Analysis
  max time kernel: 52s
  max time network: 54s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21-06-2024 10:51

Behavioral task behavioral1
  Sample: 586551303debdcf610645e79397bba4d.exe
  Resource: win7-20240221-en

Behavioral task behavioral2
  Sample: 586551303debdcf610645e79397bba4d.exe
  Resource: win10v2004-20240508-en

General
  Target: 586551303debdcf610645e79397bba4d.exe
  Size: 1.1MB
  MD5: 586551303debdcf610645e79397bba4d
  SHA1: 3ebc6e5ae076f40c5b65a955549efb20af93db4c
  SHA256: 2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9
  SHA512: 21cab4ac88765f77682f8271d9de126b92fc57e793b702c7ae8d5aefefdfb245c2ad1b9880635ebdfc857ed6739fa9582a4380f7c95545aa8261526e812072a7
  SSDEEP: 24576:U2G/nvxW3Ww0tfSxBXpxsfdnRegCieaho8AAe:UbA30f8xsVnRegCXQfO
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process):
  Every entry reads "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 2872 and process schtasks.exe; the 51 spawned schtasks.exe pids, in order, are:
  2340, 2088, 3880, 4476, 4596, 4648, 444, 1476, 5040, 2028, 464, 1728, 1088, 1204, 3328, 4192, 3804, 4176, 4728, 4652, 4260, 1712, 4928, 4040, 940, 4720, 3696, 3296, 844, 4940, 2556, 1900, 3524, 1992, 3520, 3124, 4080, 2008, 3372, 4600, 1756, 1544, 1748, 1052, 424, 404, 2732, 1256, 4708, 460, 116

