Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 16:22
Behavioral task: behavioral1
Sample: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Resource: win10v2004-20240709-en
General
Target: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Size: 1.3MB
MD5: f946ceb3dfbc4802323f045e77b9fc63
SHA1: 04beac37360d30c5ad933f82f80bfd41ae294cc4
SHA256: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
SHA512: 7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3
SSDEEP: 24576:qwwpL4DsvfsODQY2mq7yTK32HbzpEOlM7RJFolBjvmPln0Ep9GKc6NC1t:qw8LnsvQKMzpEOlM7RJqlhgq8rC1
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 8 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\", \"C:\\Windows\\Help\\en-US\\spoolsv.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\", \"C:\\Windows\\Help\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Documents\\sihost.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (24 instances)
description | pid | pid_target | process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1632 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 216 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 208 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5056 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1856 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3432 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1340 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1768 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1468 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 508 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 628 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4160 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 460 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4108 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4900 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4580 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4508 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3784 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1180 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3696 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2644 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3632 | 4956 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 4956 | schtasks.exe
Processes:
resource | yara_rule
behavioral2/memory/4548-1-0x0000000000CB0000-0x0000000000E0A000-memory.dmp | dcrat
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\fontdrvhost.exe | dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe | dcrat
C:\Users\Public\Music\System.exe | dcrat
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\fontdrvhost.exe | dcrat
C:\Windows\Help\en-US\spoolsv.exe | dcrat
C:\Users\Default\Documents\sihost.exe | dcrat
behavioral2/memory/508-186-0x0000000000320000-0x000000000047A000-memory.dmp | dcrat
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe, fontdrvhost.exe (13 instances)
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Executes dropped EXE 14 IoCs
Processes: fontdrvhost.exe (14 instances)
pid | process
508 | fontdrvhost.exe
4140 | fontdrvhost.exe
3972 | fontdrvhost.exe
840 | fontdrvhost.exe
4384 | fontdrvhost.exe
1540 | fontdrvhost.exe
3772 | fontdrvhost.exe
3928 | fontdrvhost.exe
4984 | fontdrvhost.exe
4348 | fontdrvhost.exe
3696 | fontdrvhost.exe
1604 | fontdrvhost.exe
2276 | fontdrvhost.exe
1016 | fontdrvhost.exe
Adds Run key to start application 2 TTPs 16 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Music\\System.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Help\\en-US\\spoolsv.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default\\Documents\\sihost.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Help\\en-US\\spoolsv.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default\\Documents\\sihost.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Music\\System.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\"" | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
Processes:
flow | ioc
21 | pastebin.com
84 | pastebin.com
86 | pastebin.com
70 | pastebin.com
20 | pastebin.com
47 | pastebin.com
49 | pastebin.com
56 | pastebin.com
53 | pastebin.com
67 | pastebin.com
88 | pastebin.com
90 | pastebin.com
32 | pastebin.com
61 | pastebin.com
Drops file in Program Files directory 10 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
description | ioc | process
File created | C:\Program Files\Windows Portable Devices\RuntimeBroker.exe | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File created | C:\Program Files\Windows Portable Devices\MusNotification.exe | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCX8837.tmp | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCX8838.tmp | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RuntimeBroker.exe | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File created | C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File created | C:\Program Files\Windows Portable Devices\aa97147c4c782d | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCX7C66.tmp | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCX7C67.tmp | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File opened for modification | C:\Program Files\Windows Portable Devices\MusNotification.exe | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Drops file in Windows directory 6 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
