Analysis
-
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 03:20
-
Behavioral task: behavioral1
Sample: Gamesense.exe
Resource: win7-20240611-en
-
Behavioral task: behavioral2
Sample: Gamesense.exe
Resource: win10v2004-20240611-en
General
-
Target: Gamesense.exe
Size: 2.5MB
MD5: 6e292e2932951e7a1cb7dfc313121a6b
SHA1: 72cf74f7ecf405b1f72fd3e42f541c30b2ff9fba
SHA256: ebcefb989d32ca643f3560d4223e47cbbe2ea3c97755cf93b9b3fbabaf3545cf
SHA512: ba6dda938a6c1beb724277b9c1b819d54467ce125de99619d19438d432f2273e785b94cd8c02ee747ceafe91159ce27d6fc891ba57f6365e2d4ff3afb1f06ed9
SSDEEP: 49152:UbA30sHoNElLsaAB3Olt0BSXYAnjE5fqpCUdwUencN9:UbgHjlLsxeAIj5pCweO
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 that is capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2940 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2036 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2912 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2468 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 112 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1524 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 568 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1800 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1684 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2400 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2396 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 748 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1260 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1796 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1436 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1132 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1392 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2880 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2124 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2272 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1660 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2368 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3064 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 900 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 288 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1500 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 268 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1988 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 892 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 772 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1012 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2232 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 880 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2452 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1564 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1556 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1228 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1040 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1184 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2144 | 2508 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2508 | schtasks.exe |
-
Processes:
resource | yara_rule
\bridgeFont\Blockdriverhost.exe | dcrat
behavioral1/memory/2612-13-0x00000000000E0000-0x000000000030E000-memory.dmp | dcrat
behavioral1/memory/2280-67-0x0000000000D90000-0x0000000000FBE000-memory.dmp | dcrat
-
Executes dropped EXE 2 IoCs
Processes:
Processes: Blockdriverhost.exe, wininit.exe
pid | process
2612 | Blockdriverhost.exe
2280 | wininit.exe
-
Loads dropped DLL 2 IoCs
Processes:
Processes: cmd.exe
pid | process
2748 | cmd.exe
2748 | cmd.exe
-
Drops file in Program Files directory 15 IoCs
Processes:
Processes: Blockdriverhost.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\taskhost.exe | Blockdriverhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\taskhost.exe | Blockdriverhost.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe | Blockdriverhost.exe
File created | C:\Program Files (x86)\Windows Portable Devices\csrss.exe | Blockdriverhost.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\56085415360792 | Blockdriverhost.exe
File created | C:\Program Files\Windows Media Player\es-ES\cmd.exe | Blockdriverhost.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe | Blockdriverhost.exe
File created | C:\Program Files\Windows Media Player\es-ES\ebf1f9fa8afd6d | Blockdriverhost.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\b75386f1303e64 | Blockdriverhost.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6203df4a6bafc7 | Blockdriverhost.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe | Blockdriverhost.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe | Blockdriverhost.exe
File created | C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e | Blockdriverhost.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\088424020bedd6 | Blockdriverhost.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\27d1bcfc3c54e0 | Blockdriverhost.exe
-
Drops file in Windows directory 4 IoCs
Processes:
Processes: Blockdriverhost.exe
description | ioc | process
File created | C:\Windows\L2Schemas\explorer.exe | Blockdriverhost.exe
File created | C:\Windows\L2Schemas\7a0fd90576e088 | Blockdriverhost.exe
File created | C:\Windows\Globalization\ELS\Transliteration\winlogon.exe | Blockdriverhost.exe
File created | C:\Windows\Globalization\ELS\Transliteration\cc11b995f2a76d | Blockdriverhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
Processes: schtasks.exe
pid | process
2312 | schtasks.exe
748 | schtasks.exe
1784 | schtasks.exe
1660 | schtasks.exe
288 | schtasks.exe
2144 | schtasks.exe
2912 | schtasks.exe
2400 | schtasks.exe
1592 | schtasks.exe
112 | schtasks.exe
1392 | schtasks.exe
1764 | schtasks.exe
1800 | schtasks.exe
1676 | schtasks.exe
3064 | schtasks.exe
880 | schtasks.exe
892 | schtasks.exe
2220 | schtasks.exe
2292 | schtasks.exe
2052 | schtasks.exe
1956 | schtasks.exe
2232 | schtasks.exe
2036 | schtasks.exe
2468 | schtasks.exe
1228 | schtasks.exe
2868 | schtasks.exe
1556 | schtasks.exe
1040 | schtasks.exe
1260 | schtasks.exe
900 | schtasks.exe
2424 | schtasks.exe
1444 | schtasks.exe
2368 | schtasks.exe
2184 | schtasks.exe
1524 | schtasks.exe
1684 | schtasks.exe
1500 | schtasks.exe
268 | schtasks.exe
1988 | schtasks.exe
1184 | schtasks.exe
2976 | schtasks.exe
1796 | schtasks.exe
2272 | schtasks.exe
1564 | schtasks.exe
1964 | schtasks.exe
1132 | schtasks.exe
2576 | schtasks.exe
772 | schtasks.exe
2452 | schtasks.exe
2940 | schtasks.exe
1012 | schtasks.exe
2816 | schtasks.exe
568 | schtasks.exe
2124 | schtasks.exe
2880 | schtasks.exe
2396 | schtasks.exe
1436 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes: Blockdriverhost.exe, wininit.exe
pid | process
2612 | Blockdriverhost.exe (this row is repeated 27 times)
2280 | wininit.exe (this row is repeated 37 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Processes: wininit.exe
pid | process
2280 | wininit.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Processes: Blockdriverhost.exe, wininit.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 2612 | Blockdriverhost.exe
Token: SeDebugPrivilege | 2280 | wininit.exe
Token: SeBackupPrivilege | 1800 | vssvc.exe
Token: SeRestorePrivilege | 1800 | vssvc.exe
Token: SeAuditPrivilege | 1800 | vssvc.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
Processes: Gamesense.exe, WScript.exe, cmd.exe, Blockdriverhost.exe, wininit.exe
description | pid | process | target process
PID 2312 wrote to memory of 2304 | 2312 | Gamesense.exe | WScript.exe
PID 2312 wrote to memory of 2304 | 2312 | Gamesense.exe | WScript.exe
PID 2312 wrote to memory of 2304 | 2312 | Gamesense.exe | WScript.exe
PID 2312 wrote to memory of 2304 | 2312 | Gamesense.exe | WScript.exe
PID 2304 wrote to memory of 2748 | 2304 | WScript.exe | cmd.exe
PID 2304 wrote to memory of 2748 | 2304 | WScript.exe | cmd.exe
PID 2304 wrote to memory of 2748 | 2304 | WScript.exe | cmd.exe
PID 2304 wrote to memory of 2748 | 2304 | WScript.exe | cmd.exe
PID 2748 wrote to memory of 2612 | 2748 | cmd.exe | Blockdriverhost.exe
PID 2748 wrote to memory of 2612 | 2748 | cmd.exe | Blockdriverhost.exe
PID 2748 wrote to memory of 2612 | 2748 | cmd.exe | Blockdriverhost.exe
PID 2748 wrote to memory of 2612 | 2748 | cmd.exe | Blockdriverhost.exe
PID 2612 wrote to memory of 2280 | 2612 | Blockdriverhost.exe | wininit.exe
PID 2612 wrote to memory of 2280 | 2612 | Blockdriverhost.exe | wininit.exe
PID 2612 wrote to memory of 2280 | 2612 | Blockdriverhost.exe | wininit.exe
PID 2280 wrote to memory of 1724 | 2280 | wininit.exe | WScript.exe
PID 2280 wrote to memory of 1724 | 2280 | wininit.exe | WScript.exe
PID 2280 wrote to memory of 1724 | 2280 | wininit.exe | WScript.exe
PID 2280 wrote to memory of 1588 | 2280 | wininit.exe | WScript.exe
PID 2280 wrote to memory of 1588 | 2280 | wininit.exe | WScript.exe
PID 2280 wrote to memory of 1588 | 2280 | wininit.exe | WScript.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\Gamesense.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Gamesense.exe"
- Suspicious use of WriteProcessMemory
PID:2312
-
Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe"
- Suspicious use of WriteProcessMemory
PID:2304
-
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\bridgeFont\A6eEKUh9zDmgALE.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
