Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
21-06-2024 10:51
Behavioral task
behavioral1
Sample
586551303debdcf610645e79397bba4d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
586551303debdcf610645e79397bba4d.exe
Resource
win10v2004-20240508-en
General
-
Target
586551303debdcf610645e79397bba4d.exe
-
Size
1.1MB
-
MD5
586551303debdcf610645e79397bba4d
-
SHA1
3ebc6e5ae076f40c5b65a955549efb20af93db4c
-
SHA256
2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9
-
SHA512
21cab4ac88765f77682f8271d9de126b92fc57e793b702c7ae8d5aefefdfb245c2ad1b9880635ebdfc857ed6739fa9582a4380f7c95545aa8261526e812072a7
-
SSDEEP
24576:U2G/nvxW3Ww0tfSxBXpxsfdnRegCieaho8AAe:UbA30f8xsVnRegCXQfO
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (33 instances)
description (all rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target  target process
2620  2476        schtasks.exe
2488  2476        schtasks.exe
2444  2476        schtasks.exe
2508  2476        schtasks.exe
3004  2476        schtasks.exe
3008  2476        schtasks.exe
1576  2476        schtasks.exe
2812  2476        schtasks.exe
2832  2476        schtasks.exe
2864  2476        schtasks.exe
1984  2476        schtasks.exe
1628  2476        schtasks.exe
1864  2476        schtasks.exe
1960  2476        schtasks.exe
2324  2476        schtasks.exe
304   2476        schtasks.exe
2696  2476        schtasks.exe
2748  2476        schtasks.exe
324   2476        schtasks.exe
3016  2476        schtasks.exe
2988  2476        schtasks.exe
1196  2476        schtasks.exe
488   2476        schtasks.exe
1912  2476        schtasks.exe
3028  2476        schtasks.exe
1336  2476        schtasks.exe
1944  2476        schtasks.exe
2912  2476        schtasks.exe
2292  2476        schtasks.exe
880   2476        schtasks.exe
596   2476        schtasks.exe
588   2476        schtasks.exe
1796  2476        schtasks.exe
-
Processes:
resource                                                                      yara_rule
\Bridgeperfmonitor\blockbrowser.exe                                           dcrat
behavioral1/memory/2736-13-0x0000000000CD0000-0x0000000000DA6000-memory.dmp   dcrat
behavioral1/memory/2028-43-0x0000000000B20000-0x0000000000BF6000-memory.dmp   dcrat
-
Executes dropped EXE 2 IoCs
Processes: blockbrowser.exe (2 instances)
pid   process
2736  blockbrowser.exe
2028  blockbrowser.exe
-
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid   process
2668  cmd.exe
2668  cmd.exe
-
Drops file in Program Files directory 9 IoCs
Processes: blockbrowser.exe
description                   ioc                                                                 process
File created                  C:\Program Files\Windows Portable Devices\explorer.exe              blockbrowser.exe
File created                  C:\Program Files\Windows Journal\Templates\explorer.exe             blockbrowser.exe
File created                  C:\Program Files\7-Zip\Lang\wininit.exe                             blockbrowser.exe
File opened for modification  C:\Program Files\7-Zip\Lang\wininit.exe                             blockbrowser.exe
File created                  C:\Program Files\7-Zip\Lang\56085415360792                          blockbrowser.exe
File created                  C:\Program Files\Windows Journal\Templates\7a0fd90576e088           blockbrowser.exe
File created                  C:\Program Files (x86)\Microsoft Analysis Services\services.exe     blockbrowser.exe
File created                  C:\Program Files (x86)\Microsoft Analysis Services\c5b4cb5e9653cc   blockbrowser.exe
File created                  C:\Program Files\Windows Portable Devices\7a0fd90576e088            blockbrowser.exe
-
Drops file in Windows directory 4 IoCs
Processes: blockbrowser.exe
description   ioc                                        process
File created  C:\Windows\de-DE\services.exe              blockbrowser.exe
File created  C:\Windows\de-DE\c5b4cb5e9653cc            blockbrowser.exe
File created  C:\Windows\SchCache\blockbrowser.exe       blockbrowser.exe
File created  C:\Windows\SchCache\09de74bfc901bc         blockbrowser.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (33 instances)
