Overview

overview

10

Static

static

10

terminal.exe

windows7-x64

10

terminal.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    terminal.exe

  • Size

    2.9MB

  • MD5

    200451026a7f2be02adb274026dc827a

  • SHA1

    655f5cff899d319975dfd43b1902e6318a0944f6

  • SHA256

    88953240e260b3ca53b4563afa657ee6d414b887a972e8862b12ca46e0a5853d

  • SHA512

    1054e3b258fab5f496cea9e156b0b17b9e5b1f4f5b049a4308df1b200d89534c88ec1ff11e6612a2b0961842984fe31d7d38b8077c14fd9bb388a03e7d0c3ac8

  • SSDEEP

    49152:1bA3PlN3nP+YscRfII1f8CReMT1Um7GWw/N0TOu09gqpBuuDqtmAP:1buN3nrsc5fdRfTr7GWw/ayl9RIuDqtZ

Score
10/10
dcratdiscoveryevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\terminal.exe
    "C:\Users\Admin\AppData\Local\Temp\terminal.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containercomponentfontruntime\qhSOQkLJ6CCd.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\containercomponentfontruntime\XmZE9.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4216
        • C:\containercomponentfontruntime\portdrivernet.exe
          "C:\containercomponentfontruntime\portdrivernet.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2352
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ud8YNmwlgx.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4064
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4544
              • C:\containercomponentfontruntime\lsass.exe
                "C:\containercomponentfontruntime\lsass.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Libraries\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4420
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\containercomponentfontruntime\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\containercomponentfontruntime\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\containercomponentfontruntime\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4304
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1428
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Oracle\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "portdrivernetp" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\ja-JP\portdrivernet.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "portdrivernet" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\portdrivernet.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "portdrivernetp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\ja-JP\portdrivernet.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ud8YNmwlgx.bat
      Filesize

      207B

      MD5

      a96ab7e6077e597f521eb100beaf3b04

      SHA1

      020e3fc5a015a1f02dcd7e69eb46850a035a22d1

      SHA256

      9a4077208a8669cc1787cb54cd42d99639434a879f4ab858cd87153c70d3edcd

      SHA512

      d0c47cd0e5a9eb5262d50f1d467e55948ff7cfa4cf7f1a6a9868a294f31c423281aef190f044b5ee8f910399ee77ea1217072ef755bf86360533e139948dfaf5

      Download Submit

    • C:\containercomponentfontruntime\XmZE9.bat
      Filesize

      52B

      MD5

      7f19dde92420e1112fb9ef25b0c56e38

      SHA1

      9da19ead2fccc172a39171f026eed2623229d2b7

      SHA256

      697ad5724417463eb1e37c6e173bc24ca4416b3c064036b06b5c05bc6c33742a

      SHA512

      6a184f7e5fb90e302fbdc92eff043b84cab803e741abea94a7a06e1c3f502babd60b95e75b705ae8cd27430dc0bf3873d4ff9b719ea28648f50e080ebef79268

      Download Submit

    • C:\containercomponentfontruntime\portdrivernet.exe
      Filesize

      2.7MB

      MD5

      718e0805d80d7e040a20b5aeda4f877d

      SHA1

      c83f6d2c1ec158e20af2bf54f4d7aeb465cbe58e

      SHA256

      cb1189a7b059346d31cca7596357609eb52e9e518ef59a7659a0e061602f7c0b

      SHA512

      d3854ad4a29732f802a5087c320ca8b85cf46a818f5d283ab612254e9b495e4019c58cc1c8fe7d9f369e070a025d367d6226cf92343b1cafdc8f4aab9fb38cc9

      Download Submit

    • C:\containercomponentfontruntime\qhSOQkLJ6CCd.vbe
      Filesize

      211B

      MD5

      8ac77355599fe3bfb19415a591c62148

      SHA1

      ca5b38c7525b454144d6dfb681a7d5b7c8afd807

      SHA256

      993cc8867a308e64cb94b89206c6632cc1e160a5de372e29686b86a7eb9b318b

      SHA512

      38c7bce3490a171bda26f482e1ef50cdd5cbe8f59f9ce5bafbc452fb8f3b878b9e72a3358489765e8b30ca19e8dba9cb9ffed92f24267a7ba0aab5311416b2b6

      Download Submit

    • memory/592-81-0x000000001CCF0000-0x000000001CD02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/592-80-0x000000001CBA0000-0x000000001CBF6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2352-19-0x0000000001330000-0x0000000001346000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2352-27-0x000000001B800000-0x000000001B808000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2352-18-0x0000000001320000-0x0000000001330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2352-17-0x0000000001140000-0x0000000001148000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2352-20-0x0000000001350000-0x0000000001358000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2352-21-0x0000000002C80000-0x0000000002C8A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2352-15-0x0000000001160000-0x000000000117C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2352-22-0x000000001B680000-0x000000001B6D6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2352-23-0x0000000001360000-0x0000000001368000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2352-24-0x0000000001370000-0x0000000001382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2352-26-0x0000000002C90000-0x0000000002C98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2352-16-0x0000000002C30000-0x0000000002C80000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2352-28-0x000000001B810000-0x000000001B81C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2352-30-0x000000001B830000-0x000000001B83C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2352-29-0x000000001B820000-0x000000001B82E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2352-32-0x000000001BD60000-0x000000001BD6C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2352-31-0x000000001BD50000-0x000000001BD5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2352-25-0x000000001C280000-0x000000001C7A8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2352-14-0x0000000001130000-0x000000000113E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2352-13-0x00000000006C0000-0x0000000000974000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/2352-12-0x00007FFDD23B3000-0x00007FFDD23B5000-memory.dmp

      Filesize

      8KB

      Download