Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 22:51

Static task: static1

Behavioral task: behavioral1
  Sample: 059DD6A8CB2D31871BB82DBB158965FA.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 059DD6A8CB2D31871BB82DBB158965FA.exe
  Resource: win10v2004-20241007-en

General

Target: 059DD6A8CB2D31871BB82DBB158965FA.exe
Size: 1.9MB
MD5: 059dd6a8cb2d31871bb82dbb158965fa
SHA1: 10507debf7b1a88791b65fc08a5b995f9b873aee
SHA256: 3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb
SHA512: 3a9e138d8682f6e22ddcdd480da8cd6893d86cf1e48b7e4232c1cd87a9abe2a3e29577201ace85cf551739c33855352c081c85a2992eb60c2947a1524634580e
SSDEEP: 24576:2TbBv5rUyXVfKEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6c:IBJfp1JAz5cjb6k4cFdaNjTXfa/h
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MoUsoCoreWorker.exe\", \"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\Idle.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MoUsoCoreWorker.exe\", \"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\uk-UA\\dwm.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MoUsoCoreWorker.exe\", \"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\uk-UA\\dwm.exe\", \"C:\\Users\\All Users\\Microsoft\\conhost.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MoUsoCoreWorker.exe\", \"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\uk-UA\\dwm.exe\", \"C:\\Users\\All Users\\Microsoft\\conhost.exe\", \"C:\\hyperContaineragent\\Bridgecommon.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MoUsoCoreWorker.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MoUsoCoreWorker.exe\", \"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\"" | Bridgecommon.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description (all 18 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (all rows): 4368 | Process (all rows): schtasks.exe | procid_target (all rows): 93
pid: 5060, 752, 2888, 4984, 3652, 2652, 2976, 1792, 3132, 4380, 2660, 4556, 4572, 1904, 4340, 3460, 4848, 4772
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1488 | powershell.exe
2172 | powershell.exe
3588 | powershell.exe
4644 | powershell.exe
4036 | powershell.exe
2336 | powershell.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 059DD6A8CB2D31871BB82DBB158965FA.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | Bridgecommon.exe
Executes dropped EXE (2 IoCs)
pid | Process
3408 | Bridgecommon.exe
4772 | conhost.exe
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Idle.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows NT\\Accessories\\uk-UA\\dwm.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\Microsoft\\conhost.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgecommon = "\"C:\\hyperContaineragent\\Bridgecommon.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Windows\\Globalization\\MoUsoCoreWorker.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Windows\\Globalization\\MoUsoCoreWorker.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Idle.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows NT\\Accessories\\uk-UA\\dwm.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\Microsoft\\conhost.exe\"" | Bridgecommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgecommon = "\"C:\\hyperContaineragent\\Bridgecommon.exe\"" | Bridgecommon.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSCE7147E7D37045AABAE7E2E0A2B8234E.TMP | csc.exe
File created | \??\c:\Windows\System32\ovufcs.exe | csc.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows NT\Accessories\uk-UA\6cb0b6c459d5d3 | Bridgecommon.exe
File created | C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe | Bridgecommon.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Globalization\MoUsoCoreWorker.exe | Bridgecommon.exe
File created | C:\Windows\Globalization\1f93f77a7f4778 | Bridgecommon.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 059DD6A8CB2D31871BB82DBB158965FA.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | 059DD6A8CB2D31871BB82DBB158965FA.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | Bridgecommon.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process (all 18 rows): schtasks.exe
pid: 1904, 4772, 2888, 1792, 3132, 4380, 2660, 5060, 4984, 3652, 2976, 4848, 752, 2652, 4572, 3460, 4556, 4340
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
3408 | Bridgecommon.exe | 52
3588 | powershell.exe | 3
4644 | powershell.exe | 2
2336 | powershell.exe | 2
1488 | powershell.exe | 2
4036 | powershell.exe | 2
2172 | powershell.exe | 1
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3408 | Bridgecommon.exe
Token: SeDebugPrivilege | 3588 | powershell.exe
Token: SeDebugPrivilege | 4644 | powershell.exe
Token: SeDebugPrivilege | 2336 | powershell.exe
Token: SeDebugPrivilege | 1488 | powershell.exe
Token: SeDebugPrivilege | 4036 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 4772 | conhost.exe
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target | occurrences
PID 2336 wrote to memory of 3540 | 2336 | 059DD6A8CB2D31871BB82DBB158965FA.exe | 87 | 3
PID 3540 wrote to memory of 1176 | 3540 | WScript.exe | 100 | 3
PID 1176 wrote to memory of 3408 | 1176 | cmd.exe | 102 | 2
PID 3408 wrote to memory of 2432 | 3408 | Bridgecommon.exe | 106 | 2
PID 2432 wrote to memory of 552 | 2432 | csc.exe | 108 | 2
PID 3408 wrote to memory of 2172 | 3408 | Bridgecommon.exe | 124 | 2
PID 3408 wrote to memory of 1488 | 3408 | Bridgecommon.exe | 125 | 2
PID 3408 wrote to memory of 2336 | 3408 | Bridgecommon.exe | 126 | 2
PID 3408 wrote to memory of 4036 | 3408 | Bridgecommon.exe | 127 | 2
PID 3408 wrote to memory of 4644 | 3408 | Bridgecommon.exe | 128 | 2
PID 3408 wrote to memory of 3588 | 3408 | Bridgecommon.exe | 129 | 2
PID 3408 wrote to memory of 4812 | 3408 | Bridgecommon.exe | 136 | 2
PID 4812 wrote to memory of 4912 | 4812 | cmd.exe | 138 | 2
PID 4812 wrote to memory of 2652 | 4812 | cmd.exe | 139 | 2
PID 4812 wrote to memory of 4772 | 4812 | cmd.exe | 141 | 2
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (depth in brackets; each entry gives the image path, the observed command line, the PID, and the signatures triggered by that process).