pid   process
1984  schtasks.exe
488   schtasks.exe
2292  schtasks.exe
2324  schtasks.exe
596   schtasks.exe
1796  schtasks.exe
3004  schtasks.exe
1944  schtasks.exe
2912  schtasks.exe
2620  schtasks.exe
2508  schtasks.exe
3008  schtasks.exe
304   schtasks.exe
2832  schtasks.exe
2748  schtasks.exe
1196  schtasks.exe
3028  schtasks.exe
1336  schtasks.exe
880   schtasks.exe
2444  schtasks.exe
2812  schtasks.exe
2696  schtasks.exe
324   schtasks.exe
3016  schtasks.exe
588   schtasks.exe
2864  schtasks.exe
1628  schtasks.exe
1864  schtasks.exe
1912  schtasks.exe
2488  schtasks.exe
1576  schtasks.exe
1960  schtasks.exe
2988  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: blockbrowser.exe (2 instances)
pid   process
2736  blockbrowser.exe
2736  blockbrowser.exe
2736  blockbrowser.exe
2028  blockbrowser.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: blockbrowser.exe (2 instances)
description              pid   process
Token: SeDebugPrivilege  2736  blockbrowser.exe
Token: SeDebugPrivilege  2028  blockbrowser.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 586551303debdcf610645e79397bba4d.exe, WScript.exe, cmd.exe, blockbrowser.exe, cmd.exe
description                        pid   process                               target process
PID 2088 wrote to memory of 1816   2088  586551303debdcf610645e79397bba4d.exe  WScript.exe
PID 2088 wrote to memory of 1816   2088  586551303debdcf610645e79397bba4d.exe  WScript.exe
PID 2088 wrote to memory of 1816   2088  586551303debdcf610645e79397bba4d.exe  WScript.exe
PID 2088 wrote to memory of 1816   2088  586551303debdcf610645e79397bba4d.exe  WScript.exe
PID 1816 wrote to memory of 2668   1816  WScript.exe                           cmd.exe
PID 1816 wrote to memory of 2668   1816  WScript.exe                           cmd.exe
PID 1816 wrote to memory of 2668   1816  WScript.exe                           cmd.exe
PID 1816 wrote to memory of 2668   1816  WScript.exe                           cmd.exe
PID 2668 wrote to memory of 2736   2668  cmd.exe                               blockbrowser.exe
PID 2668 wrote to memory of 2736   2668  cmd.exe                               blockbrowser.exe
PID 2668 wrote to memory of 2736   2668  cmd.exe                               blockbrowser.exe
PID 2668 wrote to memory of 2736   2668  cmd.exe                               blockbrowser.exe
PID 2736 wrote to memory of 1676   2736  blockbrowser.exe                      cmd.exe
PID 2736 wrote to memory of 1676   2736  blockbrowser.exe                      cmd.exe
PID 2736 wrote to memory of 1676   2736  blockbrowser.exe                      cmd.exe
PID 1676 wrote to memory of 1132   1676  cmd.exe                               w32tm.exe
PID 1676 wrote to memory of 1132   1676  cmd.exe                               w32tm.exe
PID 1676 wrote to memory of 1132   1676  cmd.exe                               w32tm.exe
PID 1676 wrote to memory of 2028   1676  cmd.exe                               blockbrowser.exe
PID 1676 wrote to memory of 2028   1676  cmd.exe                               blockbrowser.exe
PID 1676 wrote to memory of 2028   1676  cmd.exe                               blockbrowser.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\586551303debdcf610645e79397bba4d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\586551303debdcf610645e79397bba4d.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2088
-
(depth 2) C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Bridgeperfmonitor\Okr5BLwtARysGVz5KIiKrQ4stl1.vbe"
  - Suspicious use of WriteProcessMemory
  PID: 1816
-
(depth 3) C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\Bridgeperfmonitor\mVYPBQ4QEo2wIKyAZnDKAnqv22.bat" "
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2668
-
(depth 4) C:\Bridgeperfmonitor\blockbrowser.exe
  command line: "C:\Bridgeperfmonitor\blockbrowser.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2736
-
(depth 5) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5lEMBQZI9d.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1676
-
(depth 6) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1132
-
