Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 08:11

Behavioral task: behavioral1
Sample: 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe
Resource: win10v2004-20240426-en
General
Target: 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe
Size: 1.5MB
MD5: 0aa11032569ed0cb4b5dc419ff4a9546
SHA1: 231c007ce085606499eea34174fd92911852848c
SHA256: 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249
SHA512: 27ceefa9ff530a84e5375aa45ad00b76039d28a35bed79f5f504952401bdde41834ae668790d4c83a9d2f4d61b20d78e425b9badddf27273c35779a088137079
SSDEEP: 24576:U2G/nvxW3Ww0trsehgyBX9ONFTyvQa3bGl//rqtI1kg+QwZ0aHaCgPu8RYaJ:UbA30rscgjApSZWtI1t+QihaCUhYu
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
Processes:
schtasks.exe PIDs (56): 4544, 2328, 3164, 4112, 5072, 4584, 4088, 620, 4188, 4384, 952, 4708, 376, 1020, 3160, 4284, 804, 220, 4932, 4624, 4336, 944, 388, 524, 388, 1952, 4948, 4488, 4712, 3832, 4712, 4832, 1720, 4660, 4540, 4368, 4908, 1384, 4112, 4628, 4344, 3496, 3300, 944, 712, 216, 3428, 1260, 5092, 5092, 1036, 3184, 4876, 5008, 5048, 4176
Files created by winIntocrt.exe (8):
C:\Windows\DigitalLocker\en-US\9e8d7a4ca61bd9
C:\Program Files (x86)\Windows NT\TableTextService\f3b6ecef712a24
C:\Program Files (x86)\Mozilla Maintenance Service\logs\29c1c3cc0f7685
C:\Program Files (x86)\Windows Defender\fr-FR\9e8d7a4ca61bd9
C:\Windows\Sun\Java\Deployment\886983d96e3d3e
C:\Windows\Setup\27d1bcfc3c54e0
C:\Windows\en-US\5940a34987c991
C:\Windows\Speech_OneCore\Engines\Lexicon\38384e6a620884
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run every flagged child is schtasks.exe and the parent is always C:\Windows\system32\wbem\wmiprvse.exe (PID 2508). WmiPrvSE.exe is the WMI provider host, and processes created through WMI become its children, so this lineage is consistent with winIntocrt.exe registering its tasks via WMI process creation rather than with an exploited parent. The practical consequence is that the real originator does not appear as the parent in process-creation telemetry; correlate on the schtasks.exe command lines and the task target paths instead.
Processes:
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2508) is not expected to spawn schtasks.exe. Child schtasks.exe PIDs (64): 5092, 1952, 3688, 620, 220, 4712, 4832, 3300, 4384, 216, 4708, 388, 1720, 4624, 1384, 1036, 4112, 4660, 4640, 944, 392, 4932, 3964, 3496, 4188, 3728, 4336, 712, 4308, 1260, 376, 4876, 4088, 4604, 3184, 5008, 3428, 4368, 4480, 3832, 5072, 3140, 1792, 1064, 4540, 5048, 4984, 4344, 4908, 952, 4488, 3088, 212, 1020, 4584, 3160, 3924, 5092, 4176, 4284, 3164, 4544, 4712, 4628
YARA matches (resource, rule):
C:\portfontruntimedhcpcommon\winIntocrt.exe: dcrat
behavioral2/memory/4988-13-0x0000000000960000-0x0000000000A96000-memory.dmp: dcrat
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation
by 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe
by WScript.exe
by winIntocrt.exe
by winIntocrt.exe
Executes dropped EXE 3 IoCs
Processes:
4988 winIntocrt.exe
464 winIntocrt.exe
4596 StartMenuExperienceHost.exe
Drops file in Program Files directory 13 IoCs
Processes:
Files created by winIntocrt.exe:
C:\Program Files (x86)\Mozilla Maintenance Service\logs\29c1c3cc0f7685
C:\Program Files (x86)\Windows NT\TableTextService\f3b6ecef712a24
C:\Program Files (x86)\Windows Defender\fr-FR\9e8d7a4ca61bd9
C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e
C:\Program Files (x86)\Windows Portable Devices\csrss.exe
C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe
C:\Program Files\Microsoft Office 15\ClientX64\55b276f4edf653
C:\Program Files\Mozilla Firefox\uninstall\9e8d7a4ca61bd9
C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe
C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe
C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe
C:\Program Files\WindowsApps\MoUsoCoreWorker.exe
C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe
Drops file in Windows directory 17 IoCs
Processes:
Files created by winIntocrt.exe:
C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe
C:\Windows\LiveKernelReports\9e8d7a4ca61bd9
C:\Windows\Sun\Java\Deployment\886983d96e3d3e
C:\Windows\Speech_OneCore\Engines\Lexicon\SearchApp.exe
C:\Windows\Setup\27d1bcfc3c54e0
C:\Windows\Sun\Java\Deployment\csrss.exe
C:\Windows\Setup\System.exe
C:\Windows\CSC\explorer.exe
C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\wininit.exe
C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\56085415360792
C:\Windows\DigitalLocker\en-US\9e8d7a4ca61bd9
C:\Windows\Speech_OneCore\Engines\Lexicon\38384e6a620884
C:\Windows\ModemLogs\sihost.exe
C:\Windows\LiveKernelReports\RuntimeBroker.exe
C:\Windows\en-US\dllhost.exe
C:\Windows\en-US\5940a34987c991
C:\Windows\ModemLogs\66fc9ff0ee96c2
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe PIDs (64): 1720, 4112, 4488, 4712, 4660, 3088, 4712, 4628, 216, 3184, 804, 2328, 3164, 1952, 712, 1260, 4876, 3496, 3428, 5072, 1792, 4384, 4932, 4344, 952, 944, 4708, 1384, 4112, 1036, 3728, 3832, 1064, 3924, 4176, 4832, 4308, 4540, 4984, 4908, 2852, 3964, 4188, 5008, 5048, 388, 5092, 396, 5092, 3300, 4336, 4604, 1020, 4584, 2028, 524, 1416, 4624, 392, 4088, 4480, 4544, 4384, 4948
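The three behaviours that carry this sample's persistence (schtasks.exe children of WmiPrvSE.exe, task actions and dropped files that borrow Windows binary names in directories where the genuine binary never lives, and the 14-hex-character companion file written next to each copy), plus the DisableTaskMgr registry write, can be expressed as a few triage rules over process and file telemetry. The following is an added example written for this page, not code from the sandbox or from the malware report. The event records are constructed from PIDs, paths and command lines that appear in this report; the field names, the expected-directory allowlist and the 15-minute interval threshold are assumptions made for the example.

```python
"""Triage rules for the behaviours in this report, run over constructed events.

Event dicts mimic a Sysmon-like process/file telemetry feed; the field
names, the directory allowlist and the 15-minute threshold are assumptions
made for this example.
"""
import ntpath
import re

# Windows binary names this sample reuses for its dropped copies, and the
# directory in which the genuine binary lives (simplified allowlist; an
# assumption, not a full Windows inventory).
DEFAULT_EXPECTED = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXPECTED_DIRS = {
    "explorer.exe": ("c:\\windows\\",),
    "unsecapp.exe": ("c:\\windows\\system32\\wbem\\",),
    "searchapp.exe": (
        "c:\\windows\\systemapps\\microsoft.windows.search_cw5n1h2txyewy\\",),
    "startmenuexperiencehost.exe": (
        "c:\\windows\\systemapps\\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\\",),
}
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "runtimebroker.exe", "dllhost.exe", "spoolsv.exe",
    "unsecapp.exe", "wininit.exe", "sihost.exe", "explorer.exe",
    "searchapp.exe", "fontdrvhost.exe", "sppsvc.exe", "upfc.exe",
    "conhost.exe", "mousocoreworker.exe", "startmenuexperiencehost.exe",
}
# The sample writes a 14-hex-character companion file beside each dropped copy.
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")
SCHTASKS_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)
SHORT_INTERVAL_MIN = 15  # assumed threshold for "re-launch every few minutes"


def is_masquerade(path: str) -> bool:
    """True when the basename is a Windows binary name but the directory is
    not the one where the genuine binary lives."""
    low = path.lower()
    name = ntpath.basename(low)
    if name not in SYSTEM_BINARY_NAMES:
        return False
    here = ntpath.dirname(low) + "\\"
    return here not in EXPECTED_DIRS.get(name, DEFAULT_EXPECTED)


def parse_schtasks(cmdline: str) -> dict:
    """Pull /tn /sc /mo /tr /rl out of a schtasks command line; a /tr value
    written as "'C:\\x\\y.exe'" is unwrapped to the bare path."""
    return {k.lower(): v.strip('"').strip("'")
            for k, v in SCHTASKS_OPT.findall(cmdline)}


def triage(events: list) -> list:
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    out = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "ProcessCreate":
            image = ntpath.basename(ev["image"]).lower()
            parent = ntpath.basename(ev["parent_image"]).lower()
            cmd = ev["cmdline"]
            # WmiPrvSE.exe hosts WMI providers; a schtasks.exe child means the
            # task was registered via WMI and the real caller is not the parent.
            if image == "schtasks.exe" and parent == "wmiprvse.exe":
                out.append(("wmi_lineage", pid, ev["parent_image"]))
            if image == "schtasks.exe" and "/create" in cmd.lower():
                o = parse_schtasks(cmd)
                target, sc = o.get("tr", ""), o.get("sc", "").upper()
                if is_masquerade(target):
                    out.append(("task_masquerade", pid, target))
                if sc == "MINUTE" and int(o.get("mo", "1")) <= SHORT_INTERVAL_MIN:
                    out.append(("task_short_interval", pid,
                                f"every {o.get('mo', '1')} min -> {target}"))
                if sc == "ONLOGON" and o.get("rl", "").upper() == "HIGHEST":
                    out.append(("task_logon_highest", pid, target))
            if image == "reg.exe" and "disabletaskmgr" in cmd.lower():
                out.append(("taskmgr_disabled", pid, cmd))
        elif ev["type"] == "FileCreate":
            path = ev["path"]
            if is_masquerade(path):
                out.append(("drop_masquerade", pid, path))
            if MARKER_RE.match(ntpath.basename(path).lower()):
                out.append(("drop_marker_file", pid, path))
    return out


# Constructed events modelled on PIDs, paths and command lines in this report.
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
EVENTS = [
    {"type": "ProcessCreate", "pid": 5092, "ppid": 2508, "parent_image": WMI,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\portfontruntimedhcpcommon\conhost.exe'" /f'''},
    {"type": "ProcessCreate", "pid": 220, "ppid": 2508, "parent_image": WMI,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f'''},
    {"type": "ProcessCreate", "pid": 4592, "ppid": 3760,
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"type": "FileCreate", "pid": 4988,
     "path": r"C:\Program Files (x86)\Windows Portable Devices\csrss.exe"},
    {"type": "FileCreate", "pid": 4988,
     "path": r"C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e"},
    # Benign control (constructed): an interactive user creating a daily task.
    {"type": "ProcessCreate", "pid": 7777, "ppid": 4000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe"'''},
]

if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:20} pid={pid:<5} {detail}")
```

Run stand-alone it prints nine findings for the five malicious events and nothing for the control. The directory comparison is exact rather than a prefix test on purpose: a copy of csrss.exe written to a subfolder of System32 (the Tasks directory, for instance) should still be flagged. The allowlist is deliberately small; on a real estate it should be generated from a known-good image rather than typed by hand.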
Modifies registry class 3 IoCs
Processes:
Key created: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings
by 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe
by winIntocrt.exe
by winIntocrt.exe
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
4988 winIntocrt.exe (8 events)
464 winIntocrt.exe (7 events)
4596 StartMenuExperienceHost.exe (1 event)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Token: SeDebugPrivilege, 4988 winIntocrt.exe
Token: SeDebugPrivilege, 464 winIntocrt.exe
Token: SeDebugPrivilege, 4596 StartMenuExperienceHost.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
PID 1104 (460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe) wrote to memory of 2736 (WScript.exe), 3 events
PID 2736 (WScript.exe) wrote to memory of 3760 (cmd.exe), 3 events
PID 3760 (cmd.exe) wrote to memory of 4988 (winIntocrt.exe), 2 events
PID 4988 (winIntocrt.exe) wrote to memory of 3740 (cmd.exe), 2 events
PID 3760 (cmd.exe) wrote to memory of 4592 (reg.exe), 3 events
PID 3740 (cmd.exe) wrote to memory of 1076 (w32tm.exe), 2 events
PID 3740 (cmd.exe) wrote to memory of 464 (winIntocrt.exe), 2 events
PID 464 (winIntocrt.exe) wrote to memory of 1712 (cmd.exe), 2 events
PID 1712 (cmd.exe) wrote to memory of 1864 (w32tm.exe), 2 events
PID 1712 (cmd.exe) wrote to memory of 4596 (StartMenuExperienceHost.exe), 2 events
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe"
    PID 1104
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\portfontruntimedhcpcommon\2AtjMgNakJRkKYjukYN.vbe"
      PID 2736
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\portfontruntimedhcpcommon\ZlA6L6tE0pGuNWSWZqbtTT.bat" "
        PID 3760
        - Suspicious use of WriteProcessMemory
      [4] C:\portfontruntimedhcpcommon\winIntocrt.exe
          cmdline: "C:\portfontruntimedhcpcommon\winIntocrt.exe"
          PID 4988
          - DcRat
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ItcKxYHdV0.bat"
            PID 3740
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\w32tm.exe
              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID 1076
          [6] C:\portfontruntimedhcpcommon\winIntocrt.exe
              cmdline: "C:\portfontruntimedhcpcommon\winIntocrt.exe"
              PID 464
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OFxjZIxk2T.bat"
                PID 1712
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\w32tm.exe
                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  PID 1864
              [8] C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe
                  cmdline: "C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe"
                  PID 4596
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\reg.exe
          cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          PID 4592
          - Modifies registry key

Note on the two w32tm.exe children (PIDs 1076 and 1864): each is launched from a dropped .bat immediately before the next stage (winIntocrt.exe again, then the StartMenuExperienceHost.exe copy). w32tm /stripchart against localhost with /samples:2 and /period:5 has no time-synchronisation effect; it blocks for a few seconds while it collects its two samples, so here it serves only as a delay between stages and is a useful hunting pivot when it appears under cmd.exe with a batch file as the parent.
C:\Windows\system32\schtasks.exe
Scheduled-task registrations. All of these sit at tree level 1 because their parent, wmiprvse.exe (PID 2508), is not part of the sample's own process tree (see "Process spawned unexpected child process" above). Each entry gives the command line, then the PID and the signatures that matched it.

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\portfontruntimedhcpcommon\conhost.exe'" /f
- PID 5092; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\portfontruntimedhcpcommon\conhost.exe'" /rl HIGHEST /f
- PID 1952; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\portfontruntimedhcpcommon\conhost.exe'" /rl HIGHEST /f
- PID 3688; Process spawned unexpected child process

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /f
- PID 620; DcRat; Process spawned unexpected child process

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 220; DcRat; Process spawned unexpected child process

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 4712; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f
- PID 4832; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
- PID 3300; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
- PID 4384; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /f
- PID 216; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 4708; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 388; DcRat; Process spawned unexpected child process

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- PID 1720; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- PID 4624; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- PID 1384; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /f
- PID 1036; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
- PID 4112; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
- PID 4660; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
- PID 4640; Process spawned unexpected child process

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- PID 944; DcRat; Process spawned unexpected child process

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- PID 392; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
- PID 4932; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- PID 3964; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- PID 3496; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /f
- PID 4188; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f
- PID 3728; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f
- PID 4336; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /f
- PID 712; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
- PID 4308; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
- PID 1260; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /f
- PID 376; DcRat; Process spawned unexpected child process

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 4876; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 4088; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
- PID 4604; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 3184; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 5008; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\dllhost.exe'" /f
- PID 3428; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
- PID 4368; DcRat; Process spawned unexpected child process

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
- PID 4480; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
- PID 3832; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- PID 5072; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- PID 3140; Process spawned unexpected child process

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
- PID 1792; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- PID 1064; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- PID 4540; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\SearchApp.exe'" /f
- PID 5048; DcRat; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\SearchApp.exe'" /rl HIGHEST /f
- PID 4984; Process spawned unexpected child process; Creates scheduled task(s)

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Setup\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:3300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:4384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\wininit.exe'" /f1⤵
- Creates scheduled task(s)
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:4112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\wininit.exe'" /rl HIGHEST /f1⤵PID:4660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:4948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:2852
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winIntocrt.exe.log
Filesize 1KB
MD5 7800fca2323a4130444c572374a030f4
SHA1 40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa
SHA256 29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e
SHA512 c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554
-
C:\Users\Admin\AppData\Local\Temp\ItcKxYHdV0.bat
Filesize 208B
MD5 d357e0778d70f6e2da53d5093242ceb0
SHA1 fc18f026a3733548240be135ebbbf8e9abf33125
SHA256 42b15ff7efbd24f0a3fbec1f1a2ebe25201b22d182c21f4d3c291ba5c8be7513
SHA512 2d2c80c02165c15dffc1b7b75b2ad3663f1ae60fa2a7feb02bfd3bdd49facdf6041ead6ebb27b9a23ec99d45b718c7f8aa92c70e61692c6ea630970d33b8f047
-
C:\Users\Admin\AppData\Local\Temp\OFxjZIxk2T.bat
Filesize 239B
MD5 440dcad8d5b168c95dc1815cb2b75a24
SHA1 b5186030dafd76a2590826ed2e22145807b7246f
SHA256 d5387208a9b3cf9a46c2f1634a6fb98121259177aa0a250829b89fc8061648b0
SHA512 902f08da839e41125145f38b1d768f27c921b28dbc3ab0e0544b1348223e063bedefdad94693df3bce558317df861863515043443f27184d334f3344ea3aa7d7
-
C:\portfontruntimedhcpcommon\2AtjMgNakJRkKYjukYN.vbe
Filesize 224B
MD5 2d592334ab65a88655a2f86417777486
SHA1 43316e128f8cd05f2e783c8a90192aa6f423f9a5
SHA256 e6b379acb737d1fff313a9090bd4d8d582c4e98209d63691718b1fda2115d1cf
SHA512 364ef08f42a2ba6b7290929f62a8f9bd6d5084054aca3f886d8ca7de472ef37b0e4ec57c666fbfa70ef52f47f0ed31c56452b840ae5e9dcfb85231930394c65a
-
C:\portfontruntimedhcpcommon\ZlA6L6tE0pGuNWSWZqbtTT.bat
Filesize 157B
MD5 37a07b949b9630d9845c522bbf15f97c
SHA1 b60e22be8a2b81f733cd0b7d00f28ad3da79124b
SHA256 fd589c262fef893181690d62411fa304e79cf9d8470c3db7ebec775774ca28fb
SHA512 c4c519a2b57d44ee4a3871c1a08ca666016ace84648c180b1f9caa6efd67d3b0d1cd23b9bcd7f467a57504feed9ae203ec862ec65e1bd2077a7cb874557a3640
-
C:\portfontruntimedhcpcommon\winIntocrt.exe
Filesize 1.2MB
MD5 5da27eb690e92471d9d9669287011a75
SHA1 6e7f72f61d868c27c3e487586d959f35a96aeefc
SHA256 32346c2a4a55dc3c85e9712f8994480a826b209a00a9aedc7f181f6dd69e60d6
SHA512 0e47bbb8e2d72d1468308308d6e1444f824048d17f714d06135ca4ed63a4e2887aa8b327d36e4ef6243b5d0d734a1be3aff8b2c9f45efa97b739d2131392a291
-
memory/4988-12-0x00007FFCDB323000-0x00007FFCDB325000-memory.dmp
Filesize 8KB
-
memory/4988-13-0x0000000000960000-0x0000000000A96000-memory.dmp
Filesize 1.2MB
-
memory/4988-14-0x000000001B6A0000-0x000000001B6BC000-memory.dmp
Filesize 112KB
-
memory/4988-15-0x000000001BD50000-0x000000001BDA0000-memory.dmp
Filesize 320KB
-
memory/4988-16-0x000000001B6C0000-0x000000001B6D6000-memory.dmp
Filesize 88KB
-
memory/4988-17-0x000000001B6E0000-0x000000001B6EE000-memory.dmp
Filesize 56KB