Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/01/2025, 05:25
Static task: static1
Behavioral task: behavioral1
- Sample: be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4.exe
- Resource: win10v2004-20241007-en
General
- Target: be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4.exe
- Size: 2.7MB
- MD5: d07543cb1bc6f660adcb7107ab33f270
- SHA1: 8421ed19516a2152e4a53d694179107f3ef585c0
- SHA256: be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4
- SHA512: 03b6e377af1022d298aeac70c779b621cb5c0e636874e7739fa7ad30b1d64a08a16429719f89dcd0122f8b7309b20708672f8da32577e0265c3c8b34bae2add0
- SSDEEP: 49152:GB7nRsoz7nIZgHltNj/VImvhIudDXtNHUxQ:Y7nq27nIENjqihIerHUxQ
Malware Config
Signatures
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\System.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\System.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Public\\Downloads\\conhost.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\System.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Public\\Downloads\\conhost.exe\", \"C:\\surrogatesession\\fontdrvhost.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\System.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Public\\Downloads\\conhost.exe\", \"C:\\surrogatesession\\fontdrvhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\dllhost.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\System.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Public\\Downloads\\conhost.exe\", \"C:\\surrogatesession\\fontdrvhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\dllhost.exe\", \"C:\\surrogatesession\\BlockPortdriverCommon.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\AccountPictures\\System.exe\"" | BlockPortdriverCommon.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
All 18 entries share the same description, target and process: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | pid_target 4108 | schtasks.exe | procid_target 86
The pid column of the 18 entries, in report order: 1976, 2448, 3868, 548, 2216, 3672, 2872, 4420, 1516, 3620, 4328, 4808, 2664, 1816, 3436, 1644, 2228, 4584
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | WScript.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | BlockPortdriverCommon.exe
Executes dropped EXE (2 IoCs)
pid | Process
- 3132 | BlockPortdriverCommon.exe
- 2300 | fontdrvhost.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Public\\Downloads\\conhost.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\surrogatesession\\fontdrvhost.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\dllhost.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockPortdriverCommon = "\"C:\\surrogatesession\\BlockPortdriverCommon.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\AccountPictures\\System.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\AccountPictures\\System.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Public\\Downloads\\conhost.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\surrogatesession\\fontdrvhost.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\dllhost.exe\"" | BlockPortdriverCommon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockPortdriverCommon = "\"C:\\surrogatesession\\BlockPortdriverCommon.exe\"" | BlockPortdriverCommon.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File created | \??\c:\Windows\System32\8zj1cq.exe | csc.exe
- File created | \??\c:\Windows\System32\CSCAD5BD8D3EE547599C5EDAA86CDEC7E.TMP | csc.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
- File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe | BlockPortdriverCommon.exe
- File created | C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991 | BlockPortdriverCommon.exe
- File created | C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe | BlockPortdriverCommon.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Modifies registry class (2 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4.exe
- Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | BlockPortdriverCommon.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
All 18 entries are schtasks.exe; pids in report order: 2664, 1816, 1516, 3620, 4808, 1644, 1976, 2448, 3868, 4420, 548, 2228, 4584, 3436, 2216, 3672, 2872, 4328
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 3132 | BlockPortdriverCommon.exe (the same entry is repeated 64 times in the report)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 3132 | BlockPortdriverCommon.exe
- Token: SeDebugPrivilege | 2300 | fontdrvhost.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
- PID 4856 wrote to memory of 2924 | 4856 | be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4.exe | 82 (3 entries)
- PID 2924 wrote to memory of 4588 | 2924 | WScript.exe | 83 (3 entries)
- PID 4588 wrote to memory of 3132 | 4588 | cmd.exe | 85 (2 entries)
- PID 3132 wrote to memory of 2260 | 3132 | BlockPortdriverCommon.exe | 90 (2 entries)
- PID 2260 wrote to memory of 4964 | 2260 | csc.exe | 92 (2 entries)
- PID 3132 wrote to memory of 4440 | 3132 | BlockPortdriverCommon.exe | 108 (2 entries)
- PID 4440 wrote to memory of 4600 | 4440 | cmd.exe | 110 (2 entries)
- PID 4440 wrote to memory of 1424 | 4440 | cmd.exe | 111 (2 entries)
- PID 4440 wrote to memory of 2300 | 4440 | cmd.exe | 112 (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree; each entry gives the image path, the command line as recorded, the PID, and the signatures triggered by that process. Indentation shows the parent/child relationship.)

- C:\Users\Admin\AppData\Local\Temp\be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4.exe (PID 4856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2924)
    Command line: "C:\Windows\System32\WScript.exe" "C:\surrogatesession\9Jg3KVOjcV42zUZPCuIVZgehfMBu6YbdOPQ48qfJn162TYBQ.vbe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4588)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\surrogatesession\SnwsOZ2aiJutXMyXmD.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\surrogatesession\BlockPortdriverCommon.exe (PID 3132)
        Command line: "C:\surrogatesession/BlockPortdriverCommon.exe"
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2260)
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lfpkzqzo\lfpkzqzo.cmdline"
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4964)
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB556.tmp" "c:\Windows\System32\CSCAD5BD8D3EE547599C5EDAA86CDEC7E.TMP"
        - C:\Windows\System32\cmd.exe (PID 4440)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\301yS01mbE.bat"
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\chcp.com (PID 4600)
            Command line: chcp 65001
          - C:\Windows\system32\w32tm.exe (PID 1424)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          - C:\surrogatesession\fontdrvhost.exe (PID 2300)
            Command line: "C:\surrogatesession\fontdrvhost.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

The following 18 schtasks.exe processes appear at the top level of the tree (their recorded parent is wmiprvse.exe, see "Process spawned unexpected child process"). Each triggers "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".
- C:\Windows\system32\schtasks.exe (PID 1976)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\System.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2448)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 3868)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 548)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2216)
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 3672)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2872)
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\conhost.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 4420)
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1516)
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 3620)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\surrogatesession\fontdrvhost.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 4328)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\surrogatesession\fontdrvhost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 4808)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\surrogatesession\fontdrvhost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2664)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 1816)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 3436)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1644)
  Command line: schtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 13 /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2228)
  Command line: schtasks.exe /create /tn "BlockPortdriverCommon" /sc ONLOGON /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 4584)
  Command line: schtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 14 /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
(The number after each entry is the count the report attaches to it.)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads