Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-07-2024 10:47

General

  • Target

    RastyClient.exe

  • Size

    1.6MB

  • MD5

    e97033f786a03e53c5b1f2f8f7459823

  • SHA1

    ee716af387f986b3f89eaa8f95e2e9525a7e6dc5

  • SHA256

    51803275cce1aa6e37aaa3f5cc9d28244eb27f275691254b0c916224f8cbe3f3

  • SHA512

    492f847961f8bea60b2aaa9d6200148fb0b7da4a504f3bd41c624e6698d8ae5f0ac925c612cc53b099173ca1730c8c1bd6945ca8ea58d1a472fc428220c5e8ca

  • SSDEEP

    24576:U2G/nvxW3Ww0tXNKse+i4rH9o95ONppeDZf/7wL6yz3dkoJoDvCJp88aQ:UbA30Xg4rdC/bIoDvC88P

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process (30 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload (2 IoCs)

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Drops file in System32 directory (1 IoCs)
  • Drops file in Program Files directory (10 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 30 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (49 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RastyClient.exe
    "C:\Users\Admin\AppData\Local\Temp\RastyClient.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4912
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Bridgecrt\gMVksfrBboGCsBBkLwQuhvaLwm.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Bridgecrt\7isy5PZMm5dkBZViNdFGyDFLK0qR.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Bridgecrt\RefdhcpSvc.exe
          "C:\Bridgecrt\RefdhcpSvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Users\Admin\3D Objects\RuntimeBroker.exe
            "C:\Users\Admin\3D Objects\RuntimeBroker.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1228
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com/
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:4232
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff72e946f8,0x7fff72e94708,0x7fff72e94718
                7⤵
                  PID:3292
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
                  7⤵
                    PID:3696
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
                    7⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3424
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
                    7⤵
                      PID:4276
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
                      7⤵
                        PID:864
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                        7⤵
                          PID:1728
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
                          7⤵
                            PID:408
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
                            7⤵
                              PID:1636
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
                              7⤵
                                PID:1508
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
                                7⤵
                                  PID:2064
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
                                  7⤵
                                    PID:1416
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
                                    7⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3584
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
                                    7⤵
                                      PID:3868
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
                                      7⤵
                                        PID:5096
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
                                        7⤵
                                          PID:4748
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1073896466118047472,210558015940512543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
                                          7⤵
                                            PID:868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Bridgecrt\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Bridgecrt\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Bridgecrt\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\3D Objects\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\3D Objects\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Bridgecrt\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Bridgecrt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Bridgecrt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Oracle\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\skins\WaaSMedicAgent.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:968
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4712
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Bridgecrt\7isy5PZMm5dkBZViNdFGyDFLK0qR.bat

    Filesize

    29B

    MD5

    f8f274a07f5224a3f69091f043af146c

    SHA1

    2513dccda5f12624dbb9a13052a2e629936bbab6

    SHA256

    8a6e165c22056fc26e710ade51ec3f299e8aca3c4e43b53cc77b9be60bb3cb24

    SHA512

    0c559ea5231d80976bb21b6ba1f8d788112cf89a8c7c32bb268557711a4d945f718616f9324997b5e59980956b736a1c59fb93ec17280cc7b8ccf3cf81ac298f

  • C:\Bridgecrt\RefdhcpSvc.exe

    Filesize

    1.3MB

    MD5

    e30cdcd8806bdf366db5b9652663ff6c

    SHA1

    4d7b9c8f0e0ce092f1008a31a79ef961cd42a66e

    SHA256

    6faa8554c6856c2e5869ee5bd0d1dd6b7dcbeaabbdd108e7c24987f5a8b9a323

    SHA512

    e2f0925a9b2ae495364c07814dc7e3725b64faf31f8601e99367a89b8a155da5b54e26cc9bc7ddd50facc13726a10e1dd88b49cfbbeb4e69f3a1ee68034ffa13

