Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-07-2024 04:21
Behavioral task: behavioral1
Sample: F946CEB3DFBC4802323F045E77B9FC63.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: F946CEB3DFBC4802323F045E77B9FC63.exe
Resource: win10v2004-20240709-en
General
Target: F946CEB3DFBC4802323F045E77B9FC63.exe
Size: 1.3MB
MD5: f946ceb3dfbc4802323f045e77b9fc63
SHA1: 04beac37360d30c5ad933f82f80bfd41ae294cc4
SHA256: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
SHA512: 7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3
SSDEEP: 24576:qwwpL4DsvfsODQY2mq7yTK32HbzpEOlM7RJFolBjvmPln0Ep9GKc6NC1t:qw8LnsvQKMzpEOlM7RJqlhgq8rC1
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Modifies WinLogon for persistence (2 TTPs, 7 IoCs)
Processes (description, ioc, process; all by F946CEB3DFBC4802323F045E77B9FC63.exe):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\", \"C:\\Windows\\Branding\\fontdrvhost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\""
Process spawned unexpected child process (21 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (pid, pid_target, process; the description of every row is "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process"):
- 1036 2168 schtasks.exe
- 1892 2168 schtasks.exe
- 1168 2168 schtasks.exe
- 2448 2168 schtasks.exe
- 3328 2168 schtasks.exe
- 4328 2168 schtasks.exe
- 2012 2168 schtasks.exe
- 5104 2168 schtasks.exe
- 3916 2168 schtasks.exe
- 2908 2168 schtasks.exe
- 2980 2168 schtasks.exe
- 1204 2168 schtasks.exe
- 4788 2168 schtasks.exe
- 848 2168 schtasks.exe
- 2648 2168 schtasks.exe
- 2096 2168 schtasks.exe
- 2756 2168 schtasks.exe
- 2664 2168 schtasks.exe
- 460 2168 schtasks.exe
- 2752 2168 schtasks.exe
- 3448 2168 schtasks.exe
Processes (resource, yara_rule):
- behavioral2/memory/4552-1-0x0000000000660000-0x00000000007BA000-memory.dmp: dcrat
- C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe: dcrat
- C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe: dcrat
- C:\Program Files\WindowsPowerShell\fontdrvhost.exe: dcrat
- C:\Windows\Branding\fontdrvhost.exe: dcrat
- behavioral2/memory/4380-172-0x0000000000110000-0x000000000026A000-memory.dmp: dcrat
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process; every row is "Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation", listed here by process):
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
- F946CEB3DFBC4802323F045E77B9FC63.exe
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
- fontdrvhost.exe
Executes dropped EXE (14 IoCs)
Processes (pid, process):
- 4380 fontdrvhost.exe
- 420 fontdrvhost.exe
- 2248 fontdrvhost.exe
- 1532 fontdrvhost.exe
- 4376 fontdrvhost.exe
- 2668 fontdrvhost.exe
- 2916 fontdrvhost.exe
- 2860 fontdrvhost.exe
- 3536 fontdrvhost.exe
- 3016 fontdrvhost.exe
- 5028 fontdrvhost.exe
- 3076 fontdrvhost.exe
- 4272 fontdrvhost.exe
- 968 fontdrvhost.exe
Adds Run key to start application (2 TTPs, 14 IoCs)
Processes (description, ioc, process; all by F946CEB3DFBC4802323F045E77B9FC63.exe):
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Branding\\fontdrvhost.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Branding\\fontdrvhost.exe\""
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 16 IoCs)
Processes (flow, ioc):
- 22 pastebin.com
- 89 pastebin.com
- 91 pastebin.com
- 93 pastebin.com
- 41 pastebin.com
- 57 pastebin.com
- 65 pastebin.com
- 67 pastebin.com
- 71 pastebin.com
- 95 pastebin.com
- 97 pastebin.com
- 23 pastebin.com
- 34 pastebin.com
- 53 pastebin.com
- 51 pastebin.com
- 54 pastebin.com
Drops file in Program Files directory (20 IoCs)
Processes (description, ioc, process; all by F946CEB3DFBC4802323F045E77B9FC63.exe):
- File created C:\Program Files (x86)\Windows Sidebar\Gadgets\eddb19405b7ce1
- File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe
- File opened for modification C:\Program Files\WindowsPowerShell\RCXB534.tmp
- File created C:\Program Files\Windows Defender\es-ES\TextInputHost.exe
- File opened for modification C:\Program Files\Windows Defender\es-ES\TextInputHost.exe
- File opened for modification C:\Program Files\Windows Defender\es-ES\RCXA9DE.tmp
- File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXB09C.tmp
- File opened for modification C:\Program Files\Mozilla Firefox\fonts\RCXB2A2.tmp
- File opened for modification C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe
- File opened for modification C:\Program Files\WindowsPowerShell\RCXB4B6.tmp
- File created C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe
- File created C:\Program Files\WindowsPowerShell\fontdrvhost.exe
- File created C:\Program Files\WindowsPowerShell\5b884080fd4f94
- File opened for modification C:\Program Files\Windows Defender\es-ES\RCXA9DF.tmp
- File opened for modification C:\Program Files\Mozilla Firefox\fonts\RCXB2A1.tmp
- File opened for modification C:\Program Files\WindowsPowerShell\fontdrvhost.exe
- File created C:\Program Files\Windows Defender\es-ES\22eafd247d37c3
- File created C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe
- File created C:\Program Files\Mozilla Firefox\fonts\9e8d7a4ca61bd9
- File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXB01E.tmp
Drops file in Windows directory (10 IoCs)
Processes (description, ioc, process; all by F946CEB3DFBC4802323F045E77B9FC63.exe):
- File opened for modification C:\Windows\ServiceProfiles\RCXAE0A.tmp
- File opened for modification C:\Windows\ServiceProfiles\OfficeClickToRun.exe
- File created C:\Windows\ServiceProfiles\e6c9b481da804f
- File created C:\Windows\Branding\fontdrvhost.exe
- File created C:\Windows\Branding\5b884080fd4f94
- File opened for modification C:\Windows\ServiceProfiles\RCXAE09.tmp
- File opened for modification C:\Windows\Branding\RCXB738.tmp
- File opened for modification C:\Windows\Branding\RCXB7B6.tmp
- File opened for modification C:\Windows\Branding\fontdrvhost.exe
- File created C:\Windows\ServiceProfiles\OfficeClickToRun.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (15 IoCs)
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (F946CEB3DFBC4802323F045E77B9FC63.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings (fontdrvhost.exe)
Scheduled Task/Job: Scheduled Task (1 TTPs, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 3448 schtasks.exe
- 3916 schtasks.exe
- 1204 schtasks.exe
- 5104 schtasks.exe
- 2908 schtasks.exe
- 2980 schtasks.exe
- 2648 schtasks.exe
- 2664 schtasks.exe
- 1892 schtasks.exe
- 3328 schtasks.exe
- 2012 schtasks.exe
- 4788 schtasks.exe
- 848 schtasks.exe
- 2096 schtasks.exe
- 2756 schtasks.exe
- 2752 schtasks.exe
- 2448 schtasks.exe
- 4328 schtasks.exe
- 460 schtasks.exe
- 1036 schtasks.exe
- 1168 schtasks.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes (pid, process):
- 4552 F946CEB3DFBC4802323F045E77B9FC63.exe
- 4552 F946CEB3DFBC4802323F045E77B9FC63.exe
- 4552 F946CEB3DFBC4802323F045E77B9FC63.exe
- 4552 F946CEB3DFBC4802323F045E77B9FC63.exe
- 4552 F946CEB3DFBC4802323F045E77B9FC63.exe
- 4552 F946CEB3DFBC4802323F045E77B9FC63.exe
- 4552 F946CEB3DFBC4802323F045E77B9FC63.exe
- 4552 F946CEB3DFBC4802323F045E77B9FC63.exe
- 4380 fontdrvhost.exe
- 420 fontdrvhost.exe
- 2248 fontdrvhost.exe
- 1532 fontdrvhost.exe
- 4376 fontdrvhost.exe
- 2668 fontdrvhost.exe
- 2916 fontdrvhost.exe
- 2860 fontdrvhost.exe
- 3536 fontdrvhost.exe
- 3016 fontdrvhost.exe
- 5028 fontdrvhost.exe
- 3076 fontdrvhost.exe
- 3076 fontdrvhost.exe
- 4272 fontdrvhost.exe
- 968 fontdrvhost.exe
- 968 fontdrvhost.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege 4552 F946CEB3DFBC4802323F045E77B9FC63.exe
- Token: SeDebugPrivilege 4380 fontdrvhost.exe
- Token: SeDebugPrivilege 420 fontdrvhost.exe
- Token: SeDebugPrivilege 2248 fontdrvhost.exe
- Token: SeDebugPrivilege 1532 fontdrvhost.exe
- Token: SeDebugPrivilege 4376 fontdrvhost.exe
- Token: SeDebugPrivilege 2668 fontdrvhost.exe
- Token: SeDebugPrivilege 2916 fontdrvhost.exe
- Token: SeDebugPrivilege 2860 fontdrvhost.exe
- Token: SeDebugPrivilege 3536 fontdrvhost.exe
- Token: SeDebugPrivilege 3016 fontdrvhost.exe
- Token: SeDebugPrivilege 5028 fontdrvhost.exe
- Token: SeDebugPrivilege 3076 fontdrvhost.exe
- Token: SeDebugPrivilege 4272 fontdrvhost.exe
- Token: SeDebugPrivilege 968 fontdrvhost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process; each of the 32 rows below is reported twice in the source report, giving the 64 IoCs):
- PID 4552 wrote to memory of 4380 (F946CEB3DFBC4802323F045E77B9FC63.exe -> fontdrvhost.exe)
- PID 4380 wrote to memory of 2304 (fontdrvhost.exe -> WScript.exe)
- PID 4380 wrote to memory of 1192 (fontdrvhost.exe -> WScript.exe)
- PID 2304 wrote to memory of 420 (WScript.exe -> fontdrvhost.exe)
- PID 420 wrote to memory of 4472 (fontdrvhost.exe -> WScript.exe)