-
Depth 4: C:\bridgeFont\Blockdriverhost.exe
Command line: "C:\bridgeFont\Blockdriverhost.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
-
Depth 5: C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
-
Depth 6: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\406eb397-f2a4-41d2-96e5-98254a608383.vbs"
PID:1724
-
Depth 6: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b9e2128-7818-4809-a1d0-cae182329023.vbs"
PID:1588
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\bridgeFont\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\bridgeFont\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\bridgeFont\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\bridgeFont\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\bridgeFont\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\bridgeFont\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\bridgeFont\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\bridgeFont\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\bridgeFont\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "BlockdriverhostB" /sc MINUTE /mo 8 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Blockdriverhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Blockdriverhost" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Blockdriverhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "BlockdriverhostB" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Blockdriverhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\es-ES\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\es-ES\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
Depth 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1800
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\406eb397-f2a4-41d2-96e5-98254a608383.vbs
Filesize: 737B
MD5: ce51ae7d51da129a1646f504644c13d3
SHA1: d951f8921f2f23f8d4c21ad10edfc9009e00691e
SHA256: b1a7e8d7839f8f5563e0e49f8ebca518a36504cbddeb5fc0d36637b6cb93a4ff
SHA512: 166c3859f622039def97f6f9cd4314773c565c7b78b2d48efc43c5573ecb06b78506c774786ed1f7b27cce4183387a7a4408c97b583e0877e4c78952a44e6aea
-
C:\Users\Admin\AppData\Local\Temp\5b9e2128-7818-4809-a1d0-cae182329023.vbs
Filesize: 513B
MD5: 05e94e53fe0f65db5a370eea95669819
SHA1: 0fe0a56a6f4464da31ad6df0775786765c74cb5b
SHA256: 83ca6b5f622e08a45623032fc98ea5bbcb9a9a075c01b2c81d18d38554509b92
SHA512: 112dcca48cdc68d1d5eb900da003d9355b17653650905d853abe0a47b1b14318d9bbdba066f7fca542dbb10cc0d700a98a9d90a17c56ae09502bbaf13b974d7e
-
C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe
Filesize: 203B
MD5: f834877689aa9f2dbd0d2084bb779fb4
SHA1: 5bcadc4ef4b14e7c41b7fb0b9cf8d918bfabea67
SHA256: 21f91b10a8abe860f6cc78e0c229737187e13f30f773af62f27e630534039768
SHA512: abbade5f776f7e1515bee59b5c01d7d39f89c14f12f72795b5fed7d7c82efb6508c34cbd267a5f6b16e285ae590f5769e28db6522187e5556da14d2bc1886034
-
C:\bridgeFont\A6eEKUh9zDmgALE.bat
Filesize: 35B
MD5: a254cc5bfb66a33ccdee83d23ff8d10b
SHA1: 40461cbacf4b71e94dd321fc30d7d69febd1e8ee
SHA256: f34a02f3f74a210905c17a168415de23a429c4f33f1943fd6ff7d86421ddcf87
SHA512: f5f9a32b0e5ace91ee1b4a113c8413a7d61b3d2cc9878b73256e89cb3c59896b8b91b98e9adfb711ffbdd21137d030ddf6489c7fdd587c1b2955a8e65afea05e
-
\bridgeFont\Blockdriverhost.exe
Filesize: 2.2MB
MD5: 4021df69fad7e54ef1154a5322b1eece
SHA1: ece1a3140a5a394c4a57f110609b9d494e6f59f5
SHA256: 3bf9e41b570eeb923ed1f44e1fffa81fbd3dfe9f0324c594327d2d271af8cc6f
SHA512: 0e0a18d8b319f2ff1de023ef8f43d905bbb47e08515ce91a02a868c5ed948fb02ee62576967512582c67da5593618526be8ae272a6e9b3fc4c664d40bd51e9d4
-
memory/2280-69-0x0000000000AB0000-0x0000000000AC2000-memory.dmp
Filesize: 72KB
-
memory/2280-68-0x0000000000A40000-0x0000000000A96000-memory.dmp
Filesize: 344KB
-
memory/2280-67-0x0000000000D90000-0x0000000000FBE000-memory.dmp
Filesize: 2.2MB
-
memory/2612-18-0x0000000000730000-0x0000000000742000-memory.dmp
Filesize: 72KB
-
memory/2612-19-0x0000000000870000-0x000000000087C000-memory.dmp
Filesize: 48KB
-
memory/2612-20-0x0000000000880000-0x000000000088A000-memory.dmp
Filesize: 40KB
-
memory/2612-21-0x00000000020A0000-0x00000000020A8000-memory.dmp
Filesize: 32KB
-
memory/2612-22-0x0000000002130000-0x000000000213C000-memory.dmp
Filesize: 48KB
-
memory/2612-17-0x0000000000720000-0x000000000072C000-memory.dmp
Filesize: 48KB
-
memory/2612-16-0x0000000000710000-0x000000000071C000-memory.dmp
Filesize: 48KB
-
memory/2612-15-0x0000000002180000-0x00000000021D6000-memory.dmp
Filesize: 344KB
-
memory/2612-14-0x0000000000700000-0x0000000000708000-memory.dmp
Filesize: 32KB
-
memory/2612-13-0x00000000000E0000-0x000000000030E000-memory.dmp
Filesize: 2.2MB