[1] C:\Users\Admin\AppData\Local\Temp\059DD6A8CB2D31871BB82DBB158965FA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\059DD6A8CB2D31871BB82DBB158965FA.exe"
  PID: 2336
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\hyperContaineragent\6TX15s3o3dST68MJkEj7bgGxU9zvefDuKPar5COcqC66esPk.vbe"
    PID: 3540
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\hyperContaineragent\CYWN6IDJqLBtl0YjSrMSw1hYURgrvXzRLx.bat" "
      PID: 1176
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [4] C:\hyperContaineragent\Bridgecommon.exe
        Command line: "C:\hyperContaineragent/Bridgecommon.exe"
        PID: 3408
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bykkela2\bykkela2.cmdline"
          PID: 2432
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BED.tmp" "c:\Windows\System32\CSCE7147E7D37045AABAE7E2E0A2B8234E.TMP"
            PID: 552

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MoUsoCoreWorker.exe'
          PID: 2172
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\RuntimeBroker.exe'
          PID: 1488
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Idle.exe'
          PID: 2336
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'
          PID: 4036
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\conhost.exe'
          PID: 4644
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\Bridgecommon.exe'
          PID: 3588
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFz9ci6xjk.bat"
          PID: 4812
          - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID: 4912

          [6] C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 2652

          [6] C:\Users\All Users\Microsoft\conhost.exe
            Command line: "C:\Users\All Users\Microsoft\conhost.exe"
            PID: 4772
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

Top-level schtasks.exe processes (each triggered "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task"; image C:\Windows\system32\schtasks.exe in every case):

[1] PID 5060: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\MoUsoCoreWorker.exe'" /f
[1] PID 752: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Globalization\MoUsoCoreWorker.exe'" /rl HIGHEST /f
[1] PID 2888: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\MoUsoCoreWorker.exe'" /rl HIGHEST /f
[1] PID 4984: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /f
[1] PID 3652: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
[1] PID 2652: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
[1] PID 2976: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /f
[1] PID 1792: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
[1] PID 3132: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
[1] PID 4380: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'" /f
[1] PID 2660: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'" /rl HIGHEST /f
[1] PID 4556: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'" /rl HIGHEST /f
[1] PID 4572: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\conhost.exe'" /f
[1] PID 1904: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\conhost.exe'" /rl HIGHEST /f
[1] PID 4340: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\conhost.exe'" /rl HIGHEST /f
[1] PID 3460: schtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 9 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /f
[1] PID 4848: schtasks.exe /create /tn "Bridgecommon" /sc ONLOGON /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f
[1] PID 4772: schtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 5 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Filesize: 944B
MD5: 2e907f77659a6601fcc408274894da2e
SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Filesize: 1KB
MD5: 9f44400badd0a127f1460c63e1a5f0a9
SHA1: 9a7dfda8720c9c406047bc24208798aa0ea66250
SHA256: 906dcc64e69e8558864633e3bf41d05d29025c7dadc337b3e1873ec2e8fa1a42
SHA512: a84167cb9d64fdd57f01d56c5334c9e054e31d149d21f4d161a2410c98d6514e5342315ad1a9a9cd331c5472233da26077525e3c96ef518e9df863f6bd8bbbba

Filesize: 216B
MD5: 20e3d37622e665b6da04a28b783a5945
SHA1: a6823f520cb3768d05ebf4ea4cf4b59aa3bd5212
SHA256: 10cff66efb55ffbf4f6a01d4651a9c7ef03e9ff4d0fef876e82bcd3524f2d142
SHA512: 4160ba411253bde5a1406ead43b684c900a25cde2b6532e5ffc4eb469e44bd0d8fa863864d0e3b1f4f2e77184b8787a7b64616894813a2ca01e550bde5197780

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 232B
MD5: 321b2b59ad9c31cf688937ac999a85af
SHA1: 4e427aaa9f2ef8a56da4c78bef071c28db269c36
SHA256: 5758fd0e39dc256b30ed578041ca918d92a69b9df7e4ad7808a925619fde3f85
SHA512: 2e77990658a9602e1da837fbc4754f7629df1b6fb6c0a41fb5a1250a924d30fa564c2b3c69c1582d0062244da480e293ea906d30b4c04cc57016d7b3f3ca30e2

Filesize: 1.6MB
MD5: 477db3de46b7779b63495a8bdb279f2c
SHA1: 77dc3f7d83728294c49298db82dd0e668adc3a73
SHA256: 8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366
SHA512: 4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

Filesize: 83B
MD5: df218c1160a79b119167d4dd812857ea
SHA1: e0adece134e3ab420a5eb152b98f89f8b15399bb
SHA256: e5cf111b8b8722e4c2ef307e6de857530b48ea2c52a18819424bbbeb8f23a0db
SHA512: aeaefbbaee7da588e16ff9f6928b001ed9cfcfa60fe54705f5c4705526b010039a92c6dd34dab4b592e5d24a044525e5e2c3ba4b4acac7d07c10f7e4c5488f17

Filesize: 376B
MD5: b2eed57b050f4d77623059909d61afd1
SHA1: 71a1fdec9770dd9fec238ee0427916c7b07d6ef1
SHA256: 67bb5e90bfeef9a7d6c0325c1c152c1d7c372447ef12f6c93fb1b8d66fbfff76
SHA512: d9cacd17f8dd0ed31af7700ad39d1147fc1890243b4306e693fbb629933bd784810ebc9873a0d4ba4251ca419906480dd0e0a4c7abb5a688b271bc8d089cc3be

Filesize: 235B
MD5: 1b44085b60db1b1e8dd653b34a7128b3
SHA1: 9429fda7df09d45346e84863ccc74545bd814820
SHA256: 526218a51ac2a6558e0dd98a26a8e97d613a51b09663c9afcd3b8924d69c6d41
SHA512: 7e5f7fb5ddea6057d13a01038cc4e8ce6c723cffc9f84fe913e36390dc752ce9f862acc7c628dd8f2e0130ae3dfd356d06245fbb3929979e059c8e24d83007ea

Filesize: 1KB
MD5: 1c519e4618f2b468d0f490d4a716da11
SHA1: 1a693d0046e48fa813e4fa3bb94ccd20d43e3106
SHA256: 4dbf16e3b3bb06c98eeaf27d0a25d9f34ee0ceac51e6365218ef7cd09edb3438
SHA512: 99f293878a08b56db6ff2297f243f5f5b85864e6925a1d6af61a65369f7eb323ae1b75fe5f1465fac0b982ac9f49b9e0a295b5dac947da40f61991c4411233fd