(depth 6) C:\Windows\SchCache\blockbrowser.exe
  command line: "C:\Windows\SchCache\blockbrowser.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2028
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2620
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2488
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2444
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2508
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3004
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3008
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1576
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2812
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2832
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2864
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1984
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1628
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1864
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1960
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2324
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "blockbrowserb" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\blockbrowser.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 304
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "blockbrowser" /sc ONLOGON /tr "'C:\Windows\SchCache\blockbrowser.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2696
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "blockbrowserb" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\blockbrowser.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2748
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 324
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3016
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2988
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1196
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 488
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1912
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3028
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1336
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1944
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2912
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2292
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 880
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 596
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 588
-
(depth 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1796
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Bridgeperfmonitor\Okr5BLwtARysGVz5KIiKrQ4stl1.vbe
Filesize  220B
MD5       1b20f3dc25276310b5d6cfaed4a33b7c
SHA1      7ae42214f2c13396a52d03663e258c327da709f7
SHA256    0cae9a0b5bea3b264a98449dc617d942dba020635f4a890fa3d8ca3561fb99b9
SHA512    997bff21f51187fd5911a5c6e1d298892e6a35d127e50d8df0e2375c64e346f35f5d22bb879ba4bb87ef76d853976a09fe3ed3b735a14575c3c88c3533c7ceee
-
C:\Bridgeperfmonitor\mVYPBQ4QEo2wIKyAZnDKAnqv22.bat
Filesize  39B
MD5       ecc0b37d413fa823b389d0b5c56b2730
SHA1      d3ea7dce841ec52d88415f5a7c509a2c6639093b
SHA256    0ff3f98f6426addb5c7bd25c7fdac293431467095d9cd37aa253f44b37c81697
SHA512    6f0c242eedc331ef59e150fab857c4a07f63c647df83a98f854cc906cceb677a5b4d8eb00ce58319d75480d281ff24cd50b381d1da1da8e2f3e7cbf0480af8e0
-
C:\Users\Admin\AppData\Local\Temp\5lEMBQZI9d.bat
Filesize  201B
MD5       3a547a5fcaa9db2d4758820d6ddd2865
SHA1      1ad601f8e07985d53b58a79d6ba479e9fbeafd65
SHA256    ed107711fcf71c785a217ac3dd2dc63a59ed7989e2958a181eaf6f2024ecd6e2
SHA512    fbd1033e15876a40e3ba82c21227c0b84717e6d6dff8087dc23eb3e875766455b761ab595f727454646886f5cd63a273d8430f15d77855e425a41ab25008d883
-
\Bridgeperfmonitor\blockbrowser.exe
Filesize  828KB
MD5       72f4befd780dfd7a742491bd9530a414
SHA1      33c6b52892da0063fd2106beaaddfafee7d48989
SHA256    e6cd6de8708a8c6112e24bebc33cd6f5ed004ef6db10e5fa1ca82987bb62589e
SHA512    0505131abd115659c4c2070e7133487de301249f5693de2c00a4965cb58ca9feef61ec456c44fa8270f53faf0d29a02ddbbbd541e1290519edf05a2a0f1ae16b
-
memory/2028-43-0x0000000000B20000-0x0000000000BF6000-memory.dmp
Filesize  856KB
-
memory/2736-13-0x0000000000CD0000-0x0000000000DA6000-memory.dmp
Filesize  856KB