Analysis
max time kernel: 120s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2024 09:00
Static task: static1
Behavioral task: behavioral1
  Sample: 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
  Resource: win10v2004-20241007-en
(The platform and resource above identify this page as the behavioral2 run.)
General
Target: 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Size: 1.8MB
MD5: ad09440875d20aadffdfdc8de043c448
SHA1: fbfc7d94285b1da7e0799382a40352f827984771
SHA256: 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508
SHA512: e8d80aa2ec81b8b06b2a83e18674e19137b996f405dc4e6c93a3fcf76de0e949cbc333396a22141963043fd55ff9a8711eabd0963b933df58e4438f42706e8a3
SSDEEP: 24576:zyvTg4STbYSG65XZsTBsR36Y1864kHFLlb/sgaspAqsbTsIvVJUl52iFxA4Gbgz:W6hdR3KlyFLlbsrs6PbTJU24GbQ
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process
All six events are Set value (str) writes by 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. Each write replaces the whole value with the previous list plus one more path, so the sixth write is the final state (shown here with the sandbox's JSON escaping removed, i.e. as the string sits in the registry):
explorer.exe, "C:\Program Files (x86)\Google\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe", "C:\Users\Default\Start Menu\csrss.exe", "C:\Users\Public\fontdrvhost.exe", "C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe", "C:\Recovery\WindowsRE\fontdrvhost.exe", "C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe"
Order in which the paths were appended (one event each):
1. C:\Program Files (x86)\Google\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
2. C:\Users\Default\Start Menu\csrss.exe
3. C:\Users\Public\fontdrvhost.exe
4. C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe
5. C:\Recovery\WindowsRE\fontdrvhost.exe
6. C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Winlogon starts every program in this comma-separated list at logon, so remediation has to reset Shell to explorer.exe; deleting the dropped files while leaving the value in place still yields a launch attempt for each path at every logon.
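As an added example (not part of the sandbox report), the following Python parses a Winlogon Shell value of this shape and lists what Winlogon would start besides explorer.exe. The embedded value is the final one from the six events above; the regex splitter, the helper names and the optional winreg live read are this example's own.

```python
"""Parse a Winlogon\\Shell value and report every entry Winlogon would launch
besides explorer.exe. Added example; not code from the sample or the sandbox."""
import re
import sys

# Final Shell value from the sixth "Set value" event in the report, written as
# a normal Python string (doubled backslashes), i.e. the registry string itself.
SHELL_FROM_REPORT = (
    'explorer.exe, '
    '"C:\\Program Files (x86)\\Google\\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe", '
    '"C:\\Users\\Default\\Start Menu\\csrss.exe", '
    '"C:\\Users\\Public\\fontdrvhost.exe", '
    '"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\spoolsv.exe", '
    '"C:\\Recovery\\WindowsRE\\fontdrvhost.exe", '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe"'
)

# One entry is either a double-quoted string (which may contain commas and
# spaces) or a bare token running up to the next comma; entries are comma-separated.
SHELL_ENTRY = re.compile(r'\s*(?:"([^"]*)"|([^,"]+?))\s*(?:,|$)')


def split_shell_value(value: str) -> list[str]:
    """Split a Winlogon Shell string into the programs Winlogon would start."""
    return [quoted or bare for quoted, bare in SHELL_ENTRY.findall(value) if quoted or bare]


def unexpected_shell_entries(value: str, expected=("explorer.exe",)) -> list[str]:
    """Entries other than the stock shell, compared case-insensitively. A full
    path to explorer.exe is also reported, because the stock value is the bare name."""
    return [entry for entry in split_shell_value(value) if entry.lower() not in expected]


def read_live_shell() -> str:
    """Read the live HKLM Winlogon Shell value. Windows only; winreg is imported
    lazily so the module still loads on other platforms."""
    import winreg
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
        value, _ = winreg.QueryValueEx(handle, "Shell")
    return value


if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    value = read_live_shell() if live else SHELL_FROM_REPORT
    for entry in unexpected_shell_entries(value):
        print("unexpected Shell entry:", entry)
```

Run with `--live` on a Windows host to check the real HKLM value; the per-user override under HKCU\...\Winlogon\Shell is worth reading the same way, since Winlogon honours it when present.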
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
All 18 events have the same shape: Parent C:\Windows\system32\wbem\wmiprvse.exe (pid_target 4736) is not expected to spawn this process: schtasks.exe, procid_target 85. Child pids in the order recorded:
224, 3064, 3360, 1920, 2472, 3564, 2464, 1956, 3308, 1604, 2612, 1448, 1700, 3296, 4440, 3860, 4060, 3256
Caveat: the canned description fits this case poorly. WmiPrvSE.exe also becomes the parent when a process on the same host creates a process through WMI (for example via the Win32_Process class), and the one schtasks.exe /create line preserved at the bottom of the process tree registers the sample's own Program Files (x86)\Google copy. The likelier reading is therefore that the sample launches schtasks.exe through WMI so that the task creation is not a direct child of its own process, not that WmiPrvSE.exe was exploited; the "Uses Task Scheduler COM API" signature below shows tasks are also registered directly.
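Added example, not from the sandbox report: a triage routine over process-creation events that flags LOLBins whose parent is WmiPrvSE.exe and decodes schtasks /create command lines into a readable summary. The events are constructed from this report (WmiPrvSE pid 4736 and its first schtasks child, pid 224, paired with the one /create command line the page preserves at the end of the process tree); the svchost and explorer.exe events, the benign schtasks /query, the LOLBIN set and all function names are this example's assumptions.

```python
"""Flag LOLBins spawned by WmiPrvSE.exe and decode schtasks /create lines.
Added example; events are constructed from the report, not captured by it."""
import ntpath

SAMPLE = "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508"
TASK_TARGET = ntpath.join(r"C:\Program Files (x86)\Google", SAMPLE + ".exe")

# The one schtasks command line the report preserves (last line of the tree).
CREATE_CMD = ('schtasks.exe /create /tn "' + SAMPLE + '5" /sc MINUTE /mo 10 '
              '/tr "\'' + TASK_TARGET + '\'" /f')

# Constructed process-creation events: (pid, ppid, image, command line).
# pid 4736 is WmiPrvSE.exe and pid 224 its first schtasks child, as in the report;
# the svchost parent, explorer.exe and the benign /query are assumptions for contrast.
EVENTS = [
    (900, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    (4736, 900, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    (224, 4736, r"C:\Windows\system32\schtasks.exe", CREATE_CMD),
    (1200, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1300, 1200, r"C:\Windows\system32\schtasks.exe", "schtasks.exe /query /fo LIST"),
]

# Children of WmiPrvSE.exe that should prompt a look (assumed list; extend to taste).
LOLBINS = {"schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
           "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}


def win_tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace outside double quotes,
    dropping the double quotes themselves (single quotes are kept)."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_schtasks(cmdline: str) -> dict:
    """Return schtasks switches as a dict: valued switches (/tn X) map to X and
    bare switches (/create, /f) map to True. Single quotes, which schtasks
    accepts around the /tr program path, are stripped from values."""
    toks = win_tokens(cmdline)
    opts, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1].strip("'")
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def describe_task(opts: dict) -> str:
    """Human-readable summary of a parsed /create line."""
    sched = str(opts.get("sc", "?")).upper()
    if sched in ("MINUTE", "HOURLY", "DAILY"):
        every = f"every {opts.get('mo', '1')} {sched.lower()}(s)"
    else:
        every = sched
    return f"task {opts.get('tn')!r} runs {every} -> {opts.get('tr')}"


def unexpected_wmi_children(events) -> list[tuple[int, str]]:
    """(pid, summary) for every LOLBIN whose parent image is WmiPrvSE.exe."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmd in events:
        parent = by_pid.get(ppid)
        if not parent or ntpath.basename(parent[2]).lower() != "wmiprvse.exe":
            continue
        if ntpath.basename(image).lower() not in LOLBINS:
            continue
        opts = parse_schtasks(cmd)
        hits.append((pid, describe_task(opts) if "create" in opts else cmd))
    return hits


if __name__ == "__main__":
    for pid, summary in unexpected_wmi_children(EVENTS):
        print(f"pid {pid}: {summary}")
```

On a real telemetry feed, also key the rule on the parent's own parent: WmiPrvSE.exe launched by svchost.exe (DcomLaunch) is the normal provider host, and its children are the interesting part.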
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation
  fontdrvhost.exe: 14 events (one per dropped-copy instance)
  5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe: 1 event
Caveat: this is the key GetUserGeoID reads, and ordinary locale initialisation in .NET programs can trigger the same read, so one read per process is weak evidence of geofencing by itself. Treat it as a lead to confirm in the decompiled assembly (DCRat is .NET, so dnSpy or ILSpy will show whether the result is compared against a country list).
Executes dropped EXE 15 IoCs
pid Process
fontdrvhost.exe, pids 4900, 2132, 4860, 4896, 2772, 4128, 1700, 1052, 1972, 2056, 4384, 4840, 4460, 1560, 1456 (all 15 events)
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process
All 12 events are Set value (str) writes by 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe, in this order. HKLM stands for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKU for \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
1. HKLM\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508 = "C:\Program Files (x86)\Google\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe"
2. HKU\csrss = "C:\Users\Default\Start Menu\csrss.exe"
3. HKLM\fontdrvhost = "C:\Users\Public\fontdrvhost.exe"
4. HKU\spoolsv = "C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe"
5. HKU\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508 = "C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe"
6. HKLM\fontdrvhost = "C:\Recovery\WindowsRE\fontdrvhost.exe"
7. HKLM\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508 = "C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe"
8. HKU\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508 = "C:\Program Files (x86)\Google\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe"
9. HKLM\csrss = "C:\Users\Default\Start Menu\csrss.exe"
10. HKU\fontdrvhost = "C:\Users\Public\fontdrvhost.exe"
11. HKLM\spoolsv = "C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe"
12. HKU\fontdrvhost = "C:\Recovery\WindowsRE\fontdrvhost.exe"
Four value names are written twice in the same hive (HKLM\fontdrvhost: Public then Recovery; HKLM\<hash>: Google then Temp; HKU\<hash>: Temp then Google; HKU\fontdrvhost: Public then Recovery), so a registry dump taken after the run shows four names per hive with only the last path each. The overwritten targets stay referenced from Winlogon\Shell above and have to be collected separately. Three of the four names (csrss, fontdrvhost, spoolsv) mimic Windows binaries that genuinely live in System32, a masquerading pattern worth its own detection.
Drops file in System32 directory 2 IoCs
description ioc Process
File created \??\c:\Windows\System32\CSC61756816FCD84101A84172A66C4BAE5.TMP  csc.exe
File created \??\c:\Windows\System32\kpkopw.exe  csc.exe
Both files come from the run-time C# compilation in the process tree (csc.exe at depth 2, cvtres.exe at depth 3, driven by cprimsm1.cmdline in %TEMP%). kpkopw.exe is csc.exe's own output and belongs in the evidence set; the .cmdline and the source it references are gone by the time the sandbox snapshot is taken unless the file-system log preserved them.
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe  5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\f3b6ecef712a24  5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
File created C:\Program Files (x86)\Google\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe  5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
File created C:\Program Files (x86)\Google\79aac1ab6b9597  5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
PING.EXE, pids 1556, 2428, 1648, 1396, 3040
Caveat: every one of these is "ping -n 10 localhost" (see the process tree), which tests nothing about Internet connectivity; the sample uses it, alternating with w32tm /stripchart against localhost, as a sleep inside its batch files. The signature fires on ping.exe generically.
Modifies registry class 15 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings
  fontdrvhost.exe: 14 events
  5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe: 1 event
This key is commonly created as a side effect of ordinary shell API use; on its own it is low signal.
Runs ping.exe 1 TTPs 5 IoCs
pid Process
PING.EXE, pids 2428, 1648, 1396, 3040, 1556
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
schtasks.exe, pids 4440, 4060, 3360, 3564, 1448, 3296, 3860, 3256, 2464, 3308, 1604, 3064, 1700, 1956, 2612, 224, 1920, 2472
These are the same 18 processes listed under "Process spawned unexpected child process": all of them run under WmiPrvSE.exe. Only one of their command lines survives on this page (the schtasks.exe /create line at the end of the process tree), which registers the Program Files (x86)\Google copy to run every 10 minutes.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4200 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe (all 64 events)
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process
Token: SeDebugPrivilege 4200 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Token: SeDebugPrivilege, one event each for fontdrvhost.exe pids 2132, 4860, 4896, 2772, 4128, 1700, 1052, 1972, 2056, 4384, 4840, 4460, 1560
The sample runs with administrative rights in this sandbox (it writes HKLM and Program Files), so enabling SeDebugPrivilege succeeds. Together with the 64 process-enumeration events from pid 4200 this is consistent with the RAT walking the process list, but the report does not show what it compares the names against.
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Each of the 32 pairs below was recorded twice (64 events). Every one is a parent writing into a child it has just created, the pattern sandboxes record for every ordinary CreateProcess launch; nothing here writes into a process outside the tree, so this signature adds no injection evidence beyond the process tree itself.
PID 4200 wrote to memory of 1840  5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe  89
PID 1840 wrote to memory of 3348  csc.exe  92
PID 4200 wrote to memory of 984  5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe  110
PID 984 wrote to memory of 3764  cmd.exe  112
PID 984 wrote to memory of 1556  cmd.exe  114
PID 984 wrote to memory of 4900  cmd.exe  121
PID 4128 wrote to memory of 2208  cmd.exe  125
PID 4128 wrote to memory of 2428  cmd.exe  126
PID 4128 wrote to memory of 2132  cmd.exe  128
PID 2132 wrote to memory of 3864  fontdrvhost.exe  130
PID 3864 wrote to memory of 4980  cmd.exe  132
PID 3864 wrote to memory of 4092  cmd.exe  133
PID 3864 wrote to memory of 4860  cmd.exe  138
PID 4860 wrote to memory of 1852  fontdrvhost.exe  140
PID 1852 wrote to memory of 3788  cmd.exe  142
PID 1852 wrote to memory of 1648  cmd.exe  143
PID 1852 wrote to memory of 4896  cmd.exe  145
PID 4896 wrote to memory of 3344  fontdrvhost.exe  147
PID 3344 wrote to memory of 984  cmd.exe  149
PID 3344 wrote to memory of 1400  cmd.exe  150
PID 3344 wrote to memory of 2772  cmd.exe  152
PID 2772 wrote to memory of 3528  fontdrvhost.exe  154
PID 3528 wrote to memory of 1336  cmd.exe  156
PID 3528 wrote to memory of 1396  cmd.exe  157
PID 3528 wrote to memory of 4128  cmd.exe  159
PID 4128 wrote to memory of 1300  fontdrvhost.exe  161
PID 1300 wrote to memory of 4980  cmd.exe  163
PID 1300 wrote to memory of 4188  cmd.exe  164
PID 1300 wrote to memory of 1700  cmd.exe  166
PID 1700 wrote to memory of 4808  fontdrvhost.exe  168
PID 4808 wrote to memory of 4976  cmd.exe  170
PID 4808 wrote to memory of 2580  cmd.exe  171
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe"C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cprimsm1\cprimsm1.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB640.tmp" "c:\Windows\System32\CSC61756816FCD84101A84172A66C4BAE5.TMP"3⤵PID:3348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l2grNi8PIv.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:3764
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1556
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4900 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IeLvrzYA0a.bat"4⤵
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\system32\chcp.comchcp 650015⤵PID:2208
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2428
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jic4eklKP7.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:4980
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:4092
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EHU1Lrqt50.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\system32\chcp.comchcp 650019⤵PID:3788
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1648
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B8RGJU8TMM.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\system32\chcp.comchcp 6500111⤵PID:984
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1400
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z03YznJ6kZ.bat"12⤵
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\system32\chcp.comchcp 6500113⤵PID:1336
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1396
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtA3LkY0CV.bat"14⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\system32\chcp.comchcp 6500115⤵PID:4980
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:4188
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bytHbUMnZy.bat"16⤵
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\system32\chcp.comchcp 6500117⤵PID:4976
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2580
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1052 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vcBeTfbqpz.bat"18⤵PID:1456
-
C:\Windows\system32\chcp.comchcp 6500119⤵PID:1852
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:3384
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1972 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tOMWzubzd4.bat"20⤵PID:4836
-
C:\Windows\system32\chcp.comchcp 6500121⤵PID:1400
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:4284
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtA3LkY0CV.bat"22⤵PID:4376
-
C:\Windows\system32\chcp.comchcp 6500123⤵PID:264
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:4616
-
-
C:\Users\Public\fontdrvhost.exe"C:\Users\Public\fontdrvhost.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4384 -
[depth 24] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5xIcrgADPl.bat"
  PID: 4000

[depth 25] C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 4128

[depth 25] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4980

[depth 25] C:\Users\Public\fontdrvhost.exe
  cmdline: "C:\Users\Public\fontdrvhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4840

[depth 26] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p1UdTmuiiU.bat"
  PID: 1764

[depth 27] C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 4176

[depth 27] C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3040

[depth 27] C:\Users\Public\fontdrvhost.exe
  cmdline: "C:\Users\Public\fontdrvhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4460
[depth 28] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Auc8oj9cAR.bat"
  PID: 220

[depth 29] C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 4496

[depth 29] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1488

[depth 29] C:\Users\Public\fontdrvhost.exe
  cmdline: "C:\Users\Public\fontdrvhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 1560

[depth 30] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5xIcrgADPl.bat"
  PID: 1056

[depth 31] C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 4580

[depth 31] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2236

[depth 31] C:\Users\Public\fontdrvhost.exe
  cmdline: "C:\Users\Public\fontdrvhost.exe"
  - Executes dropped EXE
  PID: 1456
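The same cycle repeats at every depth of the tree: cmd.exe runs a randomly named .bat from %TEMP%, the batch file switches the console to code page 65001, burns a few seconds with w32tm /stripchart against localhost (or ping -n 10 localhost in one iteration), and then starts a fresh copy of fontdrvhost.exe from C:\Users\Public, which drops the next batch file and starts over. The Python below is an added example, not part of the sandbox output, that reconstructs this relaunch loop from process-creation records. The records are constructed from the tree above: PIDs and command lines are the ones shown, parent PIDs follow the nesting, the two loop roots get parent 0 because their own parents fall outside this section, and one benign cmd.exe launch is included to show what does not match.

```python
"""Reconstruct the batch-file relaunch loop from process-creation records.

Added example, not part of the sandbox report.  EVENTS is constructed from
the process tree: (pid, ppid, image path, command line).
"""
import re
from collections import defaultdict

EVENTS = [
    (1052, 0,    r"C:\Users\Public\fontdrvhost.exe", r'"C:\Users\Public\fontdrvhost.exe"'),
    (1456, 1052, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vcBeTfbqpz.bat"'),
    (1852, 1456, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (3384, 1456, r"C:\Windows\system32\w32tm.exe",
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (1972, 1456, r"C:\Users\Public\fontdrvhost.exe", r'"C:\Users\Public\fontdrvhost.exe"'),
    (4840, 0,    r"C:\Users\Public\fontdrvhost.exe", r'"C:\Users\Public\fontdrvhost.exe"'),
    (1764, 4840, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p1UdTmuiiU.bat"'),
    (4176, 1764, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (3040, 1764, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (4460, 1764, r"C:\Users\Public\fontdrvhost.exe", r'"C:\Users\Public\fontdrvhost.exe"'),
    # constructed benign record: a script run from outside %TEMP%, no loop children
    (5000, 0,    r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Scripts\backup.bat"'),
]

# The two "sleep" primitives seen in this report; both only talk to localhost.
DELAY = [
    re.compile(r"\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost", re.I),
    re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1)", re.I),
]
CODEPAGE = re.compile(r"\bchcp\s+65001\b", re.I)
# cmd.exe /C "<drive>:\Users\<user>\AppData\Local\Temp\<name>.bat"
TEMP_BAT = re.compile(r'/c\s+"?([a-z]:\\users\\.*?\\appdata\\local\\temp\\[^"\\]+\.bat)"?', re.I)

# Names of real system binaries that the dropped copies borrow.
SYSTEM_NAMES = {"csrss.exe", "fontdrvhost.exe", "spoolsv.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_masquerade(image):
    """A system-binary name running from anywhere but System32/SysWOW64."""
    low = image.lower()
    return basename(low) in SYSTEM_NAMES and not low.startswith(TRUSTED_DIRS)


def find_relaunch_loops(events):
    """Return one hit per cmd.exe that ran a %TEMP% batch file whose children
    include a localhost delay and a relaunched masquerading binary."""
    children = defaultdict(list)
    by_pid = {}
    for ev in events:
        by_pid[ev[0]] = ev
        children[ev[1]].append(ev)

    hits = []
    for pid, ppid, image, cmd in events:
        if basename(image) != "cmd.exe":
            continue
        bat = TEMP_BAT.search(cmd)
        if not bat:
            continue
        kids = children[pid]
        delays = [k for k in kids if any(d.search(k[3]) for d in DELAY)]
        relaunch = [k for k in kids if is_masquerade(k[2])]
        if not (delays and relaunch):
            continue
        parent = by_pid.get(ppid)
        hits.append({
            "cmd_pid": pid,
            "bat": bat.group(1),
            "utf8_codepage": any(CODEPAGE.search(k[3]) for k in kids),
            "delay": delays[0][3],
            "relaunched": relaunch[0][2],
            # the relaunched image is the same binary that spawned cmd.exe
            "self_restart": bool(parent and basename(parent[2]) == basename(relaunch[0][2])),
        })
    return hits


if __name__ == "__main__":
    for hit in find_relaunch_loops(EVENTS):
        print(hit)
```

The w32tm and ping patterns only match the localhost forms, because that is what makes them a sleep rather than real time-sync or connectivity checks; a batch that pings an external host would need separate handling.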
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e45487935085" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 224

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3064

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e45487935085" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3360

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1920

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2472

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3564

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2464

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1956

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3308

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1604

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2612

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1448

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1700

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3296

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4440

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e45487935085" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3860

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4060

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e45487935085" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3256
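Each dropped binary is registered three times: a MINUTE trigger under a suffixed task name, an ONLOGON trigger under the bare name with /rl HIGHEST, and a second MINUTE trigger under the suffixed name, again with /rl HIGHEST. Every call passes /f, and schtasks /create /f replaces an existing task of the same name, so the later registrations win: fontdrvhost and fontdrvhostf end up pointing at C:\Recovery\WindowsRE\fontdrvhost.exe rather than C:\Users\Public\fontdrvhost.exe, and the two SHA256-named tasks end up pointing at the copy in %TEMP% rather than the one under Program Files (x86)\Google. The Python below is an added example, not part of the report; it parses the 18 command lines above, works out which tasks survive, flags the attributes worth alerting on, and emits the matching schtasks /delete commands. The regular expressions assume the quoting style seen here (double quotes around the /tn and /tr values, the action wrapped in a second layer of single quotes).

```python
"""Parse the schtasks /create lines from the report and summarise the
persistence they establish.  Added example, not part of the sandbox output."""
import re
from collections import OrderedDict

# SHA256-named sample binary, as in the report.
H = "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508"

# The 18 command lines from the process tree, in the order they ran.
OBSERVED = [
    rf'''schtasks.exe /create /tn "{H}5" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\{H}.exe'" /f''',
    rf'''schtasks.exe /create /tn "{H}" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\{H}.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "{H}5" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\{H}.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /f''',
    rf'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\fontdrvhost.exe'" /f''',
    rf'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe'" /f''',
    rf'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\spoolsv.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f''',
    rf'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "{H}5" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\{H}.exe'" /f''',
    rf'''schtasks.exe /create /tn "{H}" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\{H}.exe'" /rl HIGHEST /f''',
    rf'''schtasks.exe /create /tn "{H}5" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\{H}.exe'" /rl HIGHEST /f''',
]

_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)
_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
_RL = re.compile(r"/rl\s+(\S+)", re.I)


def parse_create(cmd):
    """Return a dict for a 'schtasks /create' line, or None for anything else."""
    if not _CREATE.search(cmd):
        return None
    tn, sc, tr = _TN.search(cmd), _SC.search(cmd), _TR.search(cmd)
    if not (tn and sc and tr):
        return None
    mo, rl = _MO.search(cmd), _RL.search(cmd)
    return {
        "name": tn.group(1),
        "schedule": sc.group(1).upper(),
        "every": int(mo.group(1)) if mo else None,      # minutes, MINUTE schedule only
        "target": tr.group(1).strip("'"),               # drop the inner single quotes
        "highest": bool(rl and rl.group(1).upper() == "HIGHEST"),
        "force": "/f" in cmd.lower().split(),
    }


def findings(task):
    """Attributes of one task that an analyst would want surfaced."""
    out = []
    if task["schedule"] == "MINUTE" and task["every"] is not None and task["every"] <= 15:
        out.append(f"re-runs every {task['every']} min")
    if task["schedule"] == "ONLOGON":
        out.append("logon trigger")
    if task["highest"]:
        out.append("runs with /rl HIGHEST")
    return out


def final_state(cmds):
    """Replay the /create calls.  With /f a later call replaces an earlier
    task of the same name, so the last registration per name wins.  Returns
    (surviving tasks by name, list of (name, old target, new target))."""
    state, overwrites = OrderedDict(), []
    for c in cmds:
        t = parse_create(c)
        if t is None:
            continue
        prev = state.get(t["name"])
        if prev and prev["target"].lower() != t["target"].lower():
            overwrites.append((t["name"], prev["target"], t["target"]))
        state[t["name"]] = t
    return state, overwrites


def cleanup_commands(state):
    """One schtasks /delete per surviving task name."""
    return [f'schtasks /delete /tn "{name}" /f' for name in state]


if __name__ == "__main__":
    state, overwrites = final_state(OBSERVED)
    for name, task in state.items():
        print(f"{name}: {task['target']} ({task['schedule']}) {findings(task)}")
    for name, old, new in overwrites:
        print(f"overwritten: {name}: {old} -> {new}")
    print("\n".join(cleanup_commands(state)))
```

Deleting the eight surviving tasks is only part of the cleanup: the dropped binaries at the six /tr targets and the Winlogon Shell value still relaunch the sample, so the task list should be re-checked after those are removed.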
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Downloads
Filesize: 1.8MB
MD5: ad09440875d20aadffdfdc8de043c448
SHA1: fbfc7d94285b1da7e0799382a40352f827984771
SHA256: 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508
SHA512: e8d80aa2ec81b8b06b2a83e18674e19137b996f405dc4e6c93a3fcf76de0e949cbc333396a22141963043fd55ff9a8711eabd0963b933df58e4438f42706e8a3

Filesize: 207B
MD5: 53e6668019a29cc225a576c0ab108825
SHA1: 145490764094b103b902e7555ffafedb471321ef
SHA256: da52c080610f7a5c5a5b0fb76f9494a6f938e8ff709d3d652a5c755f2d56fff7
SHA512: 149de41c1c8e171f9b50d61cfe20bc692a514f419a69d7634da2838c95da222ba539c455f9a5091165acce29aab4c3997be69af24e97037b476950fb32eab973

Filesize: 207B
MD5: 620fbe37f2f5addbdb019548a7b2123f
SHA1: 4033073d70f89a6c36eaf7410b66052f484f883f
SHA256: 9ec469589868e9be2d8c36597b235533a825f63f9877c317857efcb952a142aa
SHA512: 4c4224b920b9181954692cb89a293ddb0ddb9c04534303953d44c54d560eb5f6a7ec115b5495488d2fca1bf1aca31b38a2ed9a6653ed817977ef2c66ed994767

Filesize: 207B
MD5: ac04835436f835d0805fe39ee9a3a414
SHA1: d0252e50e3301529aa6c2fb7e8913b8f5e3b9a2e
SHA256: 9b9877fed68f40db6f33fd946ebb346d9acd224289b1ffdd794d6c95d08aa292
SHA512: ad14b5f1054a16164fd01aa4658409cd990eab59422340019353665e3815c090b13803f561baa06a6ff68bdd0adb7719ce54a7ee15ddb06c29c1d5476a2c6f6f

Filesize: 159B
MD5: 28e6a5de8c2d6bb9d3154ee5e1839b08
SHA1: c815f03820d599ac19041fb5b21e0890c75b90e9
SHA256: 4b3809f9e00324a3e6140418ef754d191a2003473822fe76b4cf83230ffca51f
SHA512: ba82a8b8aed9bbe9cc610483248a737a245870fb3990eda8bf7bc208e87d17aa630d2eb5fba8c72ea2fab4d54c32c86b8c55e10b975808aca85ea63f2adcdd27

Filesize: 207B
MD5: cda17addae6f62fb2cf4695c75e3afb4
SHA1: 4dacad50ef498d6644343c005e5677e43eb7ab70
SHA256: 1c64e35568e5b962f3ad8d6861f512450c6a096b2c8670679d0b84faaf344fa1
SHA512: 868aecf58c647ef5047269350eac71bc7c53373b8169e6b126757ec6a6eadf38bd7f4dfab4a8f8694357d326d01ccd93d1c4869f76bf6b21a025575905adc8c0

Filesize: 1KB
MD5: 7d2043acd8948b3dca94e45aa1ee3458
SHA1: 019c7ae128383cc2a8ffcc69c655bcdbaf487649
SHA256: a066d1f405b1e6468227f073a5eb9ef2c0b84bc7dca8151e6d4856d5677c9105
SHA512: 44967b6214c9802387958078c884af180c9bed40e98503d70ab7cab35471a29c83ba054e9b40d5d33b3e06abca74aa5dcadc0eacb4e9a2a70feeb77d23a651d9

Filesize: 207B
MD5: 8fafcd9f2138526386d61f71e5412c29
SHA1: 06450bae84df1d351b1957887a31df54982b999d
SHA256: 364a2b98c10d75470fdcd3a6b87c6b82f305f68ced1b490a677e899c09169bf7
SHA512: 328463fb7574d8640611c751dd1dc4fd75f610c71aa7b4782b7c8d4318d6ce2319b8b59aaed887306c2536cd02adbcb9cbc2cbb9211aa6aec442ae25bbe398c0

Filesize: 207B
MD5: 7e16cb4e9a45f52c1ea9681a1fb7fe0f
SHA1: a8312c33b876de2662fc8687f94a20c16581edf8
SHA256: 40a138ef067affff8295bfe9229f17add090a81758f26b0ad227977de31a94ba
SHA512: 9ee24aeabdd4ffeca3d74f487446850916ec9568b822dadf42ee188e4c77b04a88a7d9328b07b2d8778e0038131f1ce8640fe06bee3ba050970342d8740f9cb9

Filesize: 159B
MD5: e18e8c704ab5a0a27b85b0a9dc789fb0
SHA1: c4af7f7e1322bbf736a485d4146a92f91d56a789
SHA256: 905cf715a2a67ea82ebdeed4994f4d68b50ba2a6509507d6f81e286fb7baf7a3
SHA512: 54e25798733178b6ce6d811b86388cffd2cabe0dc6c92c1e8dbe337e0b801fd48316e71e91ce9ca12d4f9d94e59e1cf41dade6b70a32a7e174ee194a8dbe5891

Filesize: 159B
MD5: b2db25f152e5c67e3f595a6571ebd0d0
SHA1: 4cdd1fc97e50ab2eb22b8556226b4980f50c2165
SHA256: 4d8a2a399e47f98646e6486d18d7d65682a327f83b2d9b92b60985440d8c1121
SHA512: 268a23636eeb955819fe46715da99b3add44be20843b2ab2cc55d1ec7ea05246e8cf8924bc3fd4a6355f4a4ce643d2dbb52ea785ebc8c0724cc7b873511da590

Filesize: 207B
MD5: fd7acc0ef0452c673b0c39324d356c60
SHA1: 2cd6f9a3b9444427d4f5bb71d2475b6232afbf0d
SHA256: 59c412131946b35d0fee24e81dd6741ccf977588446e5788ebdd43aa67a93535
SHA512: bbcfb632de73f6df374680e3e70d2ec89c5041c04067a6a149cd44813b0dde79772557a395cdba0e851bcb744500356e332f3fe1693291ea8ed2025d2fe20dd3

Filesize: 207B
MD5: 0ee27588063920bc3d1031ca1bf6d610
SHA1: 2b2a6cd0762a82ea0451264c217022d4429aa1af
SHA256: c212e2576d2a7bcaa4b7fadebd1b22ab496c129f21cdf9a2246106a09ded276c
SHA512: 6b0380953bbb69575322f028194779cbcbd0654d00e1d627c12c8fffd427cefd380182922cb00c09ba7bf035d8799ee0eb8926e3c755739eda96b25a48d53fe1

Filesize: 159B
MD5: e58b4435bea0f698110208432ff52885
SHA1: 8691bed30534cabb17b5a9a4b183b1b06ff00a25
SHA256: 3c380615a4631d4e47912da363a6bb826bcdd00892cf55cf260571a2f1cb2018
SHA512: 457734da4560085835e000f34e7296d8a007f3dbb1212359ad68d59d6a70d0507bd1db0622f93047e55f23a4650f49549ace71699c29b998347fc78a011534da

Filesize: 430B
MD5: 286f58cd75fb730c241a1bb34d4ebe7e
SHA1: 681f46c15bd3300f58fba7fed2614e8f81c1eeb0
SHA256: f5750bbddb3fe710c1b0ef82c0132fe0a94f75e7c5b7551ddf536d89864c99c3
SHA512: a0a3c35e8bf83b53eae915baf7bac7d3386475b06f3517a90f8c2d7548b8019d49f7c1a88fa620c476eb159b865408a67e4eae7ee5c449db6e769e69b44e8256

Filesize: 235B
MD5: 331f8324fdf5e1bd2e6638a35be66def
SHA1: 44fdae581b2c4295fcf0de6f9059458b4d6b44e5
SHA256: e7571bea1c5de83289f8522eb608735bbfb16686c6e83dcb3eda11e85c4e3556
SHA512: 0031b9474b53d8a31313f17be7ce6bd0c607ab1dfb8a17f4e1a3a7722938284c9296ef3cbdd0004c79d23be569c16d644a5f06eda85ffae808327ae51e43157d

Filesize: 1KB
MD5: 7bbfaf1199741b237d2493615c95c6d7
SHA1: 86d466217c4dc1e0808f83ceda8f4b4df948b5dc
SHA256: e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476
SHA512: 2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c