Processes (resource | yara_rule):
  C:\Bridgeperfmonitor\blockbrowser.exe | dcrat
  behavioral2/memory/4792-13-0x00000000003B0000-0x0000000000486000-memory.dmp | dcrat
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 586551303debdcf610645e79397bba4d.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | blockbrowser.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | blockbrowser.exe
Executes dropped EXE 3 IoCs
Processes (pid | process):
  4792 | blockbrowser.exe
  2004 | blockbrowser.exe
  4408 | csrss.exe
Drops file in Program Files directory 18 IoCs
Processes (description | ioc | process):
  File created | C:\Program Files\Microsoft Office\SearchApp.exe | blockbrowser.exe
  File created | C:\Program Files\Reference Assemblies\fontdrvhost.exe | blockbrowser.exe
  File created | C:\Program Files\Java\jre8\lib\6cb0b6c459d5d3 | blockbrowser.exe
  File created | C:\Program Files\Windows Multimedia Platform\cc11b995f2a76d | blockbrowser.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94 | blockbrowser.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\cmd.exe | blockbrowser.exe
  File created | C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe | blockbrowser.exe
  File created | C:\Program Files\Internet Explorer\en-US\9e8d7a4ca61bd9 | blockbrowser.exe
  File created | C:\Program Files\Reference Assemblies\5b884080fd4f94 | blockbrowser.exe
  File created | C:\Program Files\Windows Sidebar\9e8d7a4ca61bd9 | blockbrowser.exe
  File created | C:\Program Files\Windows Multimedia Platform\winlogon.exe | blockbrowser.exe
  File opened for modification | C:\Program Files\Windows Multimedia Platform\winlogon.exe | blockbrowser.exe
  File created | C:\Program Files\Microsoft Office\38384e6a620884 | blockbrowser.exe
  File created | C:\Program Files\Java\jre8\lib\dwm.exe | blockbrowser.exe
  File created | C:\Program Files\Windows Sidebar\RuntimeBroker.exe | blockbrowser.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe | blockbrowser.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\ebf1f9fa8afd6d | blockbrowser.exe
  File opened for modification | C:\Program Files\Reference Assemblies\fontdrvhost.exe | blockbrowser.exe
Drops file in Windows directory 7 IoCs
Processes (description | ioc | process):
  File created | C:\Windows\SoftwareDistribution\Download\SharedFileCache\RuntimeBroker.exe | blockbrowser.exe
  File created | C:\Windows\SoftwareDistribution\Download\SharedFileCache\9e8d7a4ca61bd9 | blockbrowser.exe
  File created | C:\Windows\ja-JP\csrss.exe | blockbrowser.exe
  File created | C:\Windows\ja-JP\886983d96e3d3e | blockbrowser.exe
  File created | C:\Windows\CbsTemp\RuntimeBroker.exe | blockbrowser.exe
  File created | C:\Windows\CbsTemp\9e8d7a4ca61bd9 | blockbrowser.exe
  File created | C:\Windows\LanguageOverlayCache\RuntimeBroker.exe | blockbrowser.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 586551303debdcf610645e79397bba4d.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process): 51 instances of schtasks.exe, with pids
  3328, 1256, 4648, 1728, 4652, 3296, 844, 3804, 1900, 1544, 3696, 404, 460, 2340, 2088, 4476, 1088, 3524, 2028, 4040, 4600, 4596, 5040, 4728, 1992, 2008, 424, 464, 116, 3880, 1476, 4928, 4260, 4720, 2556, 444, 1204, 4192, 1748, 1052, 4708, 1712, 4080, 2732, 3372, 940, 4940, 3520, 4176, 3124, 1756
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes (pid | process):
  4792 | blockbrowser.exe (7 events)
  2004 | blockbrowser.exe (9 events)
  4408 | csrss.exe (1 event)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 4792 | blockbrowser.exe
  Token: SeDebugPrivilege | 2004 | blockbrowser.exe
  Token: SeDebugPrivilege | 4408 | csrss.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description | pid | process | target process):
  PID 228 wrote to memory of 2584 | 228 | 586551303debdcf610645e79397bba4d.exe | WScript.exe (3 events)
  PID 2584 wrote to memory of 4100 | 2584 | WScript.exe | cmd.exe (3 events)
  PID 4100 wrote to memory of 4792 | 4100 | cmd.exe | blockbrowser.exe (2 events)
  PID 4792 wrote to memory of 2004 | 4792 | blockbrowser.exe | blockbrowser.exe (2 events)
  PID 2004 wrote to memory of 4408 | 2004 | blockbrowser.exe | csrss.exe (2 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(the bracketed number is the depth in the process tree; each entry gives the image path, the command line, the PID and the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\586551303debdcf610645e79397bba4d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\586551303debdcf610645e79397bba4d.exe"
    PID: 228
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Bridgeperfmonitor\Okr5BLwtARysGVz5KIiKrQ4stl1.vbe"
      PID: 2584
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Bridgeperfmonitor\mVYPBQ4QEo2wIKyAZnDKAnqv22.bat" "
        PID: 4100
        - Suspicious use of WriteProcessMemory

