavioral1/files/0x000600000001abf5-465.dat                                  dcrat
behavioral1/files/0x000600000001abf5-470.dat                                  dcrat
behavioral1/files/0x000600000001abf5-475.dat                                  dcrat
behavioral1/files/0x000600000001abf5-480.dat                                  dcrat
behavioral1/files/0x000600000001abf5-485.dat                                  dcrat
behavioral1/files/0x000600000001abf5-490.dat                                  dcrat
behavioral1/files/0x000600000001abf5-495.dat                                  dcrat
behavioral1/files/0x000600000001abf5-500.dat                                  dcrat
Executes dropped EXE (14 IoCs)
pid   Process
3200  DllCommonsvc.exe
1456  fontdrvhost.exe
4832  fontdrvhost.exe
3168  fontdrvhost.exe
3788  fontdrvhost.exe
732   fontdrvhost.exe
504   fontdrvhost.exe
3160  fontdrvhost.exe
3552  fontdrvhost.exe
1676  fontdrvhost.exe
1500  fontdrvhost.exe
2816  fontdrvhost.exe
4028  fontdrvhost.exe
1388  fontdrvhost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Drops file in Windows directory (2 IoCs)
description   ioc                                  Process
File created  C:\Windows\security\ebf1f9fa8afd6d   DllCommonsvc.exe
File created  C:\Windows\security\cmd.exe          DllCommonsvc.exe
C:\Windows\security\cmd.exe is not the system shell (that is C:\Windows\System32\cmd.exe); it is a payload copy that borrows the name. The same path is later added to the Defender exclusion list and registered as the scheduled tasks "cmd" and "cmdc". Writing under C:\Windows requires the elevated context the sandbox runs in.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no mass file modification, no ransom note, no encryption artefacts) points to ransomware, and enumerating drives is also routine host reconnaissance for a RAT.
Creates scheduled task(s) (1 TTP, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. The nine registrations here (full command lines in the process tree below) cover three payload paths, three times each: one ONLOGON task with /rl HIGHEST and two MINUTE-interval tasks, the second of them also /rl HIGHEST. Every call uses /f, and within each trio the two interval tasks share a name ("fontdrvhostf", "cmdc", "SearchUIS"), so the later registration overwrites the earlier one and six tasks remain: for each payload the ONLOGON task and the last interval task. The three task targets are three of the four paths that the PowerShell children of DllCommonsvc.exe add to the Defender exclusion list.
pid   Process
4344  schtasks.exe
4484  schtasks.exe
4596  schtasks.exe
4716  schtasks.exe
3900  schtasks.exe
4960  schtasks.exe
4764  schtasks.exe
2800  schtasks.exe
4984  schtasks.exe
Modifies registry class (14 IoCs)
description  ioc                                                                                  Process (occurrences)
Key created  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings  fontdrvhost.exe (12); DllCommonsvc.exe (1); b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe (1)
This is the current user's HKCU\Software\Classes\Local Settings key, which ordinary shell and COM activity also creates; on its own it is low-signal and appears here only because every payload instance touches it.
Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid   Process           hits
3200  DllCommonsvc.exe  5
4288  powershell.exe    3
4968  powershell.exe    3
3328  powershell.exe    3
4848  powershell.exe    3
1456  fontdrvhost.exe   1
4832  fontdrvhost.exe   1
3168  fontdrvhost.exe   1
3788  fontdrvhost.exe   1
732   fontdrvhost.exe   1
504   fontdrvhost.exe   1
3160  fontdrvhost.exe   1
3552  fontdrvhost.exe   1
1676  fontdrvhost.exe   1
1500  fontdrvhost.exe   1
2816  fontdrvhost.exe   1
4028  fontdrvhost.exe   1
1388  fontdrvhost.exe   1
Suspicious use of AdjustPrivilegeToken (64 IoCs; the sandbox caps this list at 64 entries)
pid   Process           privileges enabled
3200  DllCommonsvc.exe  SeDebugPrivilege
4288  powershell.exe    SeDebugPrivilege, then the full set below (21 entries)
4968  powershell.exe    SeDebugPrivilege, then the full set below as far as SeManageVolumePrivilege (17 entries; the remainder falls outside the 64-entry cap)
4848  powershell.exe    SeDebugPrivilege, then the full set below (21 entries)
3328  powershell.exe    SeDebugPrivilege

Full set, in the order enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36.

The numeric entries are privileges the sandbox reports by LUID rather than by name; on Windows 10 these values are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). Enabling the whole privilege set on an already elevated token is common for system tooling; the entry worth attention is SeDebugPrivilege requested by DllCommonsvc.exe, which is what a process asks for when it intends to open or manipulate other processes.
Suspicious use of WriteProcessMemory (64 IoCs; the sandbox caps this list at 64 entries)
In the raw log each parent->child pair appears two or three times (one entry per write); the pairs are collapsed here. procid_target is the sandbox's own identifier for the child process, distinct from its Windows PID. Every entry is a parent writing into a child it has just created, and the pairs mirror the process tree exactly, which is what ordinary process creation looks like to this hook; there is no write into an unrelated process that would indicate injection.

parent pid  parent Process                                                              -> child pid (procid_target)
2248        b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe  -> 4512 (66)
4512        WScript.exe                                                                 -> 4272 (67)
4272        cmd.exe                                                                     -> 3200 (69)
3200        DllCommonsvc.exe                                                            -> 4968 (80), 4288 (82), 4848 (84), 3328 (86), 188 (88)
188         cmd.exe                                                                     -> 728 (90), 1456 (92)
1456        fontdrvhost.exe                                                             -> 3564 (93)
3564        cmd.exe                                                                     -> 3476 (95), 4832 (96)
4832        fontdrvhost.exe                                                             -> 4768 (97)
4768        cmd.exe                                                                     -> 4136 (99), 3168 (100)
3168        fontdrvhost.exe                                                             -> 3264 (101)
3264        cmd.exe                                                                     -> 692 (103), 3788 (104)
3788        fontdrvhost.exe                                                             -> 4984 (105)
4984        cmd.exe                                                                     -> 2232 (107), 732 (108)
732         fontdrvhost.exe                                                             -> 1900 (109)
1900        cmd.exe                                                                     -> 4596 (111), 504 (112)
504         fontdrvhost.exe                                                             -> 2428 (113)
2428        cmd.exe                                                                     -> 4032 (115), 3160 (116)
3160        fontdrvhost.exe                                                             -> 4792 (118)
4792        cmd.exe                                                                     -> 4632 (119), 3552 (120)

Note the PID reuse within this single run: 4984 is a schtasks.exe in the scheduled-task list and a cmd.exe here, and 4596 is a schtasks.exe there and a w32tm.exe in the tree. When correlating sandbox or EDR records, join on PID plus image and creation time, never on PID alone.
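The parent/child data above is what a detection engineer would key on, so here is an added Python example (not part of the report and not any sandbox's tooling) that rebuilds the process tree from the (pid, ppid, image) triples recorded in this report, flags children that a policy says WmiPrvSE.exe should never spawn, measures how deep the fontdrvhost.exe self-relaunch chain goes, and surfaces the PID reuse (4596, 4984) that makes PID-only joins unsafe. The records are copied from the report; the unknown parents of the sample and of wmiprvse.exe are written as 0, and the allowed-children policy is an illustrative assumption rather than anything the report states.

```python
# Added example (not from the report): rebuild a process tree from sandbox/EDR-style
# records and check it for the parent/child patterns this report shows.
from typing import Dict, List, Optional, Set, Tuple

# (pid, ppid, image) in creation order, copied from the report above.
# ppid 0 marks a parent the report does not show (assumption for this example).
REPORT_RECORDS: List[Tuple[int, int, str]] = [
    (2248, 0, "b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe"),
    (4512, 2248, "WScript.exe"),
    (4272, 4512, "cmd.exe"),
    (3200, 4272, "DllCommonsvc.exe"),
    (4668, 0, "wmiprvse.exe"),
    # nine schtasks.exe children attributed to wmiprvse.exe
    (3900, 4668, "schtasks.exe"), (4960, 4668, "schtasks.exe"), (4344, 4668, "schtasks.exe"),
    (4764, 4668, "schtasks.exe"), (2800, 4668, "schtasks.exe"), (4484, 4668, "schtasks.exe"),
    (4596, 4668, "schtasks.exe"), (4716, 4668, "schtasks.exe"), (4984, 4668, "schtasks.exe"),
    (4968, 3200, "powershell.exe"), (4288, 3200, "powershell.exe"),
    (4848, 3200, "powershell.exe"), (3328, 3200, "powershell.exe"),
    (188, 3200, "cmd.exe"), (728, 188, "w32tm.exe"), (1456, 188, "fontdrvhost.exe"),
    (3564, 1456, "cmd.exe"), (3476, 3564, "w32tm.exe"), (4832, 3564, "fontdrvhost.exe"),
    (4768, 4832, "cmd.exe"), (4136, 4768, "w32tm.exe"), (3168, 4768, "fontdrvhost.exe"),
    (3264, 3168, "cmd.exe"), (692, 3264, "w32tm.exe"), (3788, 3264, "fontdrvhost.exe"),
    (4984, 3788, "cmd.exe"), (2232, 4984, "w32tm.exe"), (732, 4984, "fontdrvhost.exe"),
    (1900, 732, "cmd.exe"), (4596, 1900, "w32tm.exe"), (504, 1900, "fontdrvhost.exe"),
    (2428, 504, "cmd.exe"), (4032, 2428, "w32tm.exe"), (3160, 2428, "fontdrvhost.exe"),
    (4792, 3160, "cmd.exe"), (4632, 4792, "w32tm.exe"), (3552, 4792, "fontdrvhost.exe"),
    (4904, 3552, "cmd.exe"), (1676, 4904, "fontdrvhost.exe"),
    (4384, 1676, "cmd.exe"), (1500, 4384, "fontdrvhost.exe"),
    (3192, 1500, "cmd.exe"), (2776, 3192, "w32tm.exe"), (2816, 3192, "fontdrvhost.exe"),
    (1124, 2816, "cmd.exe"), (4028, 1124, "fontdrvhost.exe"),
    (4216, 4028, "cmd.exe"), (4300, 4216, "w32tm.exe"), (1388, 4216, "fontdrvhost.exe"),
]

# Illustrative policy (assumption): WmiPrvSE.exe hosts WMI providers and is not
# expected to launch command-line tools, so any child image is a finding.
EXPECTED_CHILDREN: Dict[str, Set[str]] = {"wmiprvse.exe": set()}


class Node:
    def __init__(self, pid: int, ppid: int, image: str, parent: Optional["Node"]):
        self.pid, self.ppid, self.image, self.parent = pid, ppid, image.lower(), parent
        self.children: List["Node"] = []


def build_tree(records) -> Tuple[List[Node], Set[int]]:
    """Resolve each child to the process that was live under its ppid when the child
    appeared (creation order matters because PIDs are recycled). Returns all nodes
    plus the set of PIDs that were reused during the run."""
    live: Dict[int, Node] = {}
    nodes: List[Node] = []
    collisions: Set[int] = set()
    for pid, ppid, image in records:
        node = Node(pid, ppid, image, live.get(ppid))
        if node.parent is not None:
            node.parent.children.append(node)
        if pid in live:  # the PID now belongs to a new process
            collisions.add(pid)
        live[pid] = node
        nodes.append(node)
    return nodes, collisions


def unexpected_children(nodes: List[Node], policy=EXPECTED_CHILDREN) -> List[Tuple[str, str, int]]:
    """(parent image, child image, child pid) for every child a policed parent should not have."""
    hits = []
    for n in nodes:
        if n.parent is None:
            continue
        allowed = policy.get(n.parent.image)
        if allowed is not None and n.image not in allowed:
            hits.append((n.parent.image, n.image, n.pid))
    return hits


def relaunch_depth(nodes: List[Node], image: str) -> int:
    """Longest ancestor chain of processes with the same image name; intermediate
    cmd.exe hops are ignored. Benign programs rarely re-spawn themselves repeatedly."""
    image = image.lower()
    best = 0
    for n in nodes:
        if n.image != image:
            continue
        depth, cur = 0, n
        while cur is not None:
            if cur.image == image:
                depth += 1
            cur = cur.parent
        best = max(best, depth)
    return best


if __name__ == "__main__":
    tree, reused = build_tree(REPORT_RECORDS)
    for parent, child, pid in unexpected_children(tree):
        print(f"unexpected child: {parent} -> {child} (pid {pid})")
    print("fontdrvhost.exe relaunch depth:", relaunch_depth(tree, "fontdrvhost.exe"))
    print("reused PIDs (join on pid + image + start time, not pid alone):", sorted(reused))
```

Fed the records above, the example reports the nine schtasks.exe children of wmiprvse.exe, a relaunch depth of 13 for fontdrvhost.exe, and the reused PIDs 4596 and 4984. With Sysmon Event ID 1 or Security event 4688 as input, the same three checks run over live telemetry; the creation-order parent resolution is what keeps the reused PIDs from mis-linking children to the wrong parent.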
Processes
The number in brackets is the depth in the process tree; "flags" are the signature hits attributed to that process. Image paths under C:\Windows\SysWOW64 for processes whose command line names C:\Windows\System32 are WOW64 file-system redirection: the sample and its first two children run as 32-bit processes, while DllCommonsvc.exe and everything below it launch the native 64-bit binaries. Each .bat stager runs "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2", which polls the local clock twice five seconds apart and so serves as a roughly five-second sleep (it touches only localhost), and then launches the next copy of fontdrvhost.exe, which drops and runs the next .bat; this is what produces the 30-level chain.

[1] PID 2248  C:\Users\Admin\AppData\Local\Temp\b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe"
    flags: Modifies registry class; Suspicious use of WriteProcessMemory
 [2] PID 4512  C:\Windows\SysWOW64\WScript.exe
     cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
     flags: Suspicious use of WriteProcessMemory
  [3] PID 4272  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
      flags: Suspicious use of WriteProcessMemory
   [4] PID 3200  C:\providercommon\DllCommonsvc.exe
       cmdline: "C:\providercommon\DllCommonsvc.exe"
       flags: Executes dropped EXE; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [5] PID 4968  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 4288  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\fontdrvhost.exe'
        flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 4848  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\cmd.exe'
        flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 3328  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'
        flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 188  C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RDNeSBVcnB.bat"
        flags: Suspicious use of WriteProcessMemory
     [6] PID 728  C:\Windows\system32\w32tm.exe
         cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
     [6] PID 1456  C:\Users\Admin\Links\fontdrvhost.exe
         cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
         flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      [7] PID 3564  C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
          flags: Suspicious use of WriteProcessMemory
       [8] PID 3476  C:\Windows\system32\w32tm.exe
           cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
       [8] PID 4832  C:\Users\Admin\Links\fontdrvhost.exe
           cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
           flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        [9] PID 4768  C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
            flags: Suspicious use of WriteProcessMemory
         [10] PID 4136  C:\Windows\system32\w32tm.exe
             cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
         [10] PID 3168  C:\Users\Admin\Links\fontdrvhost.exe
             cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
             flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          [11] PID 3264  C:\Windows\System32\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
              flags: Suspicious use of WriteProcessMemory
           [12] PID 692  C:\Windows\system32\w32tm.exe
               cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
           [12] PID 3788  C:\Users\Admin\Links\fontdrvhost.exe
               cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
               flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            [13] PID 4984  C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"
                flags: Suspicious use of WriteProcessMemory
             [14] PID 2232  C:\Windows\system32\w32tm.exe
                 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
             [14] PID 732  C:\Users\Admin\Links\fontdrvhost.exe
                 cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
                 flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
              [15] PID 1900  C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
                  flags: Suspicious use of WriteProcessMemory
               [16] PID 4596  C:\Windows\system32\w32tm.exe
                   cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
               [16] PID 504  C:\Users\Admin\Links\fontdrvhost.exe
                   cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
                   flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
                [17] PID 2428  C:\Windows\System32\cmd.exe
                    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat"
                    flags: Suspicious use of WriteProcessMemory
                 [18] PID 4032  C:\Windows\system32\w32tm.exe
                     cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                 [18] PID 3160  C:\Users\Admin\Links\fontdrvhost.exe
                     cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
                     flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
                  [19] PID 4792  C:\Windows\System32\cmd.exe
                      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
                      flags: Suspicious use of WriteProcessMemory
                   [20] PID 4632  C:\Windows\system32\w32tm.exe
                       cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                   [20] PID 3552  C:\Users\Admin\Links\fontdrvhost.exe
                       cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
                       flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses
                    [21] PID 4904  C:\Windows\System32\cmd.exe
                        cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat"
                     [22] PID 1676  C:\Users\Admin\Links\fontdrvhost.exe
                         cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
                         flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses
                      [23] PID 4384  C:\Windows\System32\cmd.exe
                          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
                       [24] PID 1500  C:\Users\Admin\Links\fontdrvhost.exe
                           cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
                           flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses
                        [25] PID 3192  C:\Windows\System32\cmd.exe
                            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
                         [26] PID 2776  C:\Windows\system32\w32tm.exe
                             cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                         [26] PID 2816  C:\Users\Admin\Links\fontdrvhost.exe
                             cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
                             flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses
                          [27] PID 1124  C:\Windows\System32\cmd.exe
                              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
                           [28] PID 4028  C:\Users\Admin\Links\fontdrvhost.exe
                               cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
                               flags: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses
                            [29] PID 4216  C:\Windows\System32\cmd.exe
                                cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
                             [30] PID 4300  C:\Windows\system32\w32tm.exe
                                 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                             [30] PID 1388  C:\Users\Admin\Links\fontdrvhost.exe
                                 cmdline: "C:\Users\Admin\Links\fontdrvhost.exe"
                                 flags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

The following processes are shown by the sandbox at depth 1 because no parent was linked in the tree. For the schtasks.exe instances the recorded parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 4668), see "Process spaw

ned unexpected child process" above; the three unlinked w32tm.exe instances are the same sleep call as in the chain.

[1] PID 3900  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Links\fontdrvhost.exe'" /f
    flags: Process spawned unexpected child process; Creates scheduled task(s)
[1] PID 4960  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\fontdrvhost.exe'" /rl HIGHEST /f
    flags: Process spawned unexpected child process; Creates scheduled task(s)
[1] PID 4344  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\fontdrvhost.exe'" /rl HIGHEST /f
    flags: Process spawned unexpected child process; Creates scheduled task(s)
[1] PID 4764  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\cmd.exe'" /f
    flags: Process spawned unexpected child process; Creates scheduled task(s)
[1] PID 2800  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\security\cmd.exe'" /rl HIGHEST /f
    flags: Process spawned unexpected child process; Creates scheduled task(s)
[1] PID 4484  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\security\cmd.exe'" /rl HIGHEST /f
    flags: Process spawned unexpected child process; Creates scheduled task(s)
[1] PID 4596  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'" /f
    flags: Process spawned unexpected child process; Creates scheduled task(s)
[1] PID 4716  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'" /rl HIGHEST /f
    flags: Process spawned unexpected child process; Creates scheduled task(s)
[1] PID 4984  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'" /rl HIGHEST /f
    flags: Process spawned unexpected child process; Creates scheduled task(s)
[1] PID 680  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[1] PID 4820  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[1] PID 4192  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
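The command lines above carry the whole persistence and evasion story: four Add-MpPreference exclusions, nine schtasks registrations that cover three payload paths three times each, and a w32tm /stripchart call used as a sleep. The following Python is an added example, not part of the report, not DcRat's code and not any sandbox's, that parses such command lines as they would arrive from Sysmon Event ID 1 or Security event 4688, and reports the exclusions, the task tuples, which tasks survive the /f overwrites, and payloads whose file names imitate Windows binaries while living outside the real binary's directory. The command lines are copied from this report; the table of expected binary locations is an illustrative assumption.

```python
# Added example (not from the report): triage Windows process command lines for
# Defender exclusions, schtasks persistence and the w32tm "sleep" idiom.
import ntpath
import re
from collections import Counter
from typing import Dict, List, Optional

# Command lines copied from the process tree above; one w32tm call kept as representative.
REPORT_CMDLINES: List[str] = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\Links\\fontdrvhost.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\security\\cmd.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\Documents\\My Pictures\\SearchUI.exe'",
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Links\fontdrvhost.exe'" /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\cmd.exe'" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\security\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\security\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'" /f''',
    r'''schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'" /rl HIGHEST /f''',
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
]

SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", re.I)
SCHTASKS_ARG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)
EXCLUSION_RE = re.compile(r"\bAdd-MpPreference\b.*?-ExclusionPath\s+'([^']+)'", re.I)
# w32tm sampling localhost for a few seconds is a common batch-file substitute for sleep.
SLEEP_RE = re.compile(r"\bw32tm\b.*?/stripchart\b.*?/computer:localhost\b", re.I)

# Illustrative (assumption): directories where the genuine Windows binaries of these names live.
EXPECTED_HOME = {
    "fontdrvhost.exe": (r"c:\windows\system32",),
    "cmd.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "searchui.exe": (r"c:\windows\systemapps",),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
}


def parse_schtasks(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the /tn /sc /mo /tr /rl values of a 'schtasks /create' command, else None."""
    if not SCHTASKS_CREATE_RE.search(cmdline):
        return None
    task: Dict[str, object] = {"tn": None, "sc": None, "mo": None, "tr": None, "rl": None,
                               "force": "/f" in cmdline.lower().split()}
    for key, value in SCHTASKS_ARG_RE.findall(cmdline):
        task[key.lower()] = value.strip('"').strip("'")  # /tr arrives wrapped as "'path'"
    return task


def looks_like_masquerade(path: str) -> bool:
    """True when the file name is a known Windows binary name but the directory is not its home."""
    base = ntpath.basename(path).lower()
    home = ntpath.dirname(path).lower()
    expected = EXPECTED_HOME.get(base)
    return expected is not None and not any(home.startswith(p) for p in expected)


def triage(cmdlines: List[str]) -> Dict[str, object]:
    """Classify command lines and derive the persistence picture they describe."""
    exclusions, tasks, sleeps = [], [], []
    for cmd in cmdlines:
        m = EXCLUSION_RE.search(cmd)
        if m:
            exclusions.append(m.group(1))
            continue
        task = parse_schtasks(cmd)
        if task:
            tasks.append(task)
            continue
        if SLEEP_RE.search(cmd):
            sleeps.append(cmd)
    # schtasks /f replaces an existing task of the same name, so the last
    # registration per name is the one that remains on the host.
    surviving = {t["tn"]: t for t in tasks}
    targets = set(exclusions) | {t["tr"] for t in tasks if t["tr"]}
    return {
        "exclusions": exclusions,
        "tasks": tasks,
        "surviving_tasks": surviving,
        "registrations_per_target": Counter(t["tr"] for t in tasks),
        "masquerades": sorted(p for p in targets if looks_like_masquerade(p)),
        "sleeps": sleeps,
    }


if __name__ == "__main__":
    result = triage(REPORT_CMDLINES)
    for path in result["exclusions"]:
        print("Defender exclusion added:", path)
    for name, t in result["surviving_tasks"].items():
        print(f"task {name!r}: /sc {t['sc']} /mo {t['mo']} /rl {t['rl']} -> {t['tr']}")
    print("payloads masquerading as Windows binaries:", result["masquerades"])
    print("sleep idiom calls:", len(result["sleeps"]))
```

On the report's command lines the example yields four exclusions, nine registrations (three per target) of which six survive, and three masquerading payload paths (fontdrvhost.exe under Links, cmd.exe under C:\Windows\security, SearchUI.exe under My Pictures); DllCommonsvc.exe is not flagged because its name imitates nothing. On a live host the same exclusions can be confirmed with Get-MpPreference (ExclusionPath) and each Add-MpPreference change is logged as event 5007 in the Microsoft-Windows-Windows Defender/Operational log.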
Network
MITRE ATT&CK Enterprise v6
Downloads
Files written during the run. Entries with identical hashes are collapsed; the count in brackets is how many times a file with that hash was recorded. The report does not map these hashes to paths, but the counts line up with the rest of the report: 13 files of 201 bytes with 12 distinct hashes are consistent with the 13 launches of 12 distinct *.bat stagers under %TEMP% in the process tree, and the 16 copies of the 1.0MB file match the 16 file resources that YARA tagged dcrat above, so that file is the RAT payload (consistent with DllCommonsvc.exe and the fontdrvhost.exe copies listed under "Executes dropped EXE").

[1 copy]   Filesize 1KB
           MD5    d63ff49d7c92016feb39812e4db10419
           SHA1   2307d5e35ca9864ffefc93acf8573ea995ba189b
           SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
           SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

[1 copy]   Filesize 3KB
           MD5    8592ba100a78835a6b94d5949e13dfc1
           SHA1   63e901200ab9a57c7dd4c078d7f75dcd3b357020
           SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
           SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

[2 copies] Filesize 1KB
           MD5    6bae30481db65844ad0782d31b40f9ca
           SHA1   21830d8da6cc62d82840f29e8bd3421c1945b128
           SHA256 dbbb01236f3e58071375220d1c81b9e57e43bda57597633a5e4fd7428153d21c
           SHA512 2e40d3d57a78b64b779420de7426b16dd8a45de8bb29ba22f1a139901d9f3a2d4f7bbe0dd1790332eb7883a8986ba12c2fc66122e8f580631bbcb72630b1788a

[1 copy]   Filesize 1KB
           MD5    c492bc991bfad9c03febe497847113ac
           SHA1   1de2ad71e1f0cbfdcf9b231c27ec003f2fd7c74d
           SHA256 17f749f04c4f4e5f7b815f23ec0bca5a40d29a7420b5200bfc3a5ec704dc1c32
           SHA512 bb648145d3f60091b6e08181b7f9d52682fd7519db13c4e46aeceba61ff366fae73d7dd8b082ec12d155142a23109128db995ecbbabbf225fdf7baa8e5e0a626

[1 copy]   Filesize 201B
           MD5    6566c208f5ea3951164af4df99c9bdc4
           SHA1   08c2371707751840378fa276cc6895447af72f97
           SHA256 ec89d6ad214a8662ef7d79ef3ec730310cf7de331690c9f9f9448c34a9f8b20d
           SHA512 d2f9a4240215d3ab6b27aa49145d2cdb9a165f284a6c13d9c769eaed908e1066f3904e155f7321eb66fbda4a17d7a2e7d9376e276620c0c1d84608a49124d6a1

[1 copy]   Filesize 201B
           MD5    d9343deb8843d38e3fa399c0fb7f3eee
           SHA1   a698e9c89e8c9b9c326fe8cca42c20e109f8c6e8
           SHA256 75417f34a760bf5a076f07e05c9d4a6f73e2a53f8d393990c893756c02d29e69
           SHA512 ee6e14410cc59d1ff65d1518667a08af636f7b0934ed48cb6bf0bed72e73e2458ba29a10b3aee99bd36b6b4b3eb2be30508133d02b4477de609a9b10a3c0e043

[1 copy]   Filesize 201B
           MD5    850c31b89766643e5101022f14592a26
           SHA1   f85d6b11bfea758234662f3ebbabd5eb2f33f503
           SHA256 bfd4af0f79749dfa4e3a0ccf60c583ff7146c768e8a8df823587bd2d6a9b07ca
           SHA512 d5055174072fbcdeb5fffaf084eab7c7385b301e17674156793fa9e6c7145805d2568c98d5bd745771e5a2faab74f68389d40abc377c4b49a047e92fd479b274

[1 copy]   Filesize 201B
           MD5    5c1bfbf4f796153f9ef00da271e4fda0
           SHA1   80b8c9eff09d2b1fb5ce7d5e9d012916e859f768
           SHA256 123f5296b7289237929041af9851c550be9088b73231d0916bceed28fdfd0e7b
           SHA512 c1d24bb1dbceab382cfcf1ece14b569038e4d313bbb8533024c75475ed47ad529555d3fc1e7d1528882d0424b9c5254118478236a3130dcb769e96491eb737f2

[1 copy]   Filesize 201B
           MD5    f5b29a71d5401dc956e1173ac46fbbd6
           SHA1   ae4c4f5e4b1e2d259f3f8adf007a885bfce8abdc
           SHA256 759f18633ec7f561b4a5ec662656602ceace4f4fa0482bfe93ff94e37ee3c530
           SHA512 f0ebfc38a5bfc5216d60bb10cd1714a972594760d9edd5ad53856a0be81968dea88c1880ca49fa1c2de54c33ffa108fe48f870fcbd7869d9ab94480d8a36ce3c

[1 copy]   Filesize 201B
           MD5    7f7d15ded93c2719e69f5192c859f239
           SHA1   03af27ef38d587d4f3bdad9fecb028852dac10e8
           SHA256 fc8e47b6c996a23da8ba391b070a2165401f38dafc200d58b6de4acf78ffaf39
           SHA512 7d19e4a868fb19fa0920c62cf29d48dea08769c406d810ff90925bcc1f0330ea23b02dac9bdd6209d7fa2289016993b641ada9b76bd7ab6d41426cd24edb2c7d

[1 copy]   Filesize 201B
           MD5    017c77fd2c587bbc3f01a312b1bb26bb
           SHA1   8e9dae318cb7edc97deeb962184059b6eb129572
           SHA256 d0e499515d44eb6eb923bc35b5001312d82c77bd7f8037fdd5786787312ff94c
           SHA512 77231b551762dfb95b3cace7ba7f852f258b13f79a777711c71887e2b35c2d9cef91ab96753f2c37f18c78eb6486162697e2c02debdb79e6087793bb588f9313

[2 copies] Filesize 201B
           MD5    06441b9a4ec0adf9e87833216d699167
           SHA1   273a3bd77d1faa658b844865ee6b76014517be68
           SHA256 b3440a3c7d02b9fcf4cbc6c9387eb9de25e3c690229e63a721332f197f7fbb99
           SHA512 30f89deedcb72f6703e4708e99c22f2a83bc51c0520469e925d5d1274537609e12f2ff23e848c15c64c53a290ec1fa11d5b1e0b6489c873cef0eb890ba0ab2bc

[1 copy]   Filesize 201B
           MD5    6028b1ace15c62873c978ac23ddf3748
           SHA1   394203161adde48a23f19db16341bedbd38ffd9d
           SHA256 4ac46e3ac3ded33ca9b3a83eed80d260c5c45bc831d4934f0ee70f338c128f9d
           SHA512 2a6ba12e8fcf64e110b9202af56164d1f0f043ef86db11ffdac935d8e8da02a5c4f7de0d89e595c2136c7ffb791e143fd5bb0ff9e31332984736e2092ca606b4

[1 copy]   Filesize 201B
           MD5    a6108e45f850e336391dba35a7e8dd9d
           SHA1   8674c2463bf0ac4263d3b2d03dbee201bbc204d4
           SHA256 accfe021ac0d383639ea4979f4914ca36e9cd2ac8f7ce99ca4c3d1884c137b1b
           SHA512 cb927ce895b3cdbac9a9459809aa3ae8fa800141871c6d68df2ea0defba51e7fabc7cf680ecfaee3a96450925753c4bf9dd359633f5f2482f2a6d0ac1e0e9746

[1 copy]   Filesize 201B
           MD5    2718a5c8a37ce1a45f000554cb5eed1e
           SHA1   708cf02945f7dd97582d3c1a94531e25febaa86d
           SHA256 2084e37c6d5ed3bfee2a9f05bdc9c2a219c6f0c12ac242b5a6be79162cdd7c3c
           SHA512 2c2bd480e44801aff51bf4c857a001f6b657b229c5f2d1c9743bdaeb88fef4875d122d735b3ccdfb3ec1d4b272db67a00e494bcd9c7be724165fc443755ad3a0

[1 copy]   Filesize 201B
           MD5    dd6f35f287ebb578f9f1ac83cee41691
           SHA1   13e0d2489bb0bd0d5422fdd38a0811e36087078b
           SHA256 31dddc072c9ae262e6f3061164f3254103e7281720ba05b8a449b01224b11cd4
           SHA512 1deef14a420c415e3746ac2b4ec3d3ab47c31f93891daaca76f0293b20b18fb5596239511090eb0d5c80e8c69f6174f48be5b124fba507c2d053c2c0e5db3b47

[16 copies] Filesize 1.0MB   (DcRat payload; see the YARA matches above)
           MD5    bd31e94b4143c4ce49c17d3af46bcad0
           SHA1   f8c51ff3ff909531d9469d4ba1bbabae101853ff
           SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
           SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

[1 copy]   Filesize 36B
           MD5    6783c3ee07c7d151ceac57f1f9c8bed7
           SHA1   17468f98f95bf504cc1f83c49e49a78526b3ea03
           SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
           SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

[1 copy]   Filesize 197B
           MD5    8088241160261560a02c84025d107592
           SHA1   083121f7027557570994c9fc211df61730455bb5
           SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
           SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478