  • C:\Bridgecrt\gMVksfrBboGCsBBkLwQuhvaLwm.vbe

    Filesize

    214B

    MD5

    1bc36447909f83b562458feb56958fc7

    SHA1

    bdc93b6370a26ebbb0a691e62c7a9a3a9cf6b265

    SHA256

    2becf9f25216246f2503fd1378725c9cf03bebe8a0c6c8ca7778f4214bdf76d9

    SHA512

    e2b8d1d5f43f502a82865d0056fa27ddfd7f513515be6ae2419a294e71b569a2990142ff2956b16298da70456d534b8a73af4b9b2bbc55d366e656a1603e2ca8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    60ead4145eb78b972baf6c6270ae6d72

    SHA1

    e71f4507bea5b518d9ee9fb2d523c5a11adea842

    SHA256

    b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

    SHA512

    8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    1f9d180c0bcf71b48e7bc8302f85c28f

    SHA1

    ade94a8e51c446383dc0a45edf5aad5fa20edf3c

    SHA256

    a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

    SHA512

    282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

    Filesize

    211KB

    MD5

    151fb811968eaf8efb840908b89dc9d4

    SHA1

    7ec811009fd9b0e6d92d12d78b002275f2f1bee1

    SHA256

    043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

    SHA512

    83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

    Filesize

    864B

    MD5

    86a988e06b14c9bef1b2d7800377ac53

    SHA1

    3fe3dce921ee648e7f17aa71a2ab88880c33a5fd

    SHA256

    17987e6c618314d761ca8885e5d9dbe67cf9361e393569b28db433e35081a0a6

    SHA512

    e5037780f013c9e5566fb895356dd35ec5cefe5326874e7fdcb04e8f8bbf1161ab7b64919a974e13bdf48d612b817be766d30ad49199ee7ae3fb941bcd56833a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    dbadde817dead2ec1124ca94ff99af07

    SHA1

    fc60099388fc72375da10b705c452c492b42000c

    SHA256

    d6926d3008b7983ebc635b17ee1440cec27329ed1feac5507369b50568d463d8

                                    SHA512

                                    7d2a564e8f9bfc005ea6804d03ea2182ebc39952981d102e57e7a9c87a57ace73545be92becd16627a5ea76383ffbcf5d96389ecf7b3b6a75d431fd5e5ac72dd

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    7KB

                                    MD5

                                    e3430b2de33080893782e608d5ec89a3

                                    SHA1

                                    b1d6c6d43d70b0a28db034bb67a8d7c2fa2200e5

                                    SHA256

                                    ee4f40627d71ceeef134c3352fca26e18518fbc8ec768a434eb11aaaf6618e12

                                    SHA512

                                    6f5779d0a65f8f51addc4f478fe5f145d81f199734e57a9d0a07f9ae8864e499d8f51705df0e69519f73a5cd1bed35c28bd10d1f0977792075be1240b3d8a576

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    7KB

                                    MD5

                                    7694253bc72747b8b5c57ad96b7013a2

                                    SHA1

                                    bb068aa3bc65201d66c792b4da4271035ee856ad

                                    SHA256

                                    fbd621748cd7cd5c55f8ed29b90e5ec9e578fca8b3f4e93f07fde1bf46cabab4

                                    SHA512

                                    92bc89ce41a28e3dd8d187d2d9fc970e50db3076d5c8ffaee1f07570a3b5ac63f94786b89da784366b5735d4ee633dc8a88b395636fa6959ebff1cf7abf8b5ac

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                    Filesize

                                    96B

                                    MD5

                                    3799d012e90fd8249115ec3bef17a852

                                    SHA1

                                    96db7117c3a776865b6807c871d4a731983cec83

                                    SHA256

                                    d6d9ea94136767073f2b5d3ef690f2cd390ab58b151123dbe999e68a998c0afc

                                    SHA512

                                    c60e28ab6c4ed0a4a57ccd45d890f8408668bf7c01929cdc520fe6a5d3297d2b57d1a22fd154c0053cddd480cb14b352caca645e5933edc457991e0dd10782e2

