Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
22-06-2024 01:06
Behavioral task
behavioral1
Sample
2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe
Resource
win10v2004-20240508-en
General
-
Target
2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe
-
Size
1.1MB
-
MD5
586551303debdcf610645e79397bba4d
-
SHA1
3ebc6e5ae076f40c5b65a955549efb20af93db4c
-
SHA256
2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9
-
SHA512
21cab4ac88765f77682f8271d9de126b92fc57e793b702c7ae8d5aefefdfb245c2ad1b9880635ebdfc857ed6739fa9582a4380f7c95545aa8261526e812072a7
-
SSDEEP
24576:U2G/nvxW3Ww0tfSxBXpxsfdnRegCieaho8AAe:UbA30f8xsVnRegCXQfO
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1920 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2576 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2636 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2344 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2080 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2320 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2332 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1480 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2964 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 940 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2888 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2516 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2440 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2152 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1440 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2656 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1132 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2180 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3024 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1040 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2064 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2476 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 264 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 596 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 592 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1204 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 904 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1504 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1256 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1020 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2524 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1676 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1668 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3040 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1136 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2232 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 936 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1128 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3000 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1696 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1604 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1732 2496 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1084 2496 schtasks.exe -
Processes:
resource yara_rule \Bridgeperfmonitor\blockbrowser.exe dcrat behavioral1/memory/2768-13-0x00000000012B0000-0x0000000001386000-memory.dmp dcrat behavioral1/memory/2372-58-0x0000000000340000-0x0000000000416000-memory.dmp dcrat -
Executes dropped EXE 2 IoCs
Processes:
blockbrowser.execsrss.exepid process 2768 blockbrowser.exe 2372 csrss.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2700 cmd.exe 2700 cmd.exe -
Drops file in Program Files directory 9 IoCs
Processes:
blockbrowser.exedescription ioc process File created C:\Program Files (x86)\Common Files\Adobe\Idle.exe blockbrowser.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Idle.exe blockbrowser.exe File created C:\Program Files\Windows Defender\en-US\42af1c969fbb7b blockbrowser.exe File created C:\Program Files\Windows Journal\en-US\886983d96e3d3e blockbrowser.exe File created C:\Program Files (x86)\Common Files\Adobe\6ccacd8608530f blockbrowser.exe File created C:\Program Files\Windows Defender\en-US\audiodg.exe blockbrowser.exe File created C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe blockbrowser.exe File created C:\Program Files\Windows Media Player\fr-FR\f3b6ecef712a24 blockbrowser.exe File created C:\Program Files\Windows Journal\en-US\csrss.exe blockbrowser.exe -
Drops file in Windows directory 6 IoCs
Processes:
blockbrowser.exedescription ioc process File created C:\Windows\Fonts\spoolsv.exe blockbrowser.exe File created C:\Windows\Fonts\f3b6ecef712a24 blockbrowser.exe File created C:\Windows\system\Idle.exe blockbrowser.exe File created C:\Windows\system\6ccacd8608530f blockbrowser.exe File created C:\Windows\Tasks\Idle.exe blockbrowser.exe File created C:\Windows\Tasks\6ccacd8608530f blockbrowser.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2332 schtasks.exe 1480 schtasks.exe 2440 schtasks.exe 2180 schtasks.exe 2584 schtasks.exe 2888 schtasks.exe 2100 schtasks.exe 1720 schtasks.exe 1256 schtasks.exe 2136 schtasks.exe 1440 schtasks.exe 2064 schtasks.exe 1020 schtasks.exe 2376 schtasks.exe 1084 schtasks.exe 1668 schtasks.exe 2916 schtasks.exe 2636 schtasks.exe 2940 schtasks.exe 3024 schtasks.exe 1676 schtasks.exe 592 schtasks.exe 1820 schtasks.exe 1920 schtasks.exe 2656 schtasks.exe 264 schtasks.exe 596 schtasks.exe 2576 schtasks.exe 1204 schtasks.exe 3040 schtasks.exe 2476 schtasks.exe 936 schtasks.exe 1696 schtasks.exe 2320 schtasks.exe 2152 schtasks.exe 2224 schtasks.exe 1128 schtasks.exe 1512 schtasks.exe 2448 schtasks.exe 1604 schtasks.exe 2080 schtasks.exe 1040 schtasks.exe 2524 schtasks.exe 940 schtasks.exe 904 schtasks.exe 3000 schtasks.exe 2344 schtasks.exe 2516 schtasks.exe 1504 schtasks.exe 2232 schtasks.exe 1132 schtasks.exe 2484 schtasks.exe 1732 schtasks.exe 1476 schtasks.exe 2948 schtasks.exe 2964 schtasks.exe 1136 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
