Analysis
  max time kernel: 1700s
  max time network: 1801s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 16-07-2024 16:29

Behavioral task: behavioral1
  Sample: Celestial Crack.zip
  Resource: win10v2004-20240709-en

General
  Target: Celestial Crack.zip
  Size: 18.3MB
  MD5: 3c002d22691e03979237c9b2e59b68fe
  SHA1: 4eb08de136c65c39ac50cce1eb933f0ebdb32a58
  SHA256: 3d5c1e8b26ab2596b9109d465b2edaaecea6e19b1a976a102b2a855249d70915
  SHA512: b8a40611097d6875e47c76cfa8c8429bf457a6d240f9bc4e4d95a696acfaf87092e9cf29f03131b515c30e5aa03ffe210ae53f788fdcc2906972e963ebeab84f
  SSDEEP: 393216:7bXvrdREdINeW/FJxcd6CZMczYrjpJViNyfBJNPrTZAHd5s:fBREdIfdG6C9YHNHfB3PROdu
Malware Config
Signatures
- DcRat
  DarkCrystal RAT (DcRat) is a .NET RAT, active since June 2019, that can load additional plugins.
  YARA matches (resource: rule):
    C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe: dcrat
    C:\ProviderdriverIntocommon\blocksavesdll.exe: dcrat
    behavioral1/memory/4980-88-0x00000000009E0000-0x0000000000B3A000-memory.dmp (memory of blocksavesdll.exe, PID 4980): dcrat
- Process spawned unexpected child process  (42 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro. Here the flagged parent is the WMI provider host, which becomes the parent of any process started through WMI (for example Win32_Process.Create), so the likelier reading is that the sample created its scheduled tasks via WMI rather than that wmiprvse.exe itself was exploited. Either way, wmiprvse.exe launching schtasks.exe /create is rare enough on a workstation to be worth alerting on.
  Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 3628) is not expected to spawn this process.
  Child process: schtasks.exe, 42 instances, PIDs:
    2216, 3528, 2372, 4296, 4388, 2868, 1652, 796, 4092, 4460, 4820, 4192, 1364, 2476, 3540, 3612, 2724, 4040, 972, 4140, 3780, 2752, 4932, 4292, 1056, 4252, 1044, 2576, 3724, 1288, 4952, 4784, 1232, 2244, 3244, 3436, 1784, 3660, 2716, 1212, 764, 608
  (the full command lines are in the process tree below)
- Checks computer location settings  (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation
    by Loader.exe, WScript.exe and blocksavesdll.exe
- Executes dropped EXE  (26 IoCs)
  PID   process
  1512  Loader.exe
  4980  blocksavesdll.exe
  2416  sysmon.exe
  2152  Registry.exe
  1292  services.exe
  3780  fontdrvhost.exe
  1832  TextInputHost.exe
  5004  sysmon.exe
  4792  wininit.exe
  2240  RuntimeBroker.exe
  1312  Registry.exe
  3988  services.exe
  2632  fontdrvhost.exe
  4272  csrss.exe
  3928  TextInputHost.exe
  3980  sysmon.exe
  2000  Registry.exe
  3264  services.exe
  4820  fontdrvhost.exe
  1604  TextInputHost.exe
  688   wininit.exe
  3940  RuntimeBroker.exe
  3872  Registry.exe
  2012  csrss.exe
  4384  services.exe
  3928  fontdrvhost.exe
  (PIDs such as 3928 and 4820 appear twice: the sandbox reused them for different processes over the run)
- Reads user/profile data of web browsers  (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting  (2 TTPs)
- Looks up external IP address via web service  (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 38: ipinfo.io
    flow 39: ipinfo.io
- Drops file in System32 directory  (1 IoC)
  File created by blocksavesdll.exe: C:\Windows\System32\wininit.exe
  This is the path of the genuine wininit.exe, so a name- or path-based hunt will not separate the two; verify that file by hash or Authenticode signature.
- Drops file in Program Files directory  (12 IoCs)
  All created by blocksavesdll.exe. Every executable is paired with a companion file whose name is 14 hex characters, in the same directory:
    C:\Program Files\Google\                                           Registry.exe, ee2ad38f3d4382
    C:\Program Files (x86)\Windows Multimedia Platform\                Registry.exe, ee2ad38f3d4382
    C:\Program Files\Reference Assemblies\                             fontdrvhost.exe, 5b884080fd4f94
    C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\    wininit.exe, 56085415360792
    C:\Program Files\Common Files\                                     services.exe, c5b4cb5e9653cc
    C:\Program Files\Windows Photo Viewer\de-DE\                       RuntimeBroker.exe, 9e8d7a4ca61bd9
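The drop list above gives a hunt pattern that is easier to sweep for than the sample's hashes: a file named after a Windows system binary (Registry.exe, fontdrvhost.exe, wininit.exe, services.exe, RuntimeBroker.exe) planted outside System32/SysWOW64, beside a small file with a 14-hex-character name. The following is an added example written for this page, not code from the report or from any DcRat tooling. It builds a constructed directory tree mirroring a subset of the drops, sweeps it, and reports each masqueraded executable with any sidecar files found next to it. The sidecar pairing is taken from this report's drop list and is treated as corroboration, not a requirement; the name list and the "trusted" directories are assumptions for the example.

```python
"""Filesystem sweep for this report's drop pattern (added example, not part of
the report): an executable carrying a Windows system-binary name planted
outside System32/SysWOW64, usually beside a companion file whose name is 14
hex characters (ee2ad38f3d4382, 5b884080fd4f94, ... above)."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Names this sample reuses (assumption: extend with other lookalike names as needed).
MASQUERADED_NAMES = {"registry.exe", "fontdrvhost.exe", "wininit.exe", "services.exe",
                     "runtimebroker.exe", "textinputhost.exe", "csrss.exe", "sysmon.exe"}
SIDECAR_RE = re.compile(r"^[0-9a-f]{14}$")
# Relative to the sweep root (C:\ on a real host); compared case-insensitively.
TRUSTED_REL = ("windows/system32/", "windows/syswow64/")


def _is_trusted(rel: Path) -> bool:
    return rel.as_posix().lower().startswith(TRUSTED_REL)


def sweep(root) -> List[Dict[str, object]]:
    """Return one record per masqueraded executable found under root."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        sidecars = sorted(f for f in files if SIDECAR_RE.match(f.lower()))
        for f in files:
            if f.lower() not in MASQUERADED_NAMES:
                continue
            full = Path(dirpath) / f
            rel = full.relative_to(root)
            if _is_trusted(rel):
                continue  # the genuine binary's home: needs hash/signature checks instead
            hits.append({"path": rel.as_posix(), "sidecars": sidecars,
                         "size": full.stat().st_size})
    return sorted(hits, key=lambda h: h["path"])


def build_fixture(root) -> Path:
    """Constructed directory tree mirroring a subset of the report's drops."""
    root = Path(root)
    stub_pe = b"MZ" + b"\0" * 62  # constructed placeholder, not a real executable
    planted = {
        "Program Files/Google/Registry.exe": stub_pe,
        "Program Files/Google/ee2ad38f3d4382": b"x",
        "Program Files/Reference Assemblies/fontdrvhost.exe": stub_pe,
        "Program Files/Reference Assemblies/5b884080fd4f94": b"x",
        "Users/Admin/Videos/csrss.exe": stub_pe,     # no sidecar listed for this drop
        "Windows/System32/wininit.exe": stub_pe,     # real location: skipped by path rule
        "Program Files/7-Zip/7zG.exe": stub_pe,      # benign control
    }
    for rel, data in planted.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo() -> List[Dict[str, object]]:
    """Build the fixture in a temp dir, sweep it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_fixture(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real host, call sweep(r"C:\") (or the individual Program Files and user-profile roots) instead of demo(); the System32 wininit.exe write logged above is deliberately outside this sweep's scope and has to be checked by hash or signature.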
- Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class  (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings
    by Loader.exe and by blocksavesdll.exe
- Scheduled Task/Job: Scheduled Task  (1 TTP, 42 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs (42):
    2372, 4820, 4932, 4784, 3660, 4388, 4192, 3612, 4140, 4952, 3436, 796, 2476, 1212, 1652, 2724, 4252, 764, 3528, 1364, 4040, 1232, 2216, 2868, 3540, 972, 3780, 1056, 3724, 2716, 4296, 4092, 4460, 2752, 1044, 2576, 1784, 4292, 1288, 2244, 3244, 608
  (the same 42 processes flagged under "Process spawned unexpected child process"; command lines are in the process tree below)
- Suspicious behavior: EnumeratesProcesses  (33 IoCs)
  4980 blocksavesdll.exe  (20 occurrences)
  2416 sysmon.exe         (13 occurrences)
- Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  2416 sysmon.exe
- Suspicious use of AdjustPrivilegeToken  (29 IoCs)
  4540 7zG.exe: SeRestorePrivilege, privilege 35 (SeCreateSymbolicLinkPrivilege), SeSecurityPrivilege, SeSecurityPrivilege
    (7zG.exe is the archive extraction shown at the top of the process tree, not the sample's own activity)
  SeDebugPrivilege enabled by each dropped copy:
    4980 blocksavesdll.exe, 2416 sysmon.exe, 2152 Registry.exe, 1292 services.exe, 3780 fontdrvhost.exe, 1832 TextInputHost.exe, 5004 sysmon.exe, 4792 wininit.exe, 2240 RuntimeBroker.exe, 1312 Registry.exe, 3988 services.exe, 2632 fontdrvhost.exe, 4272 csrss.exe, 3928 TextInputHost.exe, 3980 sysmon.exe, 2000 Registry.exe, 3264 services.exe, 4820 fontdrvhost.exe, 1604 TextInputHost.exe, 688 wininit.exe, 3940 RuntimeBroker.exe, 3872 Registry.exe, 2012 csrss.exe, 4384 services.exe, 3928 fontdrvhost.exe
- Suspicious use of FindShellTrayWindow  (1 IoC)
  4540 7zG.exe
- Suspicious use of WriteProcessMemory  (14 IoCs)
  Every pair below is a parent writing into a child it has just created, so this signature records the launch chain rather than injection into an unrelated process:
    1512 Loader.exe         -> 4984 WScript.exe         (3 writes)
    4984 WScript.exe        -> 1412 cmd.exe             (3 writes)
    1412 cmd.exe            -> 4980 blocksavesdll.exe   (2 writes)
    4980 blocksavesdll.exe  -> 860 cmd.exe              (2 writes)
    860 cmd.exe             -> 4272 w32tm.exe           (2 writes)
    860 cmd.exe             -> 2416 sysmon.exe          (2 writes)
- Uses Task Scheduler COM API  (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The first three top-level entries are the sandbox opening and extracting the archive (Explorer, its out-of-process shell server, and 7-Zip); the sample's own activity starts at Loader.exe. Depth is shown in brackets; the image path is followed by the command line, the PID and the signatures attached to that process.

  [1] C:\Windows\Explorer.exe  PID 1936
      C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Celestial Crack.zip"
  [1] C:\Windows\System32\rundll32.exe  PID 2128
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  [1] C:\Program Files\7-Zip\7zG.exe  PID 4540
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Celestial Crack\" -spe -an -ai#7zMap22461:110:7zEvent32038
      signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  [1] C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe  PID 1512
      "C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe"
      signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
      (Loader.exe is a 32-bit process: the System32 paths on its children's command lines resolve to SysWOW64)
    [2] C:\Windows\SysWOW64\WScript.exe  PID 4984
        "C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\88xPq.vbe"
        signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\cmd.exe  PID 1412
          C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\agbLTe.bat" "
          signatures: Suspicious use of WriteProcessMemory
        [4] C:\ProviderdriverIntocommon\blocksavesdll.exe  PID 4980
            "C:\ProviderdriverIntocommon\blocksavesdll.exe"
            signatures: Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            (the DcRat payload: matches the dcrat YARA rule on disk and in memory, and is the process that writes the copies listed under "Drops file")
          [5] C:\Windows\System32\cmd.exe  PID 860
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uaov4e74DQ.bat"
              signatures: Suspicious use of WriteProcessMemory
            [6] C:\Windows\system32\w32tm.exe  PID 4272
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                (a stock delay idiom in batch stagers: w32tm waits /period seconds between samples, so this is a sleep of a few seconds, not a time sync)
            [6] C:\Users\Public\sysmon.exe  PID 2416
                "C:\Users\Public\sysmon.exe"
                signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
Scheduled-task creation: 42 instances of C:\Windows\system32\schtasks.exe, all at depth 1 (their parent, wmiprvse.exe PID 3628, is not part of the tree). Every one carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task", and every command line has the form

  schtasks.exe /create /tn "<task name>" /sc <trigger> [/mo <N>] /tr "'<target>'" [/rl HIGHEST] /f

Each of the 14 drop locations receives three tasks in sequence: a MINUTE task under a suffixed name with no /rl, an ONLOGON task under the plain name with /rl HIGHEST, and a second MINUTE task under the suffixed name with /rl HIGHEST. Because every call passes /f, the third silently overwrites the first, leaving two tasks per target, both requesting the highest run level.

  PID   task name        trigger         run level  target
  2216  RuntimeBrokerR   MINUTE /mo 10   default    C:\Users\Default\Favorites\RuntimeBroker.exe
  3528  RuntimeBroker    ONLOGON         HIGHEST    C:\Users\Default\Favorites\RuntimeBroker.exe
  2372  RuntimeBrokerR   MINUTE /mo 6    HIGHEST    C:\Users\Default\Favorites\RuntimeBroker.exe
  4296  RuntimeBrokerR   MINUTE /mo 8    default    C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe
  4388  RuntimeBroker    ONLOGON         HIGHEST    C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe
  2868  RuntimeBrokerR   MINUTE /mo 9    HIGHEST    C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe
  1652  fontdrvhostf     MINUTE /mo 8    default    C:\Recovery\WindowsRE\fontdrvhost.exe
  796   fontdrvhost      ONLOGON         HIGHEST    C:\Recovery\WindowsRE\fontdrvhost.exe
  4092  fontdrvhostf     MINUTE /mo 8    HIGHEST    C:\Recovery\WindowsRE\fontdrvhost.exe
  4460  fontdrvhostf     MINUTE /mo 6    default    C:\Program Files\Reference Assemblies\fontdrvhost.exe
  4820  fontdrvhost      ONLOGON         HIGHEST    C:\Program Files\Reference Assemblies\fontdrvhost.exe
  4192  fontdrvhostf     MINUTE /mo 7    HIGHEST    C:\Program Files\Reference Assemblies\fontdrvhost.exe
  1364  wininitw         MINUTE /mo 6    default    C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
  2476  wininit          ONLOGON         HIGHEST    C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
  3540  wininitw         MINUTE /mo 12   HIGHEST    C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
  3612  RegistryR        MINUTE /mo 12   default    C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe
  2724  Registry         ONLOGON         HIGHEST    C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe
  4040  RegistryR        MINUTE /mo 14   HIGHEST    C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe
  972   servicess        MINUTE /mo 5    default    C:\Recovery\WindowsRE\services.exe
  4140  services         ONLOGON         HIGHEST    C:\Recovery\WindowsRE\services.exe
  3780  servicess        MINUTE /mo 9    HIGHEST    C:\Recovery\WindowsRE\services.exe
  2752  RuntimeBrokerR   MINUTE /mo 14   default    C:\Users\Public\Downloads\RuntimeBroker.exe
  4932  RuntimeBroker    ONLOGON         HIGHEST    C:\Users\Public\Downloads\RuntimeBroker.exe
  4292  RuntimeBrokerR   MINUTE /mo 14   HIGHEST    C:\Users\Public\Downloads\RuntimeBroker.exe
  1056  sysmons          MINUTE /mo 10   default    C:\Users\Public\sysmon.exe
  4252  sysmon           ONLOGON         HIGHEST    C:\Users\Public\sysmon.exe
  1044  sysmons          MINUTE /mo 10   HIGHEST    C:\Users\Public\sysmon.exe
  2576  TextInputHostT   MINUTE /mo 5    default    C:\Users\Admin\Favorites\Links\TextInputHost.