      [4] C:\Bridgeperfmonitor\blockbrowser.exe
          command line: "C:\Bridgeperfmonitor\blockbrowser.exe"
          PID: 4792
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Bridgeperfmonitor\blockbrowser.exe
            command line: "C:\Bridgeperfmonitor\blockbrowser.exe"
            PID: 2004
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\ja-JP\csrss.exe
              command line: "C:\Windows\ja-JP\csrss.exe"
              PID: 4408
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\schtasks.exe (51 instances, each at depth 1; every one triggered "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task")
    PID 2340: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /f
    PID 2088: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
    PID 3880: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
    PID 4476: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /f
    PID 4596: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
    PID 4648: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
    PID 444: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\cmd.exe'" /f
    PID 1476: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\cmd.exe'" /rl HIGHEST /f
    PID 5040: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\cmd.exe'" /rl HIGHEST /f
    PID 2028: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /f
    PID 464: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
    PID 1728: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
    PID 1088: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'" /f
    PID 1204: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 3328: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 4192: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sysmon.exe'" /f
    PID 3804: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
    PID 4176: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
    PID 4728: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    PID 4652: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 4260: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 1712: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\SearchApp.exe'" /f
    PID 4928: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\SearchApp.exe'" /rl HIGHEST /f
    PID 4040: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\SearchApp.exe'" /rl HIGHEST /f
    PID 940: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /f
    PID 4720: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
    PID 3696: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
    PID 3296: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\RuntimeBroker.exe'" /f
    PID 844: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 4940: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 2556: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\csrss.exe'" /f
    PID 1900: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
    PID 3524: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
    PID 1992: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre8\lib\dwm.exe'" /f
    PID 3520: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\lib\dwm.exe'" /rl HIGHEST /f
    PID 3124: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre8\lib\dwm.exe'" /rl HIGHEST /f
    PID 4080: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /f
    PID 2008: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 3372: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 4600: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Bridgeperfmonitor\dllhost.exe'" /f
    PID 1756: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Bridgeperfmonitor\dllhost.exe'" /rl HIGHEST /f
    PID 1544: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Bridgeperfmonitor\dllhost.exe'" /rl HIGHEST /f
    PID 1748: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
    PID 1052: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    PID 424: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    PID 404: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /f
    PID 2732: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 1256: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 4708: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\Public\TextInputHost.exe'" /f
    PID 460: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\TextInputHost.exe'" /rl HIGHEST /f
    PID 116: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Public\TextInputHost.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Bridgeperfmonitor\Okr5BLwtARysGVz5KIiKrQ4stl1.vbe
  Filesize: 220B
  MD5: 1b20f3dc25276310b5d6cfaed4a33b7c
  SHA1: 7ae42214f2c13396a52d03663e258c327da709f7
  SHA256: 0cae9a0b5bea3b264a98449dc617d942dba020635f4a890fa3d8ca3561fb99b9
  SHA512: 997bff21f51187fd5911a5c6e1d298892e6a35d127e50d8df0e2375c64e346f35f5d22bb879ba4bb87ef76d853976a09fe3ed3b735a14575c3c88c3533c7ceee

C:\Bridgeperfmonitor\blockbrowser.exe
  Filesize: 828KB
  MD5: 72f4befd780dfd7a742491bd9530a414
  SHA1: 33c6b52892da0063fd2106beaaddfafee7d48989
  SHA256: e6cd6de8708a8c6112e24bebc33cd6f5ed004ef6db10e5fa1ca82987bb62589e
  SHA512: 0505131abd115659c4c2070e7133487de301249f5693de2c00a4965cb58ca9feef61ec456c44fa8270f53faf0d29a02ddbbbd541e1290519edf05a2a0f1ae16b

C:\Bridgeperfmonitor\mVYPBQ4QEo2wIKyAZnDKAnqv22.bat
  Filesize: 39B
  MD5: ecc0b37d413fa823b389d0b5c56b2730
  SHA1: d3ea7dce841ec52d88415f5a7c509a2c6639093b
  SHA256: 0ff3f98f6426addb5c7bd25c7fdac293431467095d9cd37aa253f44b37c81697
  SHA512: 6f0c242eedc331ef59e150fab857c4a07f63c647df83a98f854cc906cceb677a5b4d8eb00ce58319d75480d281ff24cd50b381d1da1da8e2f3e7cbf0480af8e0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blockbrowser.exe.log
  Filesize: 1KB
  MD5: 7f3c0ae41f0d9ae10a8985a2c327b8fb
  SHA1: d58622bf6b5071beacf3b35bb505bde2000983e3
  SHA256: 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
  SHA512: 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

memory/4792-12-0x00007FF8B0593000-0x00007FF8B0595000-memory.dmp
  Filesize: 8KB

memory/4792-13-0x00000000003B0000-0x0000000000486000-memory.dmp
  Filesize: 856KB