Analysis

  • max time kernel
    145s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
  • submitted
    05/12/2023, 17:12

General

  • Target

    Yar.exe

  • Size

    1.1MB

  • MD5

    ff3751454ca1658a428b889e398d188f

  • SHA1

    104448a398139e9972431cbf78a584cc9119c304

  • SHA256

    e7786686b2b48fd0e29d9c18ffeebb816a75f4e5704170fb9858f7bb9e6d3ff1

  • SHA512

    0aed38bf2ccada7c32f49fe215de0e92c38f0139ffe6dbff55cc7b5c8efb478a9310674ba9bbcf575e16798f948573cb2c51ed1caab9fd11d387c6cfdc785826

  • SSDEEP

    12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbvDUUKAIBaZd3xgruwn2oKPOileholldz8mU:U2G/nvxW3Ww0t7xKAIBaCryOike7dzdU

Score
10/10

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Yar.exe
    "C:\Users\Admin\AppData\Local\Temp\Yar.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Bridgehypersurrogate\mtYSF.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Bridgehypersurrogate\vhpRdxgjT8JEEAKHpAXjiDc8va.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Bridgehypersurrogate\portsurrogatemonitor.exe
          "C:\Bridgehypersurrogate\portsurrogatemonitor.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Bridgehypersurrogate\portsurrogatemonitor.exe
            "C:\Bridgehypersurrogate\portsurrogatemonitor.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3404
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N453jLUqHI.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Bridgehypersurrogate\portsurrogatemonitor.exe
                "C:\Bridgehypersurrogate\portsurrogatemonitor.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1636
                • C:\Windows\de-DE\MoUsoCoreWorker.exe
                  "C:\Windows\de-DE\MoUsoCoreWorker.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Bridgehypersurrogate\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Bridgehypersurrogate\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Bridgehypersurrogate\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Bridgehypersurrogate\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Bridgehypersurrogate\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:4636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:4288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:3636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:2772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:4780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:3608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Bridgehypersurrogate\backgroundTaskHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:4708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4688
  • C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    1⤵
    PID:976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:2268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\odt\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Bridgehypersurrogate\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Bridgehypersurrogate\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Bridgehypersurrogate\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:3388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Bridgehypersurrogate\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:3528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Bridgehypersurrogate\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:4108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:3252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\MoUsoCoreWorker.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:4556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:3568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:4436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
      1⤵
      PID:2788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe'" /f
        1⤵
        PID:4800
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Bridgehypersurrogate\dwm.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:3088
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\StartMenuExperienceHost.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:4292
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:1296
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:552
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          PID:400

Downloads

  • C:\Bridgehypersurrogate\backgroundTaskHost.exe

    Filesize

    828KB

    MD5

    9177dc1235ce8da32d20e3367b018637

    SHA1

    9785e90b1869e793af72f4f9b0ef0ae16ec8c68d

    SHA256

    98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d

    SHA512

    a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

  • C:\Bridgehypersurrogate\mtYSF.vbe

    Filesize

    224B

    MD5

    72f05710288e42849e3835e7f5cb7748

    SHA1

    e866b3ff38d5109cf5e1e16c692358bceef4473d

    SHA256

    acceb8a17863212277b22f009d76118e4d9aa5e76ca66fe2602b02fe2fcb9c3b

    SHA512

    52fd1010e2455c65fb9eef4000b096af5aee79561260e7d238cd261ac28377402d26ff57aa5e86fc18156a5ab273f0aba2c25f7c899d6359b47dcfe3e0c7f0b0

  • C:\Bridgehypersurrogate\portsurrogatemonitor.exe

    Filesize

    828KB

    MD5

    9177dc1235ce8da32d20e3367b018637

    SHA1

    9785e90b1869e793af72f4f9b0ef0ae16ec8c68d

    SHA256

    98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d

    SHA512

    a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

  • C:\Bridgehypersurrogate\vhpRdxgjT8JEEAKHpAXjiDc8va.bat

    Filesize

    50B

    MD5

    8340b7a68f0e70aca070b138792520d4

    SHA1

    aeea5b3aabda84add611832ccb2badd157e8444e

    SHA256

    f747e81cbf3144de5af7f620fcfc64daf38f43bb8a1ac3ba35d14805665f6c12

    SHA512

    4e96073d06dcca9cf6d8ac52f7dbebd0ac106e7108f1c3ffb23425e176feb2306efe2d2b846aa13c7365f33499c75a14167bd6d4b4c61fbf223ed99b968e771f

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\portsurrogatemonitor.exe.log

    Filesize

    1KB

    MD5

    7f3c0ae41f0d9ae10a8985a2c327b8fb

    SHA1

    d58622bf6b5071beacf3b35bb505bde2000983e3

    SHA256

    519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

    SHA512

    8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

  • C:\Users\Admin\AppData\Local\Temp\N453jLUqHI.bat

    Filesize

    213B

    MD5

    83a00618e44d1fe31302aaa45a35c5f2

    SHA1

    575b1481438f283eecfedfb04b7983c36f7fd68d

    SHA256

    46194d5e33b9b8be66aba56f5d15bfe7a0554d4d0b0def5948b07ac393bd5520

    SHA512

    ab707023b1c30c992185b1c803e0b5dfaf433b78703eebccb8a9df1ded2774fdbbc23747d2a34d1cbecd2254eb5eee4b0ca20760fbc105ff9f1bbc3d9dd1d1d9

  • C:\Windows\de-DE\MoUsoCoreWorker.exe

    Filesize

    828KB

    MD5

    9177dc1235ce8da32d20e3367b018637

    SHA1

    9785e90b1869e793af72f4f9b0ef0ae16ec8c68d

    SHA256

    98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d

    SHA512

    a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

  • memory/1504-14-0x000000001B510000-0x000000001B520000-memory.dmp

    Filesize

    64KB

  • memory/1504-37-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

    Filesize

    10.8MB

  • memory/1504-12-0x00000000007B0000-0x0000000000886000-memory.dmp

    Filesize

    856KB

  • memory/1504-13-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

    Filesize

    10.8MB

  • memory/1636-94-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

    Filesize

    10.8MB

  • memory/1636-54-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

    Filesize

    10.8MB

  • memory/1636-55-0x000000001B720000-0x000000001B730000-memory.dmp

    Filesize

    64KB

  • memory/3404-52-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

    Filesize

    10.8MB

  • memory/3404-36-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

    Filesize

    10.8MB

  • memory/3404-38-0x000000001B730000-0x000000001B740000-memory.dmp

    Filesize

    64KB

  • memory/4256-95-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

    Filesize

    10.8MB

  • memory/4256-96-0x0000000001790000-0x00000000017A0000-memory.dmp

    Filesize

    64KB

  • memory/4256-97-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

    Filesize

    10.8MB

  • memory/4256-98-0x0000000001790000-0x00000000017A0000-memory.dmp

    Filesize

    64KB