Analysis
max time kernel: 142s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-07-2024 10:23
Behavioral task behavioral1
Sample: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Resource: win7-20240705-en
Behavioral task behavioral2
Sample: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Resource: win10v2004-20240709-en
General
Target: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Size: 827KB
MD5: ac9e1c7decb45fa41c77e30543bc535e
SHA1: b89c25859b9b195d8768868be6d4b029bd395d1f
SHA256: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682
SHA512: 32ad2b8385fbb5206be47bd55f8a3af55ce6fd84c48771fec8b7fc39862fb9133aaf99de5672a548454c17fd05a03a0f3c1813df65b65fdae73ca7881393c417
SSDEEP: 12288:aRX/Vbdw0amUjO3t/6jf0eEHP2a1KP/CpvwfpKdXRJNJa:kXVamd96jf0/2apvwxKdXRJNJa
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.
-
Modifies WinLogon for persistence (2 TTPs, 7 IoCs)
Process: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
All seven IoCs are Set value (str) writes to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. Winlogon launches every comma-separated program in this value at logon; each write appends one more dropped copy after the real explorer.exe, so the final value launches seven payloads alongside the shell:
"explorer.exe, \"C:\\Users\\All Users\\Templates\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\RuntimeBroker.exe\", \"C:\\Windows\\SchCache\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dwm.exe\""
The intermediate writes are prefixes of this value, appending the paths in this order:
1. C:\Users\All Users\Templates\backgroundTaskHost.exe
2. C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe
3. C:\Program Files\Windows Portable Devices\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
4. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe
5. C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe
6. C:\Windows\SchCache\OfficeClickToRun.exe
7. C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe
Process spawned unexpected child process (21 IoCs)
The sandbox attaches this note whenever a child appears under a parent that does not normally launch it, which usually means the parent was compromised by an exploit or a macro. Here the parent is WmiPrvSE.exe, the WMI provider host, which becomes the parent of any process created through WMI (Win32_Process.Create). That is consistent with the sample registering its scheduled tasks via WMI rather than spawning schtasks.exe directly, and it is why the 21 schtasks.exe processes appear detached from PID 4200 in the process tree below.
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 3964) is not expected to spawn this process; child schtasks.exe PIDs: 5348, 3168, 4260, 2716, 4776, 2948, 5600, 5684, 5756, 5796, 5864, 5784, 6064, 6128, 6136, 3468, 5920, 5952, 5988, 5900, 5936
Yara rule matches
- behavioral2/memory/4200-0-0x0000000000390000-0x0000000000466000-memory.dmp: dcrat
- C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe: dcrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Process: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
- PID 5036 OfficeClickToRun.exe
Adds Run key to start application (2 TTPs, 14 IoCs)
Process: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Each dropped binary is registered under both the machine Run key and the user's Run key (the value name is the binary's name without extension):
- Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\SchCache\\OfficeClickToRun.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\RuntimeBroker.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\RuntimeBroker.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dwm.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\backgroundTaskHost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\All Users\\Templates\\backgroundTaskHost.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\SchCache\\OfficeClickToRun.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dwm.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\All Users\\Templates\\backgroundTaskHost.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682 = "\"C:\\Program Files\\Windows Portable Devices\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682 = "\"C:\\Program Files\\Windows Portable Devices\\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\backgroundTaskHost.exe\""
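The Winlogon\Shell and Run-key IoCs above are easy to misread when the value is a long escaped list. The following Python is an added example, not part of the sandbox report or of any tool the report names: it parses "Set value (str)" lines in the form the sandbox records them (embedded quotes and backslashes escaped C-style), splits the comma-separated Winlogon\Shell value, and flags every program that is not the stock explorer.exe, plus every Run-key program. The three sample lines are constructed from the report's own values; the function and variable names are this example's own.

```python
import re

# Added example, not part of the sandbox report. The sample lines below are
# constructed from the report's own registry IoCs, in the form the sandbox
# records them: Set value (str) <key> = "<value>", with embedded quotes and
# backslashes escaped C-style. Only three of the 21 entries are reproduced.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\backgroundTaskHost.exe\", \"C:\\Windows\\SchCache\\OfficeClickToRun.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\RuntimeBroker.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dwm.exe\""',
]

IOC_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)"$')


def parse_ioc(line):
    """Return (key, value) with the sandbox's C-style escaping removed."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"not a Set value IoC: {line!r}")
    value = re.sub(r'\\(.)', r'\1', m.group("value"))  # \" -> "  and  \\ -> \
    return m.group("key"), value


def split_entries(value):
    """Split a comma-separated autostart value; entries may be double-quoted."""
    return [tok.strip().strip('"') for tok in re.findall(r'"[^"]*"|[^,\s][^,]*', value)]


def hive(key):
    return "HKLM" if key.upper().startswith(r"\REGISTRY\MACHINE") else "HKU"


def audit(lines):
    """Flag Winlogon\\Shell programs beyond explorer.exe and every Run-key program."""
    findings = []
    for line in lines:
        key, value = parse_ioc(line)
        lowered = key.lower()
        if lowered.endswith(r"\winlogon\shell"):
            # Winlogon launches every comma-separated program here at logon, so
            # anything after the stock explorer.exe is a persistence payload.
            for entry in split_entries(value):
                if entry.lower() != "explorer.exe":
                    findings.append(("winlogon_shell", hive(key), entry))
        elif "\\currentversion\\run\\" in lowered:
            findings.append(("run_key", hive(key), split_entries(value)[0]))
    return findings


if __name__ == "__main__":
    for kind, h, path in audit(SAMPLE_IOCS):
        print(f"{kind:15} {h:5} {path}")
```

On a live host the same split_entries/audit logic applies to the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; a clean machine yields exactly one entry, explorer.exe, and the check returns nothing.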
Drops file in Program Files directory (10 IoCs)
Process: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- File created C:\Program Files (x86)\WindowsPowerShell\Configuration\9e8d7a4ca61bd9
- File created C:\Program Files (x86)\Reference Assemblies\Microsoft\6cb0b6c459d5d3
- File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\eddb19405b7ce1
- File created C:\Program Files\Windows Portable Devices\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- File created C:\Program Files\Windows Portable Devices\837dac93350532
- File created C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe
- File created C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe
- File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\9e8d7a4ca61bd9
Drops file in Windows directory (2 IoCs)
Process: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- File created C:\Windows\SchCache\OfficeClickToRun.exe
- File created C:\Windows\SchCache\e6c9b481da804f
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, PIDs 5920, 5684, 5796, 2948, 5600, 5756, 6128, 6136, 3468, 3168, 4260, 5936, 5864, 5988, 4776, 5784, 6064, 5952, 5900, 5348, 2716 (command lines are listed in the process tree below)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe (PID 4200, 5 IoCs); OfficeClickToRun.exe (PID 5036, 1 IoC)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4200 fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
- Token: SeDebugPrivilege, PID 5036 OfficeClickToRun.exe
Suspicious use of WriteProcessMemory (2 IoCs)
- PID 4200 (fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe) wrote to memory of PID 5036 (OfficeClickToRun.exe), recorded twice
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe (PID 4200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SchCache\OfficeClickToRun.exe (PID 5036, child of 4200)
    Command line: "C:\Windows\SchCache\OfficeClickToRun.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

The following 21 schtasks.exe processes are top-level in the tree because their parent is wmiprvse.exe (PID 3964), not PID 4200. Each carries the signatures Process spawned unexpected child process and Scheduled Task/Job: Scheduled Task. For every dropped binary the sample registers three tasks: a MINUTE-interval task, an ONLOGON task at /rl HIGHEST, and a second MINUTE-interval task at /rl HIGHEST.
- C:\Windows\system32\schtasks.exe (PID 5348)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\backgroundTaskHost.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 3168)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 4260)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2716)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 4776)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2948)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 5600)
  Command line: schtasks.exe /create /tn "fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682f" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 5684)
  Command line: schtasks.exe /create /tn "fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 5756)
  Command line: schtasks.exe /create /tn "fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682f" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 5796)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 5864)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 5784)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 6064)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 6128)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 6136)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 3468)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\OfficeClickToRun.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 5920)
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SchCache\OfficeClickToRun.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 5952)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\OfficeClickToRun.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 5988)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 5900)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 5936)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
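The process tree above shows two things worth turning into detection logic: schtasks.exe launched by wmiprvse.exe rather than by the sample, and scheduled tasks whose targets carry system binary names (RuntimeBroker.exe, dwm.exe, backgroundTaskHost.exe, OfficeClickToRun.exe) in directories where those binaries do not live. The Python below is an added example, not part of the sandbox report or of any tool it names. It parses "schtasks /create" command lines, groups registrations by target, and flags WMI-spawned registrations and masquerading targets. The events are constructed from the tree above plus one made-up benign task; the allowlist of expected directories and all function names are this example's own assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Added example, not part of the sandbox report. Events are (pid, parent image,
# command line) constructed from the process tree above; the last one is a
# made-up benign task that should produce no findings.
SAMPLE_EVENTS = [
    (5348, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\backgroundTaskHost.exe'" /f'''),
    (3168, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f'''),
    (4260, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f'''),
    (3468, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\OfficeClickToRun.exe'" /f'''),
    (5920, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SchCache\OfficeClickToRun.exe'" /rl HIGHEST /f'''),
    (5952, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\OfficeClickToRun.exe'" /rl HIGHEST /f'''),
    (7001, r"C:\Windows\explorer.exe",  # constructed benign control
     r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "'C:\Program Files\Backup Tool\backup.exe'" /f'''),
]

# Assumed legitimate directories for the system binary names this sample
# impersonates: an analyst-maintained allowlist, not something the report states.
EXPECTED_DIR = {
    "backgroundtaskhost.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "dwm.exe": r"c:\windows\system32",
    "officeclicktorun.exe": r"c:\program files\common files\microsoft shared\clicktorun",
}


def parse_schtasks(cmdline):
    """Pull the fields of a 'schtasks /create' command line into a dict."""
    def opt(name):
        m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmdline, re.I)
        if not m:
            return None
        return m.group(1) if m.group(1) is not None else m.group(2)
    target = opt("tr")
    # this sample wraps the path in single quotes inside the /tr double quotes
    target = target.strip("'") if target else None
    return {
        "name": opt("tn"),
        "schedule": (opt("sc") or "").upper(),
        "modifier": int(opt("mo")) if opt("mo") else None,
        "runlevel": (opt("rl") or "").upper(),
        "target": target,
    }


def findings_for(parent_image, task):
    hits = []
    if ntpath.basename(parent_image).lower() == "wmiprvse.exe":
        # WmiPrvSE.exe is the parent when a process is created through WMI
        # (Win32_Process.Create), which hides the real caller from the tree.
        hits.append("spawned-by-wmi")
    if task["target"]:
        folder, name = ntpath.split(task["target"])
        expected = EXPECTED_DIR.get(name.lower())
        if expected and folder.lower() != expected:
            hits.append(f"masquerade:{name}")
    return hits


def audit(events):
    """Group task registrations by target binary, with per-task findings."""
    by_target = defaultdict(list)
    for pid, parent, cmdline in events:
        task = parse_schtasks(cmdline)
        task["pid"] = pid
        task["hits"] = findings_for(parent, task)
        by_target[task["target"]].append(task)
    return dict(by_target)


def suspicious_targets(by_target):
    """Targets with any finding, or registered by three or more tasks at once
    (this sample's pattern: MINUTE, ONLOGON+HIGHEST, MINUTE+HIGHEST per binary)."""
    return sorted(t for t, tasks in by_target.items()
                  if len(tasks) >= 3 or any(x["hits"] for x in tasks))


if __name__ == "__main__":
    report = audit(SAMPLE_EVENTS)
    for target in suspicious_targets(report):
        print(target)
        for t in report[target]:
            print(f"  pid={t['pid']} {t['schedule']} mo={t['modifier']} rl={t['runlevel'] or '-'} {t['hits']}")
```

Fed with Sysmon event ID 1 records (Image, ParentImage, CommandLine) instead of the constructed tuples, the same audit() works unchanged; the parent check alone catches the WMI-launched registrations even before the masquerading paths are known.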
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1); Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Filesize: 827KB
MD5: ac9e1c7decb45fa41c77e30543bc535e
SHA1: b89c25859b9b195d8768868be6d4b029bd395d1f
SHA256: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682
SHA512: 32ad2b8385fbb5206be47bd55f8a3af55ce6fd84c48771fec8b7fc39862fb9133aaf99de5672a548454c17fd05a03a0f3c1813df65b65fdae73ca7881393c417