Analysis
max time kernel
118s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231201-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231201-en locale:en-us os:windows10-2004-x64 system
submitted
07/12/2023, 05:56
Behavioral task
behavioral1
Sample
44e2a2a697477c436112954794761cc0.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
44e2a2a697477c436112954794761cc0.exe
Resource
win10v2004-20231201-en
General
-
Target
44e2a2a697477c436112954794761cc0.exe
-
Size
1.1MB
-
MD5
44e2a2a697477c436112954794761cc0
-
SHA1
87195428fd9e65ea14889e4853dc44f391088963
-
SHA256
90f403c6304240465460ace49b8db9d46c7d28bc36fd49b89f4722ee497bd2dd
-
SHA512
c2040c04ec3d743941c2ba059f572f07d5df2a043c5302b3cf6e13d74610025457be22c3b8d9a1943873b99ac72e5972830a5c17becc52fdc19582e0d58911c4
-
SSDEEP
24576:U2G/nvxW3Ww0titP01wNiMXBlVJX3NSdGKJg6U8HC:UbA30KP0XMXHX38dPDi
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 536 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3084 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 732 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1000 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1220 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4176 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4052 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3256 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1436 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2316 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4808 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4988 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3784 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3892 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3272 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3488 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5036 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3920 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4540 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4960 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2148 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3752 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 820 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3212 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2204 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4016 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2280 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3308 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2944 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4836 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4820 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4828 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3940 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3416 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 4012 schtasks.exe 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2208 4012 schtasks.exe 97
-
resource yara_rule
behavioral2/files/0x00070000000231e7-10.dat dcrat
behavioral2/files/0x00070000000231e7-11.dat dcrat
behavioral2/memory/3680-12-0x0000000000260000-0x0000000000336000-memory.dmp dcrat
behavioral2/files/0x00090000000231fb-17.dat dcrat
behavioral2/files/0x0006000000023225-53.dat dcrat
behavioral2/files/0x0006000000023225-54.dat dcrat
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation 44e2a2a697477c436112954794761cc0.exe
Key value queried \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation WScript.exe
Key value queried \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation intoperf.exe
-
Executes dropped EXE 2 IoCs
pid Process
3680 intoperf.exe
4668 explorer.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 13 IoCs
description ioc Process
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe intoperf.exe
File created C:\Program Files\Microsoft Office\fontdrvhost.exe intoperf.exe
File created C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe intoperf.exe
File created C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd intoperf.exe
File created C:\Program Files\Microsoft Office\5b884080fd4f94 intoperf.exe
File created C:\Program Files (x86)\Internet Explorer\ja-JP\e1ef82546f0b02 intoperf.exe
File created C:\Program Files\VideoLAN\VLC\lua\http\System.exe intoperf.exe
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\System.exe intoperf.exe
File created C:\Program Files (x86)\Windows Multimedia Platform\121e5b5079f7c0 intoperf.exe
