Analysis
-
max time kernel
51s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-06-2024 12:22
Behavioral task
behavioral1
Sample
DCRatBuild.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
DCRatBuild.exe
Resource
win10v2004-20240508-en
General
-
Target
DCRatBuild.exe
-
Size
1.1MB
-
MD5
69119a27d94728deb85e51c343ca0173
-
SHA1
f93da03f3678056d611196d1c837146277fc68dc
-
SHA256
f54df54335eb1edb832f6a501d095b0d2011c32a81f061397e04908efab35b3e
-
SHA512
ce7887a1abaac570a45344efa9793650c39134b89a1aaad5e1cbe8e71985e6515871622334b5da4cad520e865a4c7605e0587bb4174d54fbf129035eb5cd1e6c
-
SSDEEP
24576:U2G/nvxW3Ww0tzm2QaiULPxZWv7q6cZIrDgVmAk:UbA30BQaVZrmH
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4140 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5104 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5108 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 448 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4584 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2568 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5092 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2168 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4880 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3684 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2512 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3440 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3420 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1016 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1836 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2196 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4832 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1316 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3000 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5008 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1952 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3784 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4176 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3444 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4936 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4984 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2076 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3368 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3732 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3720 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3652 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 468 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 2396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5044 2396 schtasks.exe -
Processes:
resource yara_rule C:\PortserverWin\serverwin.exe dcrat behavioral2/memory/3960-13-0x0000000000B00000-0x0000000000BD6000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
DCRatBuild.exeWScript.exeserverwin.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation DCRatBuild.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation serverwin.exe -
Executes dropped EXE 2 IoCs
Processes:
serverwin.exeRuntimeBroker.exepid process 3960 serverwin.exe 3300 RuntimeBroker.exe -
Drops file in Program Files directory 12 IoCs
Processes:
serverwin.exedescription ioc process File created C:\Program Files\Microsoft Office\root\Client\55b276f4edf653 serverwin.exe File created C:\Program Files\Windows Defender\System.exe serverwin.exe File created C:\Program Files\Windows Defender\27d1bcfc3c54e0 serverwin.exe File created C:\Program Files\Google\Chrome\Application\fontdrvhost.exe serverwin.exe File created C:\Program Files (x86)\Internet Explorer\uk-UA\conhost.exe serverwin.exe File created C:\Program Files (x86)\Internet Explorer\uk-UA\088424020bedd6 serverwin.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe serverwin.exe File created C:\Program Files\Microsoft Office\root\Client\StartMenuExperienceHost.exe serverwin.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9 serverwin.exe File created C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe serverwin.exe File created C:\Program Files (x86)\Windows Defender\fr-FR\9e8d7a4ca61bd9 serverwin.exe File created C:\Program Files\Google\Chrome\Application\5b884080fd4f94 serverwin.exe -
Drops file in Windows directory 6 IoCs
Processes:
serverwin.exedescription ioc process File created C:\Windows\Branding\shellbrd\wininit.exe serverwin.exe File created C:\Windows\Branding\shellbrd\56085415360792 serverwin.exe File created C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe serverwin.exe File created C:\Windows\DigitalLocker\en-US\9e8d7a4ca61bd9 serverwin.exe File created C:\Windows\SystemResources\Windows.UI.Cred\pris\csrss.exe serverwin.exe File created C:\Windows\SystemResources\Windows.UI.Cred\pris\886983d96e3d3e serverwin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
DCRatBuild.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings DCRatBuild.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3420 schtasks.exe 3444 schtasks.exe 3720 schtasks.exe 468 schtasks.exe 2004 schtasks.exe 2568 schtasks.exe 3684 schtasks.exe 4508 schtasks.exe 4536 schtasks.exe 3440 schtasks.exe 1784 schtasks.exe 4876 schtasks.exe 2008 schtasks.exe 3784 schtasks.exe 3368 schtasks.exe 3732 schtasks.exe 2644 schtasks.exe 4584 schtasks.exe 5044 schtasks.exe 3000 schtasks.exe 1984 schtasks.exe 2620 schtasks.exe 5092 schtasks.exe 4832 schtasks.exe 1016 schtasks.exe 1836 schtasks.exe 4492 schtasks.exe 4984 schtasks.exe 3652 schtasks.exe 5104 schtasks.exe 1656 schtasks.exe 4880 schtasks.exe 2196 schtasks.exe 4176 schtasks.exe 4976 schtasks.exe 2076 schtasks.exe 4140 schtasks.exe 5108 schtasks.exe 5008 schtasks.exe 2168 schtasks.exe 1316 schtasks.exe 1952 schtasks.exe 4936 schtasks.exe 448 schtasks.exe 2512 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
serverwin.exeRuntimeBroker.exepid process 3960 serverwin.exe 3960 serverwin.exe 3960 serverwin.exe 3960 serverwin.exe 3960 serverwin.exe 3960 serverwin.exe 3960 serverwin.exe 3300 RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
serverwin.exeRuntimeBroker.exedescription pid process Token: SeDebugPrivilege 3960 serverwin.exe Token: SeDebugPrivilege 3300 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
DCRatBuild.exeWScript.execmd.exeserverwin.exedescription pid process target process PID 4680 wrote to memory of 3636 4680 DCRatBuild.exe WScript.exe PID 4680 wrote to memory of 3636 4680 DCRatBuild.exe WScript.exe PID 4680 wrote to memory of 3636 4680 DCRatBuild.exe WScript.exe PID 3636 wrote to memory of 912 3636 WScript.exe cmd.exe PID 3636 wrote to memory of 912 3636 WScript.exe cmd.exe PID 3636 wrote to memory of 912 3636 WScript.exe cmd.exe PID 912 wrote to memory of 3960 912 cmd.exe serverwin.exe PID 912 wrote to memory of 3960 912 cmd.exe serverwin.exe PID 3960 wrote to memory of 3300 3960 serverwin.exe RuntimeBroker.exe PID 3960 wrote to memory of 3300 3960 serverwin.exe RuntimeBroker.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortserverWin\hbvALF5ANwO637LJ.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:912 -
C:\PortserverWin\serverwin.exe"C:\PortserverWin\serverwin.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe"C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\root\Client\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Client\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\root\Client\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\shellbrd\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\shellbrd\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\PortserverWin\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PortserverWin\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\PortserverWin\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\PortserverWin\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\PortserverWin\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\PortserverWin\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.batFilesize
32B
MD5f97003508c4a7da05b8dd7ec2eb5d19d
SHA157c69807156d660c0394caf53af6d7edb10419ae
SHA2560065d6587056351f930803b1030b2d1b210e41a4a731f3d0e4f55d903a0b80e0
SHA51286c8a7697d0593dc48bd1343af8c114e85fa422380ae7cfcbd549d4b740e7aff4faf23d0ff06d1c7e4b6a1b0f3eafe15ddfbc451d42815ec23b4ee7e6437124d
-
C:\PortserverWin\hbvALF5ANwO637LJ.vbeFilesize
215B
MD5ac7f40d86252e33f7eaa68237c8ef92e
SHA13cca1a9e29e8ab5a3a72ac9c8eac2c482a0da30b
SHA25690cd9a07fcbef6f39445d04035adbdcde5f1cc91e7f7f084516efbc5ba95c3ca
SHA5121d66fedbc2b1d882b007d4b36c3ffef1c5d550c60ceb14c7517b48e08deb2f7e868fdd419d6545e07fe4a859ff088746f8a6892b9e99a8d2216f7c3a4bc2c694
-
C:\PortserverWin\serverwin.exeFilesize
828KB
MD5eee8aebed57ea1fb9fb307a967e6892a
SHA1047a0c84eeba395bf99e99872ad56bb35416bb2b
SHA2561d5d6374bc49780c31381696ad42a24369b398a2a85580196c031067f97e621d
SHA512411d5d02d40de7ec4eb4679cc1047df0987060676bbd721efe099c6babbaead2dccdd68a394afe930c96bb34f40c0512ae4ca224c152f02721072cc14c04004d
-
memory/3960-12-0x00007FFF7C023000-0x00007FFF7C025000-memory.dmpFilesize
8KB
-
memory/3960-13-0x0000000000B00000-0x0000000000BD6000-memory.dmpFilesize
856KB