- PID 420 wrote to memory of 1352 (fontdrvhost.exe -> WScript.exe)
- PID 4472 wrote to memory of 2248 (WScript.exe -> fontdrvhost.exe)
- PID 2248 wrote to memory of 3092 (fontdrvhost.exe -> WScript.exe)
- PID 2248 wrote to memory of 1648 (fontdrvhost.exe -> WScript.exe)
- PID 3092 wrote to memory of 1532 (WScript.exe -> fontdrvhost.exe)
- PID 1532 wrote to memory of 3480 (fontdrvhost.exe -> WScript.exe)
- PID 1532 wrote to memory of 4064 (fontdrvhost.exe -> WScript.exe)
- PID 3480 wrote to memory of 4376 (WScript.exe -> fontdrvhost.exe)
- PID 4376 wrote to memory of 4848 (fontdrvhost.exe -> WScript.exe)
- PID 4376 wrote to memory of 3464 (fontdrvhost.exe -> WScript.exe)
- PID 4848 wrote to memory of 2668 (WScript.exe -> fontdrvhost.exe)
- PID 2668 wrote to memory of 3756 (fontdrvhost.exe -> WScript.exe)
- PID 2668 wrote to memory of 452 (fontdrvhost.exe -> WScript.exe)
- PID 3756 wrote to memory of 2916 (WScript.exe -> fontdrvhost.exe)
- PID 2916 wrote to memory of 4652 (fontdrvhost.exe -> WScript.exe)
- PID 2916 wrote to memory of 4372 (fontdrvhost.exe -> WScript.exe)
- PID 4652 wrote to memory of 2860 (WScript.exe -> fontdrvhost.exe)
- PID 2860 wrote to memory of 2364 (fontdrvhost.exe -> WScript.exe)
- PID 2860 wrote to memory of 1764 (fontdrvhost.exe -> WScript.exe)
- PID 2364 wrote to memory of 3536 (WScript.exe -> fontdrvhost.exe)
- PID 3536 wrote to memory of 3800 (fontdrvhost.exe -> WScript.exe)
- PID 3536 wrote to memory of 2284 (fontdrvhost.exe -> WScript.exe)
- PID 3800 wrote to memory of 3016 (WScript.exe -> fontdrvhost.exe)
- PID 3016 wrote to memory of 3408 (fontdrvhost.exe -> WScript.exe)
- PID 3016 wrote to memory of 636 (fontdrvhost.exe -> WScript.exe)
- PID 3408 wrote to memory of 5028 (WScript.exe -> fontdrvhost.exe)
- PID 5028 wrote to memory of 1348 (fontdrvhost.exe -> WScript.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the depth number is the nesting level in the tree)
depth 1: C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe"
  PID: 4552
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 2: C:\Windows\Branding\fontdrvhost.exe
  command line: "C:\Windows\Branding\fontdrvhost.exe"
  PID: 4380
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 3: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e767b887-1a93-4c47-850c-f291b0f52c9f.vbs"
  PID: 2304
  - Suspicious use of WriteProcessMemory
depth 4: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 420
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 5: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cecf907-1a44-4197-9bba-63e7ad0cb11f.vbs"
  PID: 4472
  - Suspicious use of WriteProcessMemory
depth 6: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 2248
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 7: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86582284-2896-4cb1-aaf3-4dcfb9a871dc.vbs"
  PID: 3092
  - Suspicious use of WriteProcessMemory
depth 8: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 1532
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 9: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7533e802-628a-4ebe-ac25-0716e5917a67.vbs"
  PID: 3480
  - Suspicious use of WriteProcessMemory
depth 10: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 4376
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 11: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdf90df-fff6-46b3-a390-b224919c8ebc.vbs"
  PID: 4848
  - Suspicious use of WriteProcessMemory
depth 12: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 2668
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 13: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62dfae26-4595-47fe-80b9-32dc9b250927.vbs"
  PID: 3756
  - Suspicious use of WriteProcessMemory
depth 14: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 2916
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 15: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0be2b0e-404a-4587-9f1e-1e3efbfa71dc.vbs"
  PID: 4652
  - Suspicious use of WriteProcessMemory
depth 16: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 2860
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 17: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dfddaaf-b1ae-4c46-94fb-8b5c5fa32e10.vbs"
  PID: 2364
  - Suspicious use of WriteProcessMemory