description | ioc | process
File created | C:\Windows\Help\en-US\spoolsv.exe | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File created | C:\Windows\Help\en-US\f3b6ecef712a24 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File opened for modification | C:\Windows\Help\en-US\RCX8A4C.tmp | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File opened for modification | C:\Windows\Help\en-US\RCX8ABB.tmp | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File opened for modification | C:\Windows\Help\en-US\spoolsv.exe | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
File created | C:\Windows\schemas\TSWorkSpace\backgroundTaskHost.exe | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 14 IoCs
Processes: fontdrvhost.exe (13 instances), 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | fontdrvhost.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (24 instances)
pid | process
5056 | schtasks.exe
508 | schtasks.exe
1180 | schtasks.exe
1632 | schtasks.exe
208 | schtasks.exe
1340 | schtasks.exe
4580 | schtasks.exe
4508 | schtasks.exe
216 | schtasks.exe
1856 | schtasks.exe
3432 | schtasks.exe
4160 | schtasks.exe
4900 | schtasks.exe
1768 | schtasks.exe
1468 | schtasks.exe
628 | schtasks.exe
460 | schtasks.exe
4108 | schtasks.exe
1812 | schtasks.exe
3784 | schtasks.exe
3696 | schtasks.exe
2644 | schtasks.exe
3632 | schtasks.exe
2828 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe, fontdrvhost.exe (14 instances)
pid | process
4548 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
4548 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
4548 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
508 | fontdrvhost.exe
4140 | fontdrvhost.exe
3972 | fontdrvhost.exe
840 | fontdrvhost.exe
4384 | fontdrvhost.exe
1540 | fontdrvhost.exe
3772 | fontdrvhost.exe
3928 | fontdrvhost.exe
4984 | fontdrvhost.exe
4348 | fontdrvhost.exe
3696 | fontdrvhost.exe
1604 | fontdrvhost.exe
1604 | fontdrvhost.exe
2276 | fontdrvhost.exe
2276 | fontdrvhost.exe
1016 | fontdrvhost.exe
1016 | fontdrvhost.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe, fontdrvhost.exe (14 instances)
description | pid | process
Token: SeDebugPrivilege | 4548 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Token: SeDebugPrivilege | 508 | fontdrvhost.exe
Token: SeDebugPrivilege | 4140 | fontdrvhost.exe
Token: SeDebugPrivilege | 3972 | fontdrvhost.exe
Token: SeDebugPrivilege | 840 | fontdrvhost.exe
Token: SeDebugPrivilege | 4384 | fontdrvhost.exe
Token: SeDebugPrivilege | 1540 | fontdrvhost.exe
Token: SeDebugPrivilege | 3772 | fontdrvhost.exe
Token: SeDebugPrivilege | 3928 | fontdrvhost.exe
Token: SeDebugPrivilege | 4984 | fontdrvhost.exe
Token: SeDebugPrivilege | 4348 | fontdrvhost.exe
Token: SeDebugPrivilege | 3696 | fontdrvhost.exe
Token: SeDebugPrivilege | 1604 | fontdrvhost.exe
Token: SeDebugPrivilege | 2276 | fontdrvhost.exe
Token: SeDebugPrivilege | 1016 | fontdrvhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe, fontdrvhost.exe (11 instances), WScript.exe (10 instances)
description | pid | process | target process
PID 4548 wrote to memory of 508 | 4548 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | fontdrvhost.exe
PID 4548 wrote to memory of 508 | 4548 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | fontdrvhost.exe
PID 508 wrote to memory of 4900 | 508 | fontdrvhost.exe | WScript.exe
PID 508 wrote to memory of 4900 | 508 | fontdrvhost.exe | WScript.exe
PID 508 wrote to memory of 916 | 508 | fontdrvhost.exe | WScript.exe
PID 508 wrote to memory of 916 | 508 | fontdrvhost.exe | WScript.exe
PID 4900 wrote to memory of 4140 | 4900 | WScript.exe | fontdrvhost.exe
PID 4900 wrote to memory of 4140 | 4900 | WScript.exe | fontdrvhost.exe
PID 4140 wrote to memory of 4300 | 4140 | fontdrvhost.exe | WScript.exe
PID 4140 wrote to memory of 4300 | 4140 | fontdrvhost.exe | WScript.exe
PID 4140 wrote to memory of 2948 | 4140 | fontdrvhost.exe | WScript.exe
PID 4140 wrote to memory of 2948 | 4140 | fontdrvhost.exe | WScript.exe
PID 4300 wrote to memory of 3972 | 4300 | WScript.exe | fontdrvhost.exe
PID 4300 wrote to memory of 3972 | 4300 | WScript.exe | fontdrvhost.exe
PID 3972 wrote to memory of 3176 | 3972 | fontdrvhost.exe | WScript.exe
PID 3972 wrote to memory of 3176 | 3972 | fontdrvhost.exe | WScript.exe
PID 3972 wrote to memory of 3320 | 3972 | fontdrvhost.exe | WScript.exe
PID 3972 wrote to memory of 3320 | 3972 | fontdrvhost.exe | WScript.exe
PID 3176 wrote to memory of 840 | 3176 | WScript.exe | fontdrvhost.exe
PID 3176 wrote to memory of 840 | 3176 | WScript.exe | fontdrvhost.exe
PID 840 wrote to memory of 632 | 840 | fontdrvhost.exe | WScript.exe
PID 840 wrote to memory of 632 | 840 | fontdrvhost.exe | WScript.exe
PID 840 wrote to memory of 4088 | 840 | fontdrvhost.exe | WScript.exe
PID 840 wrote to memory of 4088 | 840 | fontdrvhost.exe | WScript.exe
PID 632 wrote to memory of 4384 | 632 | WScript.exe | fontdrvhost.exe
PID 632 wrote to memory of 4384 | 632 | WScript.exe | fontdrvhost.exe
PID 4384 wrote to memory of 4780 | 4384 | fontdrvhost.exe | WScript.exe
PID 4384 wrote to memory of 4780 | 4384 | fontdrvhost.exe | WScript.exe
PID 4384 wrote to memory of 1280 | 4384 | fontdrvhost.exe | WScript.exe
PID 4384 wrote to memory of 1280 | 4384 | fontdrvhost.exe | WScript.exe
PID 4780 wrote to memory of 1540 | 4780 | WScript.exe | fontdrvhost.exe
