dcrat | 82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc

Analysis

max time kernel
134s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2023 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exe
Size

1.5MB
MD5

d2a93b8b0c87c60f03a15fb4064a70ed
SHA1

06cf614ebc8d721f8b1a5ee9fee7e2f694510656
SHA256

82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc
SHA512

e05924e3269f762d2a93171af26d766b093fe3e87927ad2c2e913b3753b042e591ded5b8ef955de9149dee3ee9741dcd221a2c4f2697b830936f5bbde0e8d9a8
SSDEEP

24576:U2G/nvxW3Ww0tMim6FJcBSADZw7K2pI3skCYJhnJh+c0UUZsQNw:UbA30MpuySigA6YJE1u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	312	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe	dcrat
C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe	dcrat
behavioral1/memory/3616-139-0x0000000000140000-0x0000000000274000-memory.dmp	dcrat
C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe	dcrat
C:\Recovery\WindowsRE\brokerdll.exe	dcrat
C:\Recovery\WindowsRE\brokerdll.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

brokerdll.exebrokerdll.exebrokerdll.exe

pid process

3616 brokerdll.exe
2244 brokerdll.exe
3792 brokerdll.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exeWScript.exebrokerdll.exebrokerdll.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	brokerdll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	brokerdll.exe

Drops file in Program Files directory 23 IoCs

Processes:

brokerdll.exebrokerdll.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe	brokerdll.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\886983d96e3d3e	brokerdll.exe
File created	C:\Program Files\Windows Media Player\de-DE\5940a34987c991	brokerdll.exe
File created	C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe	brokerdll.exe
File created	C:\Program Files\Internet Explorer\de-DE\smss.exe	brokerdll.exe
File created	C:\Program Files\Windows Media Player\de-DE\e1ef82546f0b02	brokerdll.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\7a0fd90576e088	brokerdll.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\4705ECFD-ABBD-4089-8453-56EA3EB6E985\ea9f0e6c9e2dcd	brokerdll.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\upfc.exe	brokerdll.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\ea1d8f6d871115	brokerdll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe	brokerdll.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe	brokerdll.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe	brokerdll.exe
File created	C:\Program Files\Windows Media Player\de-DE\dllhost.exe	brokerdll.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe	brokerdll.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\9e8d7a4ca61bd9	brokerdll.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\4705ECFD-ABBD-4089-8453-56EA3EB6E985\taskhostw.exe	brokerdll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\c5b4cb5e9653cc	brokerdll.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\explorer.exe	brokerdll.exe
File created	C:\Program Files\Uninstall Information\55b276f4edf653	brokerdll.exe
File created	C:\Program Files\Internet Explorer\de-DE\69ddcba757bf72	brokerdll.exe
File created	C:\Program Files\Windows Media Player\de-DE\SppExtComObj.exe	brokerdll.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991	brokerdll.exe

Drops file in Windows directory 6 IoCs

Processes:

brokerdll.exebrokerdll.exe

description	ioc	process
File created	C:\Windows\Globalization\Sorting\brokerdll.exe	brokerdll.exe
File created	C:\Windows\Globalization\Sorting\80f540f9ca3361	brokerdll.exe
File created	C:\Windows\L2Schemas\dllhost.exe	brokerdll.exe
File created	C:\Windows\L2Schemas\5940a34987c991	brokerdll.exe
File created	C:\Windows\CSC\dllhost.exe	brokerdll.exe
File created	C:\Windows\rescache\_merged\SearchApp.exe	brokerdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4260	schtasks.exe
1320	schtasks.exe
752	schtasks.exe
4052	schtasks.exe
4212	schtasks.exe
4804	schtasks.exe
1296	schtasks.exe
1076	schtasks.exe
1300	schtasks.exe
684	schtasks.exe
4376	schtasks.exe
4864	schtasks.exe
3016	schtasks.exe
4132	schtasks.exe
3488	schtasks.exe
3440	schtasks.exe
1484	schtasks.exe
3788	schtasks.exe
448	schtasks.exe
1908	schtasks.exe
880	schtasks.exe
1824	schtasks.exe
4912	schtasks.exe
2260	schtasks.exe
3832	schtasks.exe
1468	schtasks.exe
5012	schtasks.exe
4868	schtasks.exe
4940	schtasks.exe
3076	schtasks.exe
1864	schtasks.exe
3776	schtasks.exe
3612	schtasks.exe
1712	schtasks.exe
1080	schtasks.exe
2200	schtasks.exe
3464	schtasks.exe
1040	schtasks.exe
5112	schtasks.exe
2760	schtasks.exe
444	schtasks.exe
1108	schtasks.exe
764	schtasks.exe
1864	schtasks.exe
3288	schtasks.exe
4908	schtasks.exe
5104	schtasks.exe
536	schtasks.exe
3620	schtasks.exe
3452	schtasks.exe
3564	schtasks.exe
2528	schtasks.exe
3044	schtasks.exe
2608	schtasks.exe
4592	schtasks.exe
5108	schtasks.exe
4620	schtasks.exe
3624	schtasks.exe
2508	schtasks.exe
1516	schtasks.exe
4852	schtasks.exe
3132	schtasks.exe
4316	schtasks.exe
1172	schtasks.exe