depth 18: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 3536
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 19: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\210b55fa-f589-4bd4-acdd-90cc97d84fba.vbs"
  PID: 3800
  - Suspicious use of WriteProcessMemory
depth 20: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 3016
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 21: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\769e5175-a7cf-48f2-a5c9-c9f91820a8d0.vbs"
  PID: 3408
  - Suspicious use of WriteProcessMemory
depth 22: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 5028
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 23: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73962c40-07d5-4df8-9a42-2c6621b110df.vbs"
  PID: 1348
depth 24: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 3076
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 25: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b0a9d1b-5071-44bf-8c56-767a2d42ec62.vbs"
  PID: 4676
depth 26: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 4272
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 27: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\483e4332-9f73-4040-abc5-f67f6eb59580.vbs"
  PID: 3744
depth 28: C:\Windows\Branding\fontdrvhost.exe
  command line: C:\Windows\Branding\fontdrvhost.exe
  PID: 968
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 29: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc65bc91-7c01-484a-bea1-3cfe987d5b46.vbs"
  PID: 980
depth 29: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\636f09de-5fa0-424a-8e8d-bb7edb6dd783.vbs"
  PID: 2404
depth 27: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccec9bc5-fec0-4329-ab62-b6beeadf1ebc.vbs"
  PID: 5088
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcb99c75-2483-4019-b61a-64c4fa23e38e.vbs"25⤵PID:4704
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb25182e-953b-40cc-9760-c117eecc90c1.vbs"23⤵PID:664
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67cf566d-115d-46b5-9a52-e6ae3d0b5435.vbs"21⤵PID:636
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c44465f-88e9-490b-b874-c60622539eec.vbs"19⤵PID:2284
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a71668f-048e-49fc-a692-07544461ccdc.vbs"17⤵PID:1764
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c011816d-2fbb-4c2e-8220-c188d4445494.vbs"15⤵PID:4372
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebf13c66-c5c4-4459-b3b1-06fb3ffeae12.vbs"13⤵PID:452
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e9aff1c-f25c-4d6a-b2d8-be27f575ac28.vbs"11⤵PID:3464
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65982534-c48f-4836-95bf-98ad54ca0ebf.vbs"9⤵PID:4064
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4626c041-5a06-4d9d-9c4d-70235ff32f62.vbs"7⤵PID:1648
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fa17a65-3330-49b9-b443-3df160ef6f41.vbs"5⤵PID:1352
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59cc329e-403b-4304-8f72-31f5ccd51e52.vbs"3⤵PID:1192
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1036

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1892

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1168

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2448

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3328

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4328

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2012

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5104

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3916

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2908

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2980

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1204

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4788

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 848

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2648

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2096

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2756

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2664

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 460

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Branding\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2752

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3448
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Downloads