PID 4780 wrote to memory of 1540 | 4780 | WScript.exe | fontdrvhost.exe
PID 1540 wrote to memory of 1068 | 1540 | fontdrvhost.exe | WScript.exe
PID 1540 wrote to memory of 1068 | 1540 | fontdrvhost.exe | WScript.exe
PID 1540 wrote to memory of 4376 | 1540 | fontdrvhost.exe | WScript.exe
PID 1540 wrote to memory of 4376 | 1540 | fontdrvhost.exe | WScript.exe
PID 1068 wrote to memory of 3772 | 1068 | WScript.exe | fontdrvhost.exe
PID 1068 wrote to memory of 3772 | 1068 | WScript.exe | fontdrvhost.exe
PID 3772 wrote to memory of 3028 | 3772 | fontdrvhost.exe | WScript.exe
PID 3772 wrote to memory of 3028 | 3772 | fontdrvhost.exe | WScript.exe
PID 3772 wrote to memory of 1004 | 3772 | fontdrvhost.exe | WScript.exe
PID 3772 wrote to memory of 1004 | 3772 | fontdrvhost.exe | WScript.exe
PID 3028 wrote to memory of 3928 | 3028 | WScript.exe | fontdrvhost.exe
PID 3028 wrote to memory of 3928 | 3028 | WScript.exe | fontdrvhost.exe
PID 3928 wrote to memory of 508 | 3928 | fontdrvhost.exe | WScript.exe
PID 3928 wrote to memory of 508 | 3928 | fontdrvhost.exe | WScript.exe
PID 3928 wrote to memory of 536 | 3928 | fontdrvhost.exe | WScript.exe
PID 3928 wrote to memory of 536 | 3928 | fontdrvhost.exe | WScript.exe
PID 508 wrote to memory of 4984 | 508 | WScript.exe | fontdrvhost.exe
PID 508 wrote to memory of 4984 | 508 | WScript.exe | fontdrvhost.exe
PID 4984 wrote to memory of 632 | 4984 | fontdrvhost.exe | WScript.exe
PID 4984 wrote to memory of 632 | 4984 | fontdrvhost.exe | WScript.exe
PID 4984 wrote to memory of 1960 | 4984 | fontdrvhost.exe | WScript.exe
PID 4984 wrote to memory of 1960 | 4984 | fontdrvhost.exe | WScript.exe
PID 632 wrote to memory of 4348 | 632 | WScript.exe | fontdrvhost.exe
PID 632 wrote to memory of 4348 | 632 | WScript.exe | fontdrvhost.exe
PID 4348 wrote to memory of 2040 | 4348 | fontdrvhost.exe | WScript.exe
PID 4348 wrote to memory of 2040 | 4348 | fontdrvhost.exe | WScript.exe
PID 4348 wrote to memory of 3792 | 4348 | fontdrvhost.exe | WScript.exe
PID 4348 wrote to memory of 3792 | 4348 | fontdrvhost.exe | WScript.exe
PID 2040 wrote to memory of 3696 | 2040 | WScript.exe | fontdrvhost.exe
PID 2040 wrote to memory of 3696 | 2040 | WScript.exe | fontdrvhost.exe
PID 3696 wrote to memory of 3036 | 3696 | fontdrvhost.exe | WScript.exe
PID 3696 wrote to memory of 3036 | 3696 | fontdrvhost.exe | WScript.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4548
Level 2: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: "C:\Users\Default\Cookies\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 508
Level 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc033611-d2d0-44b0-b277-4977adef5908.vbs"
- Suspicious use of WriteProcessMemory
PID: 4900
Level 4: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4140
Level 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\257d045d-0555-4632-9085-4363078208f3.vbs"
- Suspicious use of WriteProcessMemory
PID: 4300
Level 6: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3972
Level 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32432e3c-d9de-4559-9a06-dd76fc0ea08e.vbs"
- Suspicious use of WriteProcessMemory
PID: 3176
Level 8: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 840
Level 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\805768f0-8f3c-4087-8e66-4e6892e68392.vbs"
- Suspicious use of WriteProcessMemory
PID: 632
Level 10: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4384
Level 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96c02fd5-b86e-4c79-9598-9192034dc619.vbs"
- Suspicious use of WriteProcessMemory
PID: 4780
Level 12: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1540
Level 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c595f92e-0a95-4670-b7ee-50be35de7acf.vbs"
- Suspicious use of WriteProcessMemory
PID: 1068
Level 14: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3772
Level 15: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22b04a1f-b109-4d85-9d31-2c20f04d08d2.vbs"
- Suspicious use of WriteProcessMemory
PID: 3028
Level 16: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3928
Level 17: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e4d2282-b1ca-41cc-8169-e6a62efc4311.vbs"
- Suspicious use of WriteProcessMemory
PID: 508
Level 18: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4984
Level 19: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9559992-6813-4550-a111-527ef7c4c9fc.vbs"
- Suspicious use of WriteProcessMemory
PID: 632
Level 20: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4348
Level 21: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c53620db-243b-43e1-b707-1764855e6e3a.vbs"
- Suspicious use of WriteProcessMemory
PID: 2040
Level 22: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3696
Level 23: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64e30746-60ae-4f6b-afa0-3ebd7380e65b.vbs"
PID: 3036
Level 24: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1604
Level 25: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22fc14e8-43b6-4e5d-9656-d0db3ec0b447.vbs"
PID: 4372
Level 26: C:\Users\Default\Cookies\fontdrvhost.exe
Command line: C:\Users\Default\Cookies\fontdrvhost.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a175d40d-c386-4747-aec2-15660821120c.vbs"27⤵PID:1584
-
C:\Users\Default\Cookies\fontdrvhost.exeC:\Users\Default\Cookies\fontdrvhost.exe28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba08e236-ade8-4e5b-ad16-8ade9421b7f5.vbs"
Tree depth: 27
PID: 1860

