Analysis
max time kernel: 137s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 00:06
Behavioral task: behavioral1
Sample: 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe
Resource: win10v2004-20231023-en
General
Target: 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe
Size: 2.0MB
MD5: 9b57b45ad1b718ed5e83fb62a8b726c3
SHA1: 25e29ba21022424a4d74f2d184238f288a788f32
SHA256: 3dd0a5685e10ef6d63758cafee7c651f8ae80a47664158976ace7b80c825a032
SHA512: f9b439d71536513bd8a190774cd4c3c6a5729ecf54f5f70e7abbbffde54485188998c3537b5955f98dac4a390742bfddf2b4ef6f257729e46565bcf862de3209
SSDEEP: 24576:JB432G/nvxW3Ww0tLXA/ZohBQTRtWpekBST0Z3jJWOyFFgU91cD0knE4BTi:QbA30DDhBQNxkk0pljyF2U911qi
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
All 51 rows share the same description, pid_target, Process and procid_target; only the pid column differs.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 3824
Process: schtasks.exe
procid_target: 96
pid: 1280, 4552, 368, 4892, 1712, 4568, 2848, 3556, 3520, 3604, 2064, 1824, 2360, 1080, 4524, 2960, 3028, 4976, 4448, 4984, 3332, 4016, 440, 1260, 4076, 2276, 4092, 1648, 4740, 880, 2552, 4172, 2972, 4928, 4284, 4228, 4908, 4316, 1516, 5076, 4108, 1020, 828, 3148, 2092, 2020, 3796, 1372, 2880, 1960, 3212

resource | yara_rule
behavioral2/files/0x0007000000022d82-4.dat | dcrat
behavioral2/files/0x0007000000022d82-7.dat | dcrat
behavioral2/files/0x0007000000022d82-16.dat | dcrat
behavioral2/memory/3740-14-0x0000000000400000-0x00000000005FF000-memory.dmp | dcrat
behavioral2/files/0x0006000000022d91-27.dat | dcrat
behavioral2/files/0x0006000000022d91-28.dat | dcrat
behavioral2/memory/3172-29-0x00000000001A0000-0x00000000002D2000-memory.dmp | dcrat
behavioral2/files/0x0007000000022d99-38.dat | dcrat
behavioral2/files/0x0006000000022dae-78.dat | dcrat
behavioral2/files/0x0006000000022dae-79.dat | dcrat

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | bridgeWebdll.exe

Executes dropped EXE (4 IoCs)
pid | Process
1372 | DCRatBuild.exe
3108 | RakLaunch.exe
3172 | bridgeWebdll.exe
5080 | conhost.exe

Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9 | bridgeWebdll.exe
File created | C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe | bridgeWebdll.exe
File created | C:\Program Files\Windows Photo Viewer\9ff02be898d660 | bridgeWebdll.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe | bridgeWebdll.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\eddb19405b7ce1 | bridgeWebdll.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\services.exe | bridgeWebdll.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc | bridgeWebdll.exe
File created | C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | bridgeWebdll.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\e6c9b481da804f | bridgeWebdll.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe | bridgeWebdll.exe
File created | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\fontdrvhost.exe | bridgeWebdll.exe

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\sysmon.exe | bridgeWebdll.exe
File created | C:\Windows\OCR\en-us\conhost.exe | bridgeWebdll.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe | bridgeWebdll.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\5b884080fd4f94 | bridgeWebdll.exe
File created | C:\Windows\Fonts\csrss.exe | bridgeWebdll.exe
File created | C:\Windows\Fonts\886983d96e3d3e | bridgeWebdll.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe for all 51 rows.
pid: 1648, 1516, 1372, 4016, 4740, 2092, 2880, 368, 2848, 4976, 440, 1280, 4524, 4172, 4228, 2064, 3332, 880, 3556, 2360, 4448, 1260, 2276, 1712, 4108, 1960, 828, 4552, 2972, 4076, 4892, 2020, 3520, 4984, 4908, 1020, 3212, 1824, 3028, 4092, 2552, 4284, 4316, 5076, 3604, 3148, 3796, 4568, 1080, 2960, 4928

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings | bridgeWebdll.exe
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings | schtasks.exe

Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid | Process
3172 | bridgeWebdll.exe (15 entries)
5080 | conhost.exe (29 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3172 | bridgeWebdll.exe
Token: SeDebugPrivilege | 5080 | conhost.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 3740 wrote to memory of 1372 | 3740 | 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe | 84
PID 3740 wrote to memory of 1372 | 3740 | 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe | 84
PID 3740 wrote to memory of 1372 | 3740 | 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe | 84
PID 3740 wrote to memory of 3108 | 3740 | 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe | 85
PID 3740 wrote to memory of 3108 | 3740 | 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe | 85
PID 3740 wrote to memory of 3108 | 3740 | 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe | 85
PID 1372 wrote to memory of 4600 | 1372 | schtasks.exe | 87
PID 1372 wrote to memory of 4600 | 1372 | schtasks.exe | 87
PID 1372 wrote to memory of 4600 | 1372 | schtasks.exe | 87
PID 4600 wrote to memory of 2192 | 4600 | WScript.exe | 92
PID 4600 wrote to memory of 2192 | 4600 | WScript.exe | 92
PID 4600 wrote to memory of 2192 | 4600 | WScript.exe | 92
PID 2192 wrote to memory of 3172 | 2192 | cmd.exe | 95
PID 2192 wrote to memory of 3172 | 2192 | cmd.exe | 95
PID 3172 wrote to memory of 3856 | 3172 | bridgeWebdll.exe | 149
PID 3172 wrote to memory of 3856 | 3172 | bridgeWebdll.exe | 149
PID 3856 wrote to memory of 3440 | 3856 | cmd.exe | 151
PID 3856 wrote to memory of 3440 | 3856 | cmd.exe | 151
PID 3856 wrote to memory of 5080 | 3856 | cmd.exe | 154
PID 3856 wrote to memory of 5080 | 3856 | cmd.exe | 154
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows the parent/child relationship; each entry lists the image path, the command line, the matched signatures and the PID.

C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3740

  C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    - Executes dropped EXE
    PID: 1372

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\fontintosessionsvc\AtbmE4.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 4600

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 2192

        C:\fontintosessionsvc\bridgeWebdll.exe
          Command line: "C:\fontintosessionsvc\bridgeWebdll.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3172

          C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pfPAM1z6vu.bat"
            - Suspicious use of WriteProcessMemory
            PID: 3856

            C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 3440

            C:\Users\Default\conhost.exe
              Command line: "C:\Users\Default\conhost.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 5080

  C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe"
    - Executes dropped EXE
    PID: 3108

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\fontintosessionsvc\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1280

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\fontintosessionsvc\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4552

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\fontintosessionsvc\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 368

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4892

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1712

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4568

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2848

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3556

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3520

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\WaaSMedicAgent.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3604

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2064

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1824

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2360

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1080

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4524

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2960

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3028

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4976

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4448

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4984

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3332

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\conhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4016

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 440

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1260

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\odt\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4076

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2276

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4092

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "bridgeWebdllb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1648

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "bridgeWebdll" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4740

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "bridgeWebdllb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 880

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2552

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4172

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2972

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4928

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4284

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4228

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4908

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4316

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1516

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5076

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4108

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1020

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 828

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3148

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2092

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2020

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3796

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1372

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2880

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1960

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3212
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.5MB
  MD5: 8548cc870e74723070353d67d1df6cba
  SHA1: 1e51a150d92378cecb1c60ffb4715da8838d9fa4
  SHA256: 37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6
  SHA512: c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

- Filesize: 1.5MB
  MD5: 8548cc870e74723070353d67d1df6cba
  SHA1: 1e51a150d92378cecb1c60ffb4715da8838d9fa4
  SHA256: 37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6
  SHA512: c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

- Filesize: 1.5MB
  MD5: 8548cc870e74723070353d67d1df6cba
  SHA1: 1e51a150d92378cecb1c60ffb4715da8838d9fa4
  SHA256: 37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6
  SHA512: c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

- Filesize: 336KB
  MD5: 73809a6768903e090178f10eb46ff2c1
  SHA1: 8449c27be4b36b4066996b50b9b3d6078a4f736c
  SHA256: 0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5
  SHA512: dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

- Filesize: 336KB
  MD5: 73809a6768903e090178f10eb46ff2c1
  SHA1: 8449c27be4b36b4066996b50b9b3d6078a4f736c
  SHA256: 0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5
  SHA512: dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

- Filesize: 336KB
  MD5: 73809a6768903e090178f10eb46ff2c1
  SHA1: 8449c27be4b36b4066996b50b9b3d6078a4f736c
  SHA256: 0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5
  SHA512: dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

- Filesize: 193B
  MD5: ebab391a7c17fb232c6e950f72ede442
  SHA1: a880a45ffb58477cd1291414fb31929a49b98e96
  SHA256: 73415633ab112333ba2aec293bdc9ddea610e21cc80ae96bcb71cd82fea1b932
  SHA512: d0fda3299265f26a81ca5ec543b72842fa290ebaddb2813c2c55cc67a3c61a9833b3d994301de5b57babacff4750e3f144e4b189387e492a608c62706c94f88d

- Filesize: 1.2MB
  MD5: d241d05d6cc53887772cc12e93759c50
  SHA1: e13109e21acd264714539f7f3c9b7f0ff44d0211
  SHA256: 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
  SHA512: eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

- Filesize: 1.2MB
  MD5: d241d05d6cc53887772cc12e93759c50
  SHA1: e13109e21acd264714539f7f3c9b7f0ff44d0211
  SHA256: 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
  SHA512: eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

- Filesize: 1.2MB
  MD5: d241d05d6cc53887772cc12e93759c50
  SHA1: e13109e21acd264714539f7f3c9b7f0ff44d0211
  SHA256: 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
  SHA512: eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

- Filesize: 218B
  MD5: bfc4c3394520c5407a7a70e99743ca72
  SHA1: e6e32f2b7807d33f03d6e35a4fc77f4dfbe85d17
  SHA256: c37245170203c5ab6487bf1ec57aed0eba66da843a1ed5b87e3752b903381e6d
  SHA512: 2ca69c9e6056a44cb097c95c32c7a93bf2c007766bbf81bd46f9da861d831eddee2d977103bd61c7efabfb967b6f4eb833e5166a85f33acd07ee38afe322cca1

- Filesize: 40B
  MD5: 72fa4f55254901b819a5996d5eff7bcb
  SHA1: 950f1b3bf5a55a2d88fce41b03a3b5ab079d716d
  SHA256: 962a03b716b55d4758553f335d4028caaa453667d6181f899db95ab1fc9f71e0
  SHA512: c4c090eb5f9584b88ce8a9052a8fe11c1bf9bce33bc7574347d0a161e551a374d7d41146a2b5e64242786e510fd73b3f6a194596d3ad6105b06c31965be32ce6

- Filesize: 1.2MB
  MD5: d241d05d6cc53887772cc12e93759c50
  SHA1: e13109e21acd264714539f7f3c9b7f0ff44d0211
  SHA256: 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
  SHA512: eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

- Filesize: 1.2MB
  MD5: d241d05d6cc53887772cc12e93759c50
  SHA1: e13109e21acd264714539f7f3c9b7f0ff44d0211
  SHA256: 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
  SHA512: eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712