File created C:\Program Files\VideoLAN\VLC\lua\http\27d1bcfc3c54e0 intoperf.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\eddb19405b7ce1 intoperf.exe
File created C:\Program Files (x86)\Internet Explorer\ja-JP\SppExtComObj.exe intoperf.exe
File created C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe intoperf.exe
-
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\GameBarPresenceWriter\7a0fd90576e088 intoperf.exe
File created C:\Windows\GameBarPresenceWriter\explorer.exe intoperf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2316 schtasks.exe
4808 schtasks.exe
3064 schtasks.exe
4540 schtasks.exe
2940 schtasks.exe
3892 schtasks.exe
3752 schtasks.exe
820 schtasks.exe
3308 schtasks.exe
3416 schtasks.exe
3084 schtasks.exe
3272 schtasks.exe
5036 schtasks.exe
3920 schtasks.exe
2280 schtasks.exe
4828 schtasks.exe
2208 schtasks.exe
1956 schtasks.exe
2172 schtasks.exe
1976 schtasks.exe
4960 schtasks.exe
832 schtasks.exe
1968 schtasks.exe
4988 schtasks.exe
3784 schtasks.exe
2148 schtasks.exe
2204 schtasks.exe
4016 schtasks.exe
2944 schtasks.exe
1740 schtasks.exe
536 schtasks.exe
1220 schtasks.exe
2116 schtasks.exe
3212 schtasks.exe
2992 schtasks.exe
732 schtasks.exe
1000 schtasks.exe
3256 schtasks.exe
1436 schtasks.exe
4836 schtasks.exe
3940 schtasks.exe
4176 schtasks.exe
4052 schtasks.exe
3488 schtasks.exe
4820 schtasks.exe
-
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000_Classes\Local Settings 44e2a2a697477c436112954794761cc0.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
3680 intoperf.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
4668 explorer.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 3680 intoperf.exe
Token: SeDebugPrivilege 4668 explorer.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target
PID 1020 wrote to memory of 3368 1020 44e2a2a697477c436112954794761cc0.exe 87
PID 1020 wrote to memory of 3368 1020 44e2a2a697477c436112954794761cc0.exe 87
PID 1020 wrote to memory of 3368 1020 44e2a2a697477c436112954794761cc0.exe 87
PID 3368 wrote to memory of 2928 3368 WScript.exe 94
PID 3368 wrote to memory of 2928 3368 WScript.exe 94
PID 3368 wrote to memory of 2928 3368 WScript.exe 94
PID 2928 wrote to memory of 3680 2928 cmd.exe 96
PID 2928 wrote to memory of 3680 2928 cmd.exe 96
PID 3680 wrote to memory of 4668 3680 intoperf.exe 143
PID 3680 wrote to memory of 4668 3680 intoperf.exe 143
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\44e2a2a697477c436112954794761cc0.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\44e2a2a697477c436112954794761cc0.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020
-
C:\Windows\SysWOW64\WScript.exe (depth 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\bridgewin\j1qIwrxR5PWhzH3rYbChGhv1rfV.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3368
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: C:\Windows\system32\cmd.exe /c ""C:\bridgewin\aVtauS9Ns.bat" "
- Suspicious use of WriteProcessMemory
PID:2928
-
C:\bridgewin\intoperf.exe (depth 4)
Command line: "C:\bridgewin\intoperf.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
-
C:\Windows\GameBarPresenceWriter\explorer.exe (depth 5)
Command line: "C:\Windows\GameBarPresenceWriter\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\unsecapp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\Documents\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Pictures\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\bridgewin\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\bridgewin\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\bridgewin\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
827KB
MD5 cb173771fd6331c5d9db3bef77acb57a
SHA1 f3680aab95eb9f37b38cc616bc6b01db3cc953c2
SHA256 251f52babec252887919e29c83180c6075a08e395f7fc2f44222e0dd320478b8
SHA512 826730b301286e2d1c1137716c393a2fee686cc3146852e3903e9b3ca7026dce9dbb839537028d8deb16903d60b4604830b51992058f649cc2259cacf3f55bb7
-
Filesize
27B
MD5 9563bdb4457bb726008ec17163dcefe6
SHA1 7c2927cc8ae633484e96cf0926eabadcffe44554
SHA256 f7016b9d9c3f1d7b89e0a4c06b1183e0d7207be92bad7e7cc960e976758fac4c
SHA512 5e5cb09ac2017366cbc024e452983ea783b763b837e00c67e450a86a7b83fbc5bf97da87b19d41f0393e8faf5d97491529d55a52e4556868a249d299bc002591
-
Filesize
195B
MD5 bcb81ae961fe26cc730d5429caee2a15
SHA1 5eee2200e5a5d79aa54e9de51a5e7332d26b32fc
SHA256 d8fe32ec91d7d9e865ce5f3a3382d6093ea78fbeb4dfe521021ad918f6f64bc3
SHA512 aaea8d450d6ca80ff0b6d82b8585a9e808863891fbc2de9387ad0220263d98898c89bebca90d331bef7eb900718c8625d4a259c0034b05246524e6d83fe5599d