Modifies registry class 2 IoCs

Processes:

82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exebrokerdll.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	brokerdll.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

brokerdll.exebrokerdll.exebrokerdll.exe

pid	process
3616	brokerdll.exe
3616	brokerdll.exe
3616	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
2244	brokerdll.exe
3792	brokerdll.exe
3792	brokerdll.exe
3792	brokerdll.exe
3792	brokerdll.exe
3792	brokerdll.exe
3792	brokerdll.exe
3792	brokerdll.exe
3792	brokerdll.exe
3792	brokerdll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

brokerdll.exe

pid process

3792 brokerdll.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

brokerdll.exebrokerdll.exebrokerdll.exe

description pid process

Token: SeDebugPrivilege 3616 brokerdll.exe
Token: SeDebugPrivilege 2244 brokerdll.exe
Token: SeDebugPrivilege 3792 brokerdll.exe

pid	process
3792	brokerdll.exe

description	pid	process
Token: SeDebugPrivilege	3616	brokerdll.exe
Token: SeDebugPrivilege	2244	brokerdll.exe
Token: SeDebugPrivilege	3792	brokerdll.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exeWScript.execmd.exebrokerdll.exebrokerdll.execmd.exe

description	pid	process	target process
PID 1800 wrote to memory of 4232	1800	82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exe	WScript.exe
PID 1800 wrote to memory of 4232	1800	82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exe	WScript.exe
PID 1800 wrote to memory of 4232	1800	82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exe	WScript.exe
PID 4232 wrote to memory of 1660	4232	WScript.exe	cmd.exe
PID 4232 wrote to memory of 1660	4232	WScript.exe	cmd.exe
PID 4232 wrote to memory of 1660	4232	WScript.exe	cmd.exe
PID 1660 wrote to memory of 3616	1660	cmd.exe	brokerdll.exe
PID 1660 wrote to memory of 3616	1660	cmd.exe	brokerdll.exe
PID 3616 wrote to memory of 2244	3616	brokerdll.exe	brokerdll.exe
PID 3616 wrote to memory of 2244	3616	brokerdll.exe	brokerdll.exe
PID 2244 wrote to memory of 1356	2244	brokerdll.exe	cmd.exe
PID 2244 wrote to memory of 1356	2244	brokerdll.exe	cmd.exe
PID 1356 wrote to memory of 4632	1356	cmd.exe	w32tm.exe
PID 1356 wrote to memory of 4632	1356	cmd.exe	w32tm.exe
PID 1356 wrote to memory of 3792	1356	cmd.exe	brokerdll.exe
PID 1356 wrote to memory of 3792	1356	cmd.exe	brokerdll.exe

C:\Users\Admin\AppData\Local\Temp\82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exe
"C:\Users\Admin\AppData\Local\Temp\82810f4111ffd31d329542d9f55c6301f7ba6fc5dd0ce77e140af29fcf510bfc.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\hyperfont\WNlRpzmYLWeUJpXMQ277C.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\hyperfont\X3f5A3sv8bVi61hRpGp0VQYL2xgKl.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe
"C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe
"C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkRN1YiWQB.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:4632

C:\Recovery\WindowsRE\brokerdll.exe
"C:\Recovery\WindowsRE\brokerdll.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\4705ECFD-ABBD-4089-8453-56EA3EB6E985\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\4705ECFD-ABBD-4089-8453-56EA3EB6E985\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\4705ECFD-ABBD-4089-8453-56EA3EB6E985\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "brokerdllb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\brokerdll.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "brokerdll" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\brokerdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "brokerdllb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\brokerdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "brokerdllb" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\Sorting\brokerdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "brokerdll" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\brokerdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "brokerdllb" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\Sorting\brokerdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\de-DE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\System.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f
1⤵
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\USOShared\Logs\Registry.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\Registry.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\Registry.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\brokerdll.exe
Filesize
1.2MB

MD5
cd212e488f66d696849024332e13b083

SHA1
93cd3f7ce16318ebafbef4fbfdc6143542c9139c

SHA256
64cc53c0537bdd83b5ba7e16352c780dcff7aaf23b7d5159decb607ab0618f35

SHA512
714a43093fdb396c343f782d5d803419e22934090cc6bb984562e79e5de6f63198ed820bca501177548e1d0b9871984994f9e134c1f09952651039dcb1bd1e62

Download Submit
C:\Recovery\WindowsRE\brokerdll.exe
Filesize
1.2MB

MD5
cd212e488f66d696849024332e13b083

SHA1
93cd3f7ce16318ebafbef4fbfdc6143542c9139c

SHA256
64cc53c0537bdd83b5ba7e16352c780dcff7aaf23b7d5159decb607ab0618f35

SHA512
714a43093fdb396c343f782d5d803419e22934090cc6bb984562e79e5de6f63198ed820bca501177548e1d0b9871984994f9e134c1f09952651039dcb1bd1e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\brokerdll.exe.log
Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkRN1YiWQB.bat
Filesize
200B

