Analysis
-
max time kernel
43s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
04-06-2023 22:28
Behavioral task
behavioral1
Sample
Fortnite.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Fortnite.exe
Resource
win10v2004-20230220-en
General
-
Target
Fortnite.exe
-
Size
1.1MB
-
MD5
f795b0bb519a53aa55f3a1f8b421708d
-
SHA1
18b0c53280f120d18e224ef389e21a09902da4f4
-
SHA256
0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492
-
SHA512
d3a1908461508c6bf322e1aa809b6b04ed27e0722957fcdf5d4f828060f4d4ba76d415ba56b8dad1d9d07129603590fc75699d98014fd79f3bfb8ea051e70180
-
SSDEEP
24576:U2G/nvxW3Ww0tEiau4VjR/qCUzDG6bNUa1BMJWl:UbA30klYS6b26
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2040 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1732 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1692 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1424 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1308 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1184 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1452 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 440 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1640 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1860 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1544 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1220 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1396 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1576 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1596 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1252 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 980 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1384 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1660 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 824 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 108 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 844 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1456 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1424 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1116 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1160 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1304 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 840 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1100 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1824 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 564 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1400 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1104 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1632 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 560 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1220 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 936 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1184 1472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1056 1472 schtasks.exe -
Processes:
resource yara_rule C:\Windows\syscom32.exe dcrat C:\Windows\syscom32.exe dcrat behavioral1/memory/592-65-0x0000000000EF0000-0x0000000000FC6000-memory.dmp dcrat C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe dcrat C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe dcrat behavioral1/memory/1744-109-0x0000000000C00000-0x0000000000CD6000-memory.dmp dcrat C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe dcrat -
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes:
syscom32.exewinlogon.exepid process 592 syscom32.exe 1744 winlogon.exe -
Drops file in Program Files directory 12 IoCs
Processes:
syscom32.exedescription ioc process File created C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe syscom32.exe File created C:\Program Files (x86)\Microsoft Sync Framework\56085415360792 syscom32.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe syscom32.exe File created C:\Program Files\Windows Portable Devices\sppsvc.exe syscom32.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe syscom32.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe syscom32.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\smss.exe syscom32.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\6ccacd8608530f syscom32.exe File created C:\Program Files\Windows Portable Devices\0a1fd5f707cd16 syscom32.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\cc11b995f2a76d syscom32.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\ebf1f9fa8afd6d syscom32.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\69ddcba757bf72 syscom32.exe -
Drops file in Windows directory 13 IoCs
Processes:
syscom32.exeFortnite.exedescription ioc process File created C:\Windows\Boot\Fonts\lsass.exe syscom32.exe File created C:\Windows\Web\Wallpaper\Scenes\explorer.exe syscom32.exe File created C:\Windows\kkLuA.bat Fortnite.exe File created C:\Windows\es-ES\6ccacd8608530f syscom32.exe File created C:\Windows\syscom32.exe Fortnite.exe File opened for modification C:\Windows\syscom32.exe Fortnite.exe File created C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe Fortnite.exe File opened for modification C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe Fortnite.exe File created C:\Windows\rescache\rc0002\Idle.exe syscom32.exe File created C:\Windows\es-ES\Idle.exe syscom32.exe File created C:\Windows\__tmp_rar_sfx_access_check_7083334 Fortnite.exe File opened for modification C:\Windows\kkLuA.bat Fortnite.exe File created C:\Windows\Web\Wallpaper\Scenes\7a0fd90576e088 syscom32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2040 schtasks.exe 980 schtasks.exe 108 schtasks.exe 2008 schtasks.exe 560 schtasks.exe 440 schtasks.exe 