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\284fc433-5c34-4a93-8b1f-86a66acaf077.vbs"
Tree depth: 25
PID: 4000

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7779719-7631-47ca-a9af-2be4444fdb7e.vbs"
Tree depth: 23
PID: 3308

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aa4de02-c1c3-4309-ac61-d177e5e01917.vbs"
Tree depth: 21
PID: 3792

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab2a99af-9977-4497-a89f-07ce0d419cc1.vbs"
Tree depth: 19
PID: 1960

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b85c961-42f2-4c17-9f0e-33d9e85f7665.vbs"
Tree depth: 17
PID: 536

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbd66830-6180-4f71-b5d1-682a3ed9bcf8.vbs"
Tree depth: 15
PID: 1004

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bba41d8-1d36-4709-9344-158aaae088a2.vbs"
Tree depth: 13
PID: 4376

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a81f9432-7531-4c29-99bc-080dea902f11.vbs"
Tree depth: 11
PID: 1280

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41267a48-933d-4c81-a165-b2f1ee7cf29a.vbs"
Tree depth: 9
PID: 4088

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e74a0ff-b026-4b09-8178-e322614a80d3.vbs"
Tree depth: 7
PID: 3320

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17d31dc7-af5f-41d0-99c8-8d65faf5d6f4.vbs"
Tree depth: 5
PID: 2948

C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\841342f7-1e3c-4245-8dea-77c1085e84ae.vbs"
Tree depth: 3
PID: 916
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1632

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 216

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 208

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5056

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1856

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3432

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1340

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1768

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1468

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\System.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 508

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 628

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4160

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 460

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4108

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1812

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\MusNotification.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4900

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\MusNotification.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4580

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\MusNotification.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4508

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\en-US\spoolsv.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3784

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Help\en-US\spoolsv.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1180

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\spoolsv.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3696

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\sihost.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2644

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Documents\sihost.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3632

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\sihost.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2828
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads