Analysis
- max time kernel: 131s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2023, 17:12
Behavioral task behavioral1: Sample Yar.exe, Resource win7-20231023-en
Behavioral task behavioral2: Sample Yar.exe, Resource win10v2004-20231127-en
General
- Target: Yar.exe
- Size: 1.1MB
- MD5: ff3751454ca1658a428b889e398d188f
- SHA1: 104448a398139e9972431cbf78a584cc9119c304
- SHA256: e7786686b2b48fd0e29d9c18ffeebb816a75f4e5704170fb9858f7bb9e6d3ff1
- SHA512: 0aed38bf2ccada7c32f49fe215de0e92c38f0139ffe6dbff55cc7b5c8efb478a9310674ba9bbcf575e16798f948573cb2c51ed1caab9fd11d387c6cfdc785826
- SSDEEP: 12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbvDUUKAIBaZd3xgruwn2oKPOileholldz8mU:U2G/nvxW3Ww0t7xKAIBaCryOike7dzdU
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is WmiPrvSE.exe, the WMI provider host, which is also the parent that appears when a process is created through WMI (Win32_Process.Create) rather than through an exploit; all 42 children are schtasks.exe instances creating the persistence tasks listed under Processes below.
Columns: description | pid | pid_target | Process | procid_target
Every row has description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2664, Process schtasks.exe and procid_target 32. The pid column (the schtasks.exe instance), in report order:
2516, 2572, 3012, 3024, 1960, 472, 1052, 2836, 276, 1104, 2880, 2900, 2908, 1736, 1628, 1688, 1976, 536, 1648, 2808, 1712, 1416, 612, 1412, 1812, 1808, 1644, 2876, 2264, 2300, 2180, 1156, 2052, 2396, 2148, 1924, 1068, 2184, 892, 1084, 1836, 888
resource | yara_rule
behavioral1/files/0x0031000000015ea7-9.dat | dcrat
behavioral1/files/0x0031000000015ea7-11.dat | dcrat
behavioral1/files/0x0031000000015ea7-12.dat | dcrat
behavioral1/files/0x0031000000015ea7-10.dat | dcrat
behavioral1/memory/2376-13-0x0000000000BC0000-0x0000000000C96000-memory.dmp | dcrat
behavioral1/files/0x0009000000016cd8-20.dat | dcrat
behavioral1/files/0x0007000000016adb-50.dat | dcrat
behavioral1/files/0x0007000000016adb-51.dat | dcrat
behavioral1/memory/2272-52-0x0000000000FE0000-0x00000000010B6000-memory.dmp | dcrat
behavioral1/memory/2272-54-0x000000001B1E0000-0x000000001B260000-memory.dmp | dcrat
Executes dropped EXE 2 IoCs
pid | Process
2376 | portsurrogatemonitor.exe
2272 | taskhost.exe
Loads dropped DLL 2 IoCs
pid | Process
2604 | cmd.exe
2604 | cmd.exe
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cc11b995f2a76d | portsurrogatemonitor.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\cmd.exe | portsurrogatemonitor.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\ebf1f9fa8afd6d | portsurrogatemonitor.exe
File created | C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe | portsurrogatemonitor.exe
File created | C:\Program Files\Java\jre7\bin\plugin2\42af1c969fbb7b | portsurrogatemonitor.exe
File created | C:\Program Files\Windows Media Player\es-ES\explorer.exe | portsurrogatemonitor.exe
File created | C:\Program Files\Windows Media Player\es-ES\7a0fd90576e088 | portsurrogatemonitor.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe | portsurrogatemonitor.exe
(Each dropped EXE is accompanied by a small extensionless file in the same directory.)
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Help\mui\0411\dwm.exe | portsurrogatemonitor.exe
File created | C:\Windows\Help\mui\0411\6cb0b6c459d5d3 | portsurrogatemonitor.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid (Process is schtasks.exe in every row): 1808, 1924, 1104, 1688, 1412, 1812, 472, 1736, 1712, 612, 2300, 1960, 276, 1976, 1416, 2396, 2836, 536, 2808, 2184, 1836, 2516, 2572, 1052, 2264, 1156, 2908, 1648, 1644, 2876, 2052, 3012, 3024, 2900, 1084, 888, 2148, 1068, 892, 2880, 1628, 2180
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process | occurrences
2376 | portsurrogatemonitor.exe | 7
2272 | taskhost.exe | 9
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2272 | taskhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2376 | portsurrogatemonitor.exe
Token: SeDebugPrivilege | 2272 | taskhost.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target | occurrences
PID 1820 wrote to memory of 2172 | 1820 | Yar.exe | 28 | 4
PID 2172 wrote to memory of 2604 | 2172 | WScript.exe | 29 | 4
PID 2604 wrote to memory of 2376 | 2604 | cmd.exe | 31 | 4
PID 2376 wrote to memory of 1740 | 2376 | portsurrogatemonitor.exe | 75 | 3
PID 1740 wrote to memory of 2020 | 1740 | cmd.exe | 77 | 3
PID 1740 wrote to memory of 2272 | 1740 | cmd.exe | 78 | 3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Process tree (tree depth in brackets; image path, then the command line as recorded). The image paths show WoW64 file-system redirection at work: Yar.exe launches "C:\Windows\System32\WScript.exe", but the 32-bit copy in C:\Windows\SysWOW64 is what runs, so Yar.exe is a 32-bit process; the second-stage cmd.exe started by portsurrogatemonitor.exe runs from System32.

[1] C:\Users\Admin\AppData\Local\Temp\Yar.exe
    "C:\Users\Admin\AppData\Local\Temp\Yar.exe"
    - Suspicious use of WriteProcessMemory
    PID:1820
  [2] C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Bridgehypersurrogate\mtYSF.vbe"
      - Suspicious use of WriteProcessMemory
      PID:2172
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Bridgehypersurrogate\vhpRdxgjT8JEEAKHpAXjiDc8va.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:2604
      [4] C:\Bridgehypersurrogate\portsurrogatemonitor.exe
          "C:\Bridgehypersurrogate\portsurrogatemonitor.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:2376
        [5] C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFscmbZ2Qm.bat"
            - Suspicious use of WriteProcessMemory
            PID:1740
          [6] C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID:2020
              (w32tm /stripchart against localhost with a small sample count is a common stand-in for sleep in batch droppers; here it is the delay before taskhost.exe is launched from the same batch file.)
          [6] C:\Users\All Users\Favorites\taskhost.exe
              "C:\Users\All Users\Favorites\taskhost.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              PID:2272
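The chain above (dropper, script host, batch file, dropped EXE, batch file, delay, second dropped EXE) is what an analyst keys on when hunting for this family in endpoint telemetry. The following Python is an added example, not part of the Triage report or of DcRat, that rebuilds the lineage from process-creation records and flags the links that matter: an executable running from outside Windows/Program Files, a script host started by such an executable, a Windows system-process name (taskhost.exe) living in a user profile, and w32tm /stripchart used as a delay. The record tuples are transcribed from the tree above; the function names, the trusted-path prefixes and the SYSTEM_NAMES list are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Prefixes a non-admin user cannot normally write to; anything else is treated as user-writable.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Core Windows process names that never legitimately run from a user profile (assumed list).
SYSTEM_NAMES = {"taskhost.exe", "csrss.exe", "dwm.exe", "winlogon.exe", "wininit.exe",
                "lsm.exe", "audiodg.exe", "svchost.exe", "lsass.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None when the parent was not recorded (the tree root)
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def trusted_path(self) -> bool:
        return self.image.lower().startswith(TRUSTED_PREFIXES)


# Constructed from the process tree in the report: (pid, parent pid, image, command line).
SAMPLE_PROCS = [
    Proc(1820, None, r"C:\Users\Admin\AppData\Local\Temp\Yar.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Yar.exe"'),
    Proc(2172, 1820, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Bridgehypersurrogate\mtYSF.vbe"'),
    Proc(2604, 2172, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c ""C:\Bridgehypersurrogate\vhpRdxgjT8JEEAKHpAXjiDc8va.bat" "'),
    Proc(2376, 2604, r"C:\Bridgehypersurrogate\portsurrogatemonitor.exe",
         r'"C:\Bridgehypersurrogate\portsurrogatemonitor.exe"'),
    Proc(1740, 2376, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFscmbZ2Qm.bat"'),
    Proc(2020, 1740, r"C:\Windows\system32\w32tm.exe",
         "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    Proc(2272, 1740, r"C:\Users\All Users\Favorites\taskhost.exe",
         r'"C:\Users\All Users\Favorites\taskhost.exe"'),
]


def build_index(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def lineage(index: Dict[int, Proc], pid: int) -> List[str]:
    """Root-to-leaf list of image names; stops at a missing parent or a pid cycle."""
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = index.get(cur.ppid) if cur.ppid is not None else None
    return list(reversed(chain))


def judge(index: Dict[int, Proc], p: Proc) -> List[str]:
    """Reasons this single process is suspicious, judged against its parent."""
    reasons = []
    parent = index.get(p.ppid) if p.ppid is not None else None
    if not p.trusted_path:
        reasons.append("image runs from outside Windows/Program Files")
    if p.name in SYSTEM_NAMES and not p.image.lower().startswith("c:\\windows\\"):
        reasons.append(f"{p.name} is a Windows system-process name but lives at {p.image}")
    if p.name in SCRIPT_HOSTS and parent is not None and not parent.trusted_path:
        reasons.append(f"script host started by {parent.name} from an untrusted path")
    if p.name == "w32tm.exe" and "/stripchart" in p.cmdline.lower():
        reasons.append("w32tm /stripchart used as a timed delay before the next stage")
    return reasons


def suspicious_lineages(procs: List[Proc]) -> List[Tuple[int, str, List[str]]]:
    """(pid, 'root -> ... -> leaf', reasons) for every process that tripped a rule."""
    index = build_index(procs)
    out = []
    for p in procs:
        reasons = judge(index, p)
        if reasons:
            out.append((p.pid, " -> ".join(lineage(index, p.pid)), reasons))
    return out


if __name__ == "__main__":
    for pid, chain, reasons in suspicious_lineages(SAMPLE_PROCS):
        print(f"{pid}: {chain}")
        for r in reasons:
            print("    ", r)
```

The two cmd.exe instances are not flagged on their own: they run from the Windows directory and cmd.exe launching things is normal. The chain string carried with each finding is what ties them to the dropper, so a detection should report the lineage rather than the single event.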
Scheduled tasks created from WmiPrvSE.exe (42 entries; the report shows each as a separate depth-1 process tagged "Process spawned unexpected child process" and "Creates scheduled task(s)"). Every command line has the form

  C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "<tn>" /sc <sc> [/mo <mo>] /tr "'<tr>'" [/rl HIGHEST] /f

and only the fields below vary. Each dropped binary receives three task creations: a MINUTE task without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE task under the same /tn with /rl HIGHEST. Because /f overwrites an existing task of the same name, the second MINUTE task replaces the first, leaving two tasks per binary: "<stem><first letter>" every few minutes and "<stem>" at logon, both with /rl HIGHEST.

PID  | /tn                   | /sc     | /mo | /rl     | /tr
2516 | lsml                  | MINUTE  | 14  | -       | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe
2572 | lsm                   | ONLOGON | -   | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe
3012 | lsml                  | MINUTE  | 13  | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe
3024 | taskhostt             | MINUTE  | 7   | -       | C:\Users\All Users\Favorites\taskhost.exe
1960 | taskhost              | ONLOGON | -   | HIGHEST | C:\Users\All Users\Favorites\taskhost.exe
472  | taskhostt             | MINUTE  | 10  | HIGHEST | C:\Users\All Users\Favorites\taskhost.exe
1052 | dwmd                  | MINUTE  | 10  | -       | C:\Windows\Help\mui\0411\dwm.exe
2836 | dwm                   | ONLOGON | -   | HIGHEST | C:\Windows\Help\mui\0411\dwm.exe
276  | dwmd                  | MINUTE  | 10  | HIGHEST | C:\Windows\Help\mui\0411\dwm.exe
1104 | portsurrogatemonitorp | MINUTE  | 14  | -       | C:\Users\Public\Videos\Sample Videos\portsurrogatemonitor.exe
2880 | portsurrogatemonitor  | ONLOGON | -   | HIGHEST | C:\Users\Public\Videos\Sample Videos\portsurrogatemonitor.exe
2900 | portsurrogatemonitorp | MINUTE  | 10  | HIGHEST | C:\Users\Public\Videos\Sample Videos\portsurrogatemonitor.exe
2908 | wininitw              | MINUTE  | 7   | -       | C:\Users\Admin\SendTo\wininit.exe
1736 | wininit               | ONLOGON | -   | HIGHEST | C:\Users\Admin\SendTo\wininit.exe
1628 | wininitw              | MINUTE  | 10  | HIGHEST | C:\Users\Admin\SendTo\wininit.exe
1688 | winlogonw             | MINUTE  | 12  | -       | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
1976 | winlogon              | ONLOGON | -   | HIGHEST | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
536  | winlogonw             | MINUTE  | 12  | HIGHEST | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe
1648 | csrssc                | MINUTE  | 14  | -       | C:\Users\Default User\csrss.exe
2808 | csrss                 | ONLOGON | -   | HIGHEST | C:\Users\Default User\csrss.exe
1712 | csrssc                | MINUTE  | 14  | HIGHEST | C:\Users\Default User\csrss.exe
1416 | dwmd                  | MINUTE  | 6   | -       | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\dwm.exe
612  | dwm                   | ONLOGON | -   | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\dwm.exe
1412 | dwmd                  | MINUTE  | 8   | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\dwm.exe
1812 | cmdc                  | MINUTE  | 13  | -       | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\cmd.exe
1808 | cmd                   | ONLOGON | -   | HIGHEST | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\cmd.exe
1644 | cmdc                  | MINUTE  | 5   | HIGHEST | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\cmd.exe
2876 | audiodga              | MINUTE  | 11  | -       | C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
2264 | audiodg               | ONLOGON | -   | HIGHEST | C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
2300 | audiodga              | MINUTE  | 5   | HIGHEST | C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
2180 | portsurrogatemonitorp | MINUTE  | 7   | -       | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\portsurrogatemonitor.exe
1156 | portsurrogatemonitor  | ONLOGON | -   | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\portsurrogatemonitor.exe
2052 | portsurrogatemonitorp | MINUTE  | 14  | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\portsurrogatemonitor.exe
2396 | explorere             | MINUTE  | 8   | -       | C:\Program Files\Windows Media Player\es-ES\explorer.exe
2148 | explorer              | ONLOGON | -   | HIGHEST | C:\Program Files\Windows Media Player\es-ES\explorer.exe
1924 | explorere             | MINUTE  | 7   | HIGHEST | C:\Program Files\Windows Media Player\es-ES\explorer.exe
1068 | audiodga              | MINUTE  | 11  | -       | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe
2184 | audiodg               | ONLOGON | -   | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe
892  | audiodga              | MINUTE  | 8   | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe
1084 | csrssc                | MINUTE  | 11  | -       | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\csrss.exe
1836 | csrss                 | ONLOGON | -   | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\csrss.exe
888  | csrssc                | MINUTE  | 14  | HIGHEST | C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\csrss.exe
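The schtasks command lines above carry everything needed to detect this persistence pattern from process-creation logs: a Windows system-process name (csrss.exe, dwm.exe, winlogon.exe, lsm.exe and so on) scheduled from a directory where it does not belong, schtasks.exe itself spawned by WmiPrvSE.exe, /rl HIGHEST, a minute-granularity re-launch loop, and a task name that is the target's filename stem (sometimes with its first letter appended, as in "lsml" and "csrssc"). The Python below is an added example, not part of the Triage report, that parses such command lines and raises a finding only when a strong indicator (wrong directory or WMI parent) is present, attaching the weaker indicators as detail. The four malicious events are transcribed from the table above; the two benign control events, the SYSTEM_BINARIES list, LEGIT_DIRS, the 15-minute threshold and all function names are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Windows binaries that only belong in the Windows directory tree. Assumed list for this
# example, seeded from the names the sample reused in the report.
SYSTEM_BINARIES = {
    "csrss.exe", "dwm.exe", "winlogon.exe", "wininit.exe", "lsm.exe", "taskhost.exe",
    "audiodg.exe", "explorer.exe", "cmd.exe", "svchost.exe", "lsass.exe", "services.exe",
}
# Directories in which those names are legitimate (explorer.exe lives in C:\Windows itself).
LEGIT_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
WATCHDOG_MAX_MINUTES = 15  # assumed threshold: /sc MINUTE /mo <= 15 is treated as a re-launch loop

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r'/sc\s+(\w+)', re.I)
_MO = re.compile(r'/mo\s+(\d+)', re.I)
_RL = re.compile(r'/rl\s+(\w+)', re.I)
# Accepts the sample's /tr "'C:\path\x.exe'" quoting as well as a plain /tr "C:\path\x.exe".
_TR = re.compile(r'''/tr\s+"'?([^'"]+)'?"''', re.I)


@dataclass(frozen=True)
class TaskFinding:
    pid: int
    task_name: str
    schedule: str
    target: str
    primary: Tuple[str, ...]    # indicators strong enough to raise the finding on their own
    secondary: Tuple[str, ...]  # aggravating details, reported only alongside a primary one


def _split_path(path: str) -> Tuple[str, str]:
    """Lower-cased (directory, basename) of a Windows path."""
    d, _, base = path.strip().rpartition("\\")
    return d.lower(), base.lower()


def analyse_schtasks(pid: int, parent_image: str, cmdline: str) -> Optional[TaskFinding]:
    """Return a finding for a schtasks /create command line that looks like malware persistence."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    tn, tr = _TN.search(cmdline), _TR.search(cmdline)
    if not (tn and tr):
        return None
    sc, mo, rl = _SC.search(cmdline), _MO.search(cmdline), _RL.search(cmdline)
    task_name, target = tn.group(1), tr.group(1).strip()
    target_dir, target_base = _split_path(target)
    schedule = (sc.group(1).upper() if sc else "?") + (f" /mo {mo.group(1)}" if mo else "")

    primary, secondary = [], []
    if target_base in SYSTEM_BINARIES and target_dir not in LEGIT_DIRS:
        primary.append(f"{target_base} scheduled from non-system directory {target_dir}")
    if _split_path(parent_image)[1] == "wmiprvse.exe":
        primary.append("schtasks.exe spawned by WmiPrvSE.exe (task created through WMI, not a shell)")
    if rl and rl.group(1).upper() == "HIGHEST":
        secondary.append("/rl HIGHEST requested")
    if sc and sc.group(1).upper() == "MINUTE" and mo and int(mo.group(1)) <= WATCHDOG_MAX_MINUTES:
        secondary.append(f"re-launched every {mo.group(1)} minute(s)")
    stem = target_base[:-4] if target_base.endswith(".exe") else target_base
    if task_name.lower() in (stem, stem + stem[:1]):
        secondary.append(f'task name "{task_name}" mirrors the target filename')
    if not primary:
        return None
    return TaskFinding(pid, task_name, schedule, target, tuple(primary), tuple(secondary))


def triage_events(events: List[Tuple[int, str, str]]) -> List[TaskFinding]:
    """Run analyse_schtasks over (pid, parent image, command line) records, sorted by pid."""
    return sorted((f for f in (analyse_schtasks(*e) for e in events) if f), key=lambda f: f.pid)


def persistence_targets(findings: List[TaskFinding]) -> Dict[str, Set[str]]:
    """Group findings by target path so each dropped binary appears once with all its triggers."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f.target.lower(), set()).add(f.schedule)
    return grouped


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLE_EVENTS = [
    # Transcribed from the report (pid, parent image, command line).
    (2516, WMI, r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /f'''),
    (2572, WMI, r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f'''),
    (2808, WMI, r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f'''),
    (2148, WMI, r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /rl HIGHEST /f'''),
    # Constructed benign controls: an admin's backup job, and a task pointing at the real dwm.exe.
    (4100, r"C:\Windows\System32\cmd.exe", r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f'''),
    (4101, r"C:\Windows\System32\cmd.exe", r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\dwm.exe'" /f'''),
]

if __name__ == "__main__":
    findings = triage_events(SAMPLE_EVENTS)
    for f in findings:
        print(f"{f.pid} {f.task_name!r} {f.schedule} -> {f.target}")
        for reason in f.primary + f.secondary:
            print("    ", reason)
    for target, schedules in persistence_targets(findings).items():
        print(target, sorted(schedules))
```

Requiring a primary indicator is what keeps the second control event quiet: a task named "dwm" pointing at the real C:\Windows\System32\dwm.exe matches the naming rule but nothing else, and a name match alone is not worth an alert.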
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 224B
  MD5 72f05710288e42849e3835e7f5cb7748
  SHA1 e866b3ff38d5109cf5e1e16c692358bceef4473d
  SHA256 acceb8a17863212277b22f009d76118e4d9aa5e76ca66fe2602b02fe2fcb9c3b
  SHA512 52fd1010e2455c65fb9eef4000b096af5aee79561260e7d238cd261ac28377402d26ff57aa5e86fc18156a5ab273f0aba2c25f7c899d6359b47dcfe3e0c7f0b0
- Filesize 828KB (the same file is listed seven times in the report; all seven entries carry these hashes)
  MD5 9177dc1235ce8da32d20e3367b018637
  SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
  SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
  SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739
- Filesize 50B
  MD5 8340b7a68f0e70aca070b138792520d4
  SHA1 aeea5b3aabda84add611832ccb2badd157e8444e
  SHA256 f747e81cbf3144de5af7f620fcfc64daf38f43bb8a1ac3ba35d14805665f6c12
  SHA512 4e96073d06dcca9cf6d8ac52f7dbebd0ac106e7108f1c3ffb23425e176feb2306efe2d2b846aa13c7365f33499c75a14167bd6d4b4c61fbf223ed99b968e771f
- Filesize 206B
  MD5 854a8abfb62a5f4d9ed525d7607c9433
  SHA1 e6b2a1af2dbe9fa4d14113ec05d83824f79a24e3
  SHA256 d1565f8fec41bf55d36891846f68c0268fcd682dc0fce61d4d3ba28ffae0cb1e
  SHA512 8bd295aaa461e3eaa19df3ef7c65a4b0719cd3a8c7348bffcbe8cec82dbd5929cc5e4b26904baaddc342a01344c4e6bb319db698615118a8947fd78683527d6d