1220 schtasks.exe 1732 schtasks.exe 1544 schtasks.exe 1596 schtasks.exe 844 schtasks.exe 1116 schtasks.exe 1640 schtasks.exe 1400 schtasks.exe 1736 schtasks.exe 1184 schtasks.exe 1576 schtasks.exe 1456 schtasks.exe 1984 schtasks.exe 1956 schtasks.exe 1768 schtasks.exe 1912 schtasks.exe 1840 schtasks.exe 1824 schtasks.exe 1308 schtasks.exe 1744 schtasks.exe 1452 schtasks.exe 1384 schtasks.exe 1976 schtasks.exe 1104 schtasks.exe 840 schtasks.exe 1648 schtasks.exe 1852 schtasks.exe 832 schtasks.exe 936 schtasks.exe 1184 schtasks.exe 1860 schtasks.exe 564 schtasks.exe 1160 schtasks.exe 1424 schtasks.exe 1252 schtasks.exe 1304 schtasks.exe 1424 schtasks.exe 1056 schtasks.exe 824 schtasks.exe 1600 schtasks.exe 1660 schtasks.exe 1584 schtasks.exe 1736 schtasks.exe 1100 schtasks.exe 1632 schtasks.exe 1220 schtasks.exe 1692 schtasks.exe 1396 schtasks.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
syscom32.exewinlogon.exepid process 592 syscom32.exe 592 syscom32.exe 592 syscom32.exe 592 syscom32.exe 592 syscom32.exe 592 syscom32.exe 592 syscom32.exe 592 syscom32.exe 592 syscom32.exe 1744 winlogon.exe 1744 winlogon.exe 1744 winlogon.exe 1744 winlogon.exe 1744 winlogon.exe 1744 winlogon.exe 1744 winlogon.exe 1744 winlogon.exe 1744 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
syscom32.exewinlogon.exedescription pid process Token: SeDebugPrivilege 592 syscom32.exe Token: SeDebugPrivilege 1744 winlogon.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
Fortnite.exeWScript.execmd.exesyscom32.exedescription pid process target process PID 1400 wrote to memory of 304 1400 Fortnite.exe WScript.exe PID 1400 wrote to memory of 304 1400 Fortnite.exe WScript.exe PID 1400 wrote to memory of 304 1400 Fortnite.exe WScript.exe PID 1400 wrote to memory of 304 1400 Fortnite.exe WScript.exe PID 304 wrote to memory of 1760 304 WScript.exe cmd.exe PID 304 wrote to memory of 1760 304 WScript.exe cmd.exe PID 304 wrote to memory of 1760 304 WScript.exe cmd.exe PID 304 wrote to memory of 1760 304 WScript.exe cmd.exe PID 1760 wrote to memory of 592 1760 cmd.exe syscom32.exe PID 1760 wrote to memory of 592 1760 cmd.exe syscom32.exe PID 1760 wrote to memory of 592 1760 cmd.exe syscom32.exe PID 1760 wrote to memory of 592 1760 cmd.exe syscom32.exe PID 592 wrote to memory of 1744 592 syscom32.exe winlogon.exe PID 592 wrote to memory of 1744 592 syscom32.exe winlogon.exe PID 592 wrote to memory of 1744 592 syscom32.exe winlogon.exe PID 1760 wrote to memory of 2072 1760 cmd.exe reg.exe PID 1760 wrote to memory of 2072 1760 cmd.exe reg.exe PID 1760 wrote to memory of 2072 1760 cmd.exe reg.exe PID 1760 wrote to memory of 2072 1760 cmd.exe reg.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\kkLuA.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\syscom32.exe"C:\Windows\syscom32.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "syscom32s" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\syscom32.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "syscom32" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\syscom32.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "syscom32s" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\syscom32.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Scenes\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Scenes\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exeFilesize
829KB
MD5a0ae20389c09fb809b4d4a842cb890d4
SHA1f30474f81d60a8c27a722dc822c15639eec30f28
SHA256dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7
SHA5122af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exeFilesize
829KB
MD5a0ae20389c09fb809b4d4a842cb890d4
SHA1f30474f81d60a8c27a722dc822c15639eec30f28
SHA256dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7
SHA5122af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exeFilesize
829KB
MD5a0ae20389c09fb809b4d4a842cb890d4
SHA1f30474f81d60a8c27a722dc822c15639eec30f28
SHA256dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7
SHA5122af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce
-
C:\Windows\kkLuA.batFilesize
137B
MD5eddbf02b8f63229a6f4670d77d49f965
SHA184dc5aa13c3a7144742df74e28da6a7ad9177a69
SHA25612646d50947198b1c27be43e89905ce71902c186c21f1abbe0dc16919d4ce7ae
SHA512be87f2ec9e7371a7999b8c552af765374d8c5c186df18dea61caa5ca57b1ac9e95b194a31d459e090a5cb32c7908af3e90cb4b2576ccfc191a6043879436681d
-
C:\Windows\syscom32.exeFilesize
829KB
MD5a0ae20389c09fb809b4d4a842cb890d4
SHA1f30474f81d60a8c27a722dc822c15639eec30f28
SHA256dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7
SHA5122af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce
-
C:\Windows\syscom32.exeFilesize
829KB
MD5a0ae20389c09fb809b4d4a842cb890d4
SHA1f30474f81d60a8c27a722dc822c15639eec30f28
SHA256dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7
SHA5122af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce
-
C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbeFilesize
189B
MD5c7c7ffa475aef8dff75df4c55df974af
SHA1ef0427f4f4091c69d488443079477b1d4416e9b2
SHA25619a4bf5506db87cf645f4a6e9af79b85e0d04ac4e7bc948585510dfe99d5ef16
SHA51272fa6c18a83eb5edb303a85de4fb5f759a570aa5281525da6021cc1f0613257fbb5305f7a1bf6f6e3337d9ef707776a372b938f6ae6be777b7e6fe18a9dcba66
-
memory/592-65-0x0000000000EF0000-0x0000000000FC6000-memory.dmpFilesize
856KB
-
memory/592-72-0x000000001AF50000-0x000000001AFD0000-memory.dmpFilesize
512KB
-
memory/1744-109-0x0000000000C00000-0x0000000000CD6000-memory.dmpFilesize
856KB
-
memory/1744-110-0x000000001ADC0000-0x000000001AE40000-memory.dmpFilesize
512KB
-
memory/1744-111-0x000000001ADC0000-0x000000001AE40000-memory.dmpFilesize
512KB