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe598c77.TMP

                                    Filesize

                                    48B

                                    MD5

                                    2eec9f19e67b866e110028e705376913

                                    SHA1

                                    d23511c1e521784388a4e79d8498de1b072b0e13

                                    SHA256

                                    110aaa5de6690ef87e92c1b8dadf5906121ada4b6525d82240b87f184e84db00

                                    SHA512

                                    3159263710a04d9dc0b30cd1217c0192f4ce75678a0eba290cec66b780191d1a5b6123f78c56e1ef193849278bd947a6c7f40de93f0c58528e278f993b7ad6cb

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    11KB

                                    MD5

                                    0822e6f550012d955b94f81d021c86c4

                                    SHA1

                                    74c8a315d25c197d407ad319b9be47aab11409e7

                                    SHA256

                                    c40036dd9f34269e4146d3cbaea5ea1de910830d66967af42830e19f0ac66147

                                    SHA512

                                    28d1ea1f1b8dac15da8fd1ff4f517eb515b0d0f18a4ece5a16fa280061c02ca409ce2cdf7c07cfa64e701e598217855df9326a16d4c90c45bd8f6c3d361a97de

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    f1810565c94150573dd5fcd5de75ce2d

                                    SHA1

                                    5ac8ee12494f86bd8b7fa2771a1ea1d7671587a9

                                    SHA256

                                    135272f90bf934cc54298b9a50752e1c79a4ba0731eebb9d4ba2689901c75ad2

                                    SHA512

                                    1817ad2b715b323c623c769d980cffa8a1a06d9eb90c81608ed6f7bd2acc428babc459d12ba9823f272bbd59384c0fb8884078d70bed29f583db590319f07cc5

                                  • C:\Windows\bcastdvr\55b276f4edf653

                                    Filesize

                                    678B

                                    MD5

                                    ff2864e0d9c273c86231f2c63b5f3bff

                                    SHA1

                                    ec1a4e45bcf97c4c074750b8f2bc56e8fc4827d8

                                    SHA256

                                    1b5e0537ec38c780f8ae0e29b77cc832f98b168122feaeb832531ebaaf482355

                                    SHA512

                                    c696704e132320323311cf7bfa0b2e3cf39cfae0fdee004c19c7137c6457d870699b3fe2b8390b88c2c8341982feb2a94dccae5c39053f2e34706d83cc17796d

                                  • \??\pipe\LOCAL\crashpad_4232_THIOXWIACASCVOFG

                                    MD5

                                    d41d8cd98f00b204e9800998ecf8427e

                                    SHA1

                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                    SHA256

                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                    SHA512

                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                  • memory/1228-50-0x000000001BDA0000-0x000000001BDB8000-memory.dmp

                                    Filesize

                                    96KB

                                  • memory/2916-14-0x0000000002350000-0x000000000235E000-memory.dmp

                                    Filesize

                                    56KB

                                  • memory/2916-17-0x0000000002380000-0x0000000002396000-memory.dmp

                                    Filesize

                                    88KB

                                  • memory/2916-13-0x00000000000E0000-0x000000000022A000-memory.dmp

                                    Filesize

                                    1.3MB

                                  • memory/2916-15-0x0000000002360000-0x000000000237C000-memory.dmp

                                    Filesize

                                    112KB

                                  • memory/2916-16-0x000000001AEE0000-0x000000001AF30000-memory.dmp

                                    Filesize

                                    320KB

                                  • memory/2916-18-0x00000000023A0000-0x00000000023B0000-memory.dmp

                                    Filesize

                                    64KB

                                  • memory/2916-12-0x00007FFF714B3000-0x00007FFF714B5000-memory.dmp

                                    Filesize

                                    8KB