Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 02:07
Behavioral task
behavioral1
Sample
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource
win10v2004-20240226-en
General
-
Target
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
-
Size
829KB
-
MD5
3bd8d1abdfdf35856a1b35c6824bd6f2
-
SHA1
3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
-
SHA256
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
-
SHA512
11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797
-
SSDEEP
12288:Qu1cCMKdiaT3Ok1MVBFdpkj6fe9BSbwfKyw8:VOlKUaT3O7VBFdpLWQEfKyP
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1088 schtasks.exe 3460 schtasks.exe 5036 schtasks.exe 2240 schtasks.exe 3628 schtasks.exe 4880 schtasks.exe 3876 schtasks.exe 4760 schtasks.exe 5008 schtasks.exe 2764 schtasks.exe 2568 schtasks.exe 4056 schtasks.exe 4924 schtasks.exe 3000 schtasks.exe 4376 schtasks.exe 4844 schtasks.exe 2800 schtasks.exe 4508 schtasks.exe 3284 schtasks.exe 2724 schtasks.exe 3064 schtasks.exe 4992 schtasks.exe 3896 schtasks.exe 2272 schtasks.exe 4244 schtasks.exe File created C:\Windows\bcastdvr\SearchApp.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\bcastdvr\38384e6a620884 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1376 schtasks.exe 4588 schtasks.exe 2428 schtasks.exe 4148 schtasks.exe 4576 schtasks.exe 816 schtasks.exe 3884 schtasks.exe 1332 schtasks.exe 3864 schtasks.exe 2228 schtasks.exe 1840 schtasks.exe File created C:\Windows\ModemLogs\6cb0b6c459d5d3 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 3976 schtasks.exe 3972 schtasks.exe 976 schtasks.exe 2328 schtasks.exe 4476 schtasks.exe 3444 schtasks.exe 3248 schtasks.exe 3168 schtasks.exe 3260 schtasks.exe 2776 schtasks.exe 3084 schtasks.exe 1764 schtasks.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\22eafd247d37c3 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 2216 schtasks.exe 3696 schtasks.exe 832 schtasks.exe 1528 schtasks.exe 4276 schtasks.exe 3960 schtasks.exe 2032 schtasks.exe 728 schtasks.exe 3484 schtasks.exe 3228 schtasks.exe 3276 schtasks.exe 4844 schtasks.exe -
Process spawned unexpected child process 63 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3960 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4576 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3084 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3260 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1764 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3628 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2240 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3276 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4880 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3976 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3876 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1332 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3284 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2568 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4760 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3864 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 976 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2328 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1088 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1376 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4056 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3552 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4588 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3248 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3460 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4924 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2724 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2776 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2428 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3888 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3696 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4992 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2032 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 728 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4376 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5036 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3896 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4476 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5008 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 816 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2272 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4244 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3484 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4148 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3228 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3168 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2764 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4060 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3444 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3000 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4276 916 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3884 916 schtasks.exe -
Processes:
resource yara_rule behavioral2/memory/568-1-0x0000000000B50000-0x0000000000C26000-memory.dmp dcrat C:\Program Files (x86)\Windows Sidebar\smss.exe dcrat -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe -
Executes dropped EXE 1 IoCs
Processes:
Registry.exepid process 2948 Registry.exe -
Drops file in Program Files directory 9 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exedescription ioc process File created C:\Program Files\Windows NT\TableTextService\explorer.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files\Windows NT\TableTextService\7a0fd90576e088 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files (x86)\Windows Sidebar\69ddcba757bf72 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\TextInputHost.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\22eafd247d37c3 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\TextInputHost.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\22eafd247d37c3 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files (x86)\Windows Sidebar\smss.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\smss.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe -
Drops file in Windows directory 11 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exedescription ioc process File created C:\Windows\bcastdvr\SearchApp.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File opened for modification C:\Windows\bcastdvr\SearchApp.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\ModemLogs\6cb0b6c459d5d3 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\twain_32\SearchApp.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\twain_32\38384e6a620884 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\bcastdvr\38384e6a620884 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\ModemLogs\dwm.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\Vss\Writers\Application\System.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\Vss\Writers\Application\27d1bcfc3c54e0 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\Logs\smss.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Windows\Logs\69ddcba757bf72 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 63 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3884 schtasks.exe 2800 schtasks.exe 3460 schtasks.exe 3972 schtasks.exe 4924 schtasks.exe 1840 schtasks.exe 3484 schtasks.exe 3000 schtasks.exe 3260 schtasks.exe 3276 schtasks.exe 3064 schtasks.exe 4992 schtasks.exe 5008 schtasks.exe 3444 schtasks.exe 3628 schtasks.exe 2428 schtasks.exe 3976 schtasks.exe 2776 schtasks.exe 4576 schtasks.exe 4880 schtasks.exe 5036 schtasks.exe 2272 schtasks.exe 3960 schtasks.exe 3284 schtasks.exe 728 schtasks.exe 3896 schtasks.exe 1332 schtasks.exe 3888 schtasks.exe 3084 schtasks.exe 1376 schtasks.exe 2568 schtasks.exe 2032 schtasks.exe 4476 schtasks.exe 2216 schtasks.exe 3876 schtasks.exe 4588 schtasks.exe 4148 schtasks.exe 3228 schtasks.exe 1528 schtasks.exe 1088 schtasks.exe 3552 schtasks.exe 2328 schtasks.exe 3248 schtasks.exe 1764 schtasks.exe 976 schtasks.exe 4060 schtasks.exe 2240 schtasks.exe 2724 schtasks.exe 816 schtasks.exe 4244 schtasks.exe 4844 schtasks.exe 3864 schtasks.exe 4276 schtasks.exe 3696 schtasks.exe 832 schtasks.exe 4508 schtasks.exe 3168 schtasks.exe 4844 schtasks.exe 4056 schtasks.exe 2228 schtasks.exe 2764 schtasks.exe 4760 schtasks.exe 4376 schtasks.exe -
Modifies registry class 2 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exeRegistry.exepid process 568 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 2948 Registry.exe 2948 Registry.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exeRegistry.exedescription pid process Token: SeDebugPrivilege 568 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe Token: SeDebugPrivilege 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe Token: SeDebugPrivilege 2948 Registry.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.execmd.exe439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.execmd.exedescription pid process target process PID 568 wrote to memory of 3500 568 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe cmd.exe PID 568 wrote to memory of 3500 568 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe cmd.exe PID 3500 wrote to memory of 3584 3500 cmd.exe w32tm.exe PID 3500 wrote to memory of 3584 3500 cmd.exe w32tm.exe PID 3500 wrote to memory of 1904 3500 cmd.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe PID 3500 wrote to memory of 1904 3500 cmd.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe PID 1904 wrote to memory of 2448 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe cmd.exe PID 1904 wrote to memory of 2448 1904 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe cmd.exe PID 2448 wrote to memory of 2220 2448 cmd.exe w32tm.exe PID 2448 wrote to memory of 2220 2448 cmd.exe w32tm.exe PID 2448 wrote to memory of 2948 2448 cmd.exe Registry.exe PID 2448 wrote to memory of 2948 2448 cmd.exe Registry.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"1⤵
- DcRat
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jns3fuIhcw.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3584
-
-
C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"3⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ax4NcS6Ce.bat"4⤵
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵PID:2220
-
-
C:\odt\Registry.exe"C:\odt\Registry.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\bcastdvr\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ModemLogs\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\Application\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\odt\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Logs\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\odt\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\reports\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\Crashpad\reports\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\twain_32\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d44" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d44" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:4992
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
829KB
MD53bd8d1abdfdf35856a1b35c6824bd6f2
SHA13e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
SHA256439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
SHA51211387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe.log
Filesize1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
184B
MD54ab9b95b11d8ca6bf1b66fc4307eee90
SHA17c71251ff88a5862212c9318b22f54f20131a3ae
SHA25643285614f53c0ad37274963dda3f84a7c2f7ca7653316bdd4830fa1aeb3976b2
SHA512b75468377e319b0673bbc3f7b17e5333e82e18e52228482ab97abdb2acebf24302cce00b1036255ffcbb7b0cd934029697ca5a53a9a28cee30f9e96067c6a908
-
Filesize
267B
MD5cc88683a4f4bd72b5952a4d54f4c39e8
SHA1830c5747896461f9480f10e662cb2266ee2a700d
SHA2566191d95d3164d57e8b64782d2532d0c39cb128415556e26589ecab6cb81d1552
SHA512e5916436087bf5d61acffe05a67494e377e82fa4410bc942fac85d8884f7281ab878d1f7ee8c8bde2b8f9345f98566111fb85bf5d9415b72c54056cea31237b9