MD5
ae50b3ee57b61f1297046c5723c5757c

SHA1
92b14e5c19864c3d27fceb5591371dce1467b196

SHA256
641eedcec13579f9a715fcee69fe2b231dea4f5d549d121d632adbe797095584

SHA512
a10b51610cbb8e9e26c4b7dc0d83ca802f87e8786efa53e2d38165d30f660e56af8f97db4d6db4bbf8a4d4db0797e184cb7b7eedd5e0088d4086d4f868b8318b

Download Submit
C:\Users\Admin\AppData\Roaming\hyperfont\WNlRpzmYLWeUJpXMQ277C.vbe
Filesize
222B

MD5
a3fb1ce8241d645a9b85706745a01c5b

SHA1
1e67ce9d09acdd7cc2ff9ce7f9cef525ee721a73

SHA256
2f994ecdfb67f1570f592d0a96fce9fc748df9bf2cf52780a34d5c661b0e1698

SHA512
c5a77dd36bdb8268c4b9e85b2064efb22cc2c12420373c6043908b66b08505624fc8a1c1e9c38d7e2fb94200d8b6ee6915726789715cbf8374a7fcfdb56b52b4

Download Submit
C:\Users\Admin\AppData\Roaming\hyperfont\X3f5A3sv8bVi61hRpGp0VQYL2xgKl.bat
Filesize
35B

MD5
d0cbbd0a7abca78982bf695b8334c33b

SHA1
462e18b502394ca9b2d178356a5eacb8b9809839

SHA256
4fb6879023d17f2c5d4baff4840baf57990f8e746163de40da7942a8ed494a44

SHA512
c8bb1f9cddd0be83cef81218973a11fd4025a773c17ef7572ea0a5d6532a788d46d6da77dde84ac935cdee300874798c7b60e688f154336ea444198b180e25ac

Download Submit
C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe
Filesize
1.2MB

MD5
cd212e488f66d696849024332e13b083

SHA1
93cd3f7ce16318ebafbef4fbfdc6143542c9139c

SHA256
64cc53c0537bdd83b5ba7e16352c780dcff7aaf23b7d5159decb607ab0618f35

SHA512
714a43093fdb396c343f782d5d803419e22934090cc6bb984562e79e5de6f63198ed820bca501177548e1d0b9871984994f9e134c1f09952651039dcb1bd1e62

Download Submit
C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe
Filesize
1.2MB

MD5
cd212e488f66d696849024332e13b083

SHA1
93cd3f7ce16318ebafbef4fbfdc6143542c9139c

SHA256
64cc53c0537bdd83b5ba7e16352c780dcff7aaf23b7d5159decb607ab0618f35

SHA512
714a43093fdb396c343f782d5d803419e22934090cc6bb984562e79e5de6f63198ed820bca501177548e1d0b9871984994f9e134c1f09952651039dcb1bd1e62

Download Submit
C:\Users\Admin\AppData\Roaming\hyperfont\brokerdll.exe
Filesize
1.2MB

MD5
cd212e488f66d696849024332e13b083

SHA1
93cd3f7ce16318ebafbef4fbfdc6143542c9139c

SHA256
64cc53c0537bdd83b5ba7e16352c780dcff7aaf23b7d5159decb607ab0618f35

SHA512
714a43093fdb396c343f782d5d803419e22934090cc6bb984562e79e5de6f63198ed820bca501177548e1d0b9871984994f9e134c1f09952651039dcb1bd1e62

Download Submit
memory/1356-146-0x0000000000000000-mapping.dmp

Download
memory/1660-135-0x0000000000000000-mapping.dmp

Download
memory/2244-141-0x0000000000000000-mapping.dmp

Download
memory/2244-149-0x00007FFA49D60000-0x00007FFA4A821000-memory.dmp

Filesize
10.8MB

Download
memory/2244-145-0x00007FFA49D60000-0x00007FFA4A821000-memory.dmp

Filesize
10.8MB

Download
memory/3616-136-0x0000000000000000-mapping.dmp

Download
memory/3616-144-0x00007FFA49D60000-0x00007FFA4A821000-memory.dmp

Filesize
10.8MB

Download
memory/3616-139-0x0000000000140000-0x0000000000274000-memory.dmp

Filesize
1.2MB

Download
memory/3616-140-0x00007FFA49D60000-0x00007FFA4A821000-memory.dmp

Filesize
10.8MB

Download
memory/3792-150-0x0000000000000000-mapping.dmp

Download
memory/3792-153-0x00007FFA49CB0000-0x00007FFA4A771000-memory.dmp

Filesize
10.8MB

Download
memory/3792-154-0x00007FFA49CB0000-0x00007FFA4A771000-memory.dmp

Filesize
10.8MB

Download
memory/4232-132-0x0000000000000000-mapping.dmp

Download
memory/4632-148-0x0000000000000000-mapping.dmp

Download