blockbrowser.execsrss.exepid process 2768 blockbrowser.exe 2372 csrss.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
blockbrowser.execsrss.exedescription pid process Token: SeDebugPrivilege 2768 blockbrowser.exe Token: SeDebugPrivilege 2372 csrss.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exeWScript.execmd.exeblockbrowser.exedescription pid process target process PID 2372 wrote to memory of 1744 2372 2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe WScript.exe PID 2372 wrote to memory of 1744 2372 2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe WScript.exe PID 2372 wrote to memory of 1744 2372 2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe WScript.exe PID 2372 wrote to memory of 1744 2372 2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe WScript.exe PID 1744 wrote to memory of 2700 1744 WScript.exe cmd.exe PID 1744 wrote to memory of 2700 1744 WScript.exe cmd.exe PID 1744 wrote to memory of 2700 1744 WScript.exe cmd.exe PID 1744 wrote to memory of 2700 1744 WScript.exe cmd.exe PID 2700 wrote to memory of 2768 2700 cmd.exe blockbrowser.exe PID 2700 wrote to memory of 2768 2700 cmd.exe blockbrowser.exe PID 2700 wrote to memory of 2768 2700 cmd.exe blockbrowser.exe PID 2700 wrote to memory of 2768 2700 cmd.exe blockbrowser.exe PID 2768 wrote to memory of 2372 2768 blockbrowser.exe csrss.exe PID 2768 wrote to memory of 2372 2768 blockbrowser.exe csrss.exe PID 2768 wrote to memory of 2372 2768 blockbrowser.exe csrss.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe"C:\Users\Admin\AppData\Local\Temp\2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Bridgeperfmonitor\Okr5BLwtARysGVz5KIiKrQ4stl1.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Bridgeperfmonitor\mVYPBQ4QEo2wIKyAZnDKAnqv22.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Bridgeperfmonitor\blockbrowser.exe"C:\Bridgeperfmonitor\blockbrowser.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Program Files\Windows Journal\en-US\csrss.exe"C:\Program Files\Windows Journal\en-US\csrss.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Bridgeperfmonitor\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Bridgeperfmonitor\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Bridgeperfmonitor\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Bridgeperfmonitor\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Bridgeperfmonitor\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Bridgeperfmonitor\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Bridgeperfmonitor\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Bridgeperfmonitor\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Bridgeperfmonitor\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Bridgeperfmonitor\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Bridgeperfmonitor\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Bridgeperfmonitor\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\system\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Bridgeperfmonitor\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Bridgeperfmonitor\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Bridgeperfmonitor\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "blockbrowserb" /sc MINUTE /mo 8 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\blockbrowser.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "blockbrowser" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\blockbrowser.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "blockbrowserb" /sc MINUTE /mo 9 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\blockbrowser.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Tasks\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Bridgeperfmonitor\Okr5BLwtARysGVz5KIiKrQ4stl1.vbeFilesize
220B
MD51b20f3dc25276310b5d6cfaed4a33b7c
SHA17ae42214f2c13396a52d03663e258c327da709f7
SHA2560cae9a0b5bea3b264a98449dc617d942dba020635f4a890fa3d8ca3561fb99b9
SHA512997bff21f51187fd5911a5c6e1d298892e6a35d127e50d8df0e2375c64e346f35f5d22bb879ba4bb87ef76d853976a09fe3ed3b735a14575c3c88c3533c7ceee
-
C:\Bridgeperfmonitor\mVYPBQ4QEo2wIKyAZnDKAnqv22.batFilesize
39B
MD5ecc0b37d413fa823b389d0b5c56b2730
SHA1d3ea7dce841ec52d88415f5a7c509a2c6639093b
SHA2560ff3f98f6426addb5c7bd25c7fdac293431467095d9cd37aa253f44b37c81697
SHA5126f0c242eedc331ef59e150fab857c4a07f63c647df83a98f854cc906cceb677a5b4d8eb00ce58319d75480d281ff24cd50b381d1da1da8e2f3e7cbf0480af8e0
-
\Bridgeperfmonitor\blockbrowser.exeFilesize
828KB
MD572f4befd780dfd7a742491bd9530a414
SHA133c6b52892da0063fd2106beaaddfafee7d48989
SHA256e6cd6de8708a8c6112e24bebc33cd6f5ed004ef6db10e5fa1ca82987bb62589e
SHA5120505131abd115659c4c2070e7133487de301249f5693de2c00a4965cb58ca9feef61ec456c44fa8270f53faf0d29a02ddbbbd541e1290519edf05a2a0f1ae16b
-
memory/2372-58-0x0000000000340000-0x0000000000416000-memory.dmpFilesize
856KB
-
memory/2768-13-0x00000000012B0000-0x0000000001386000-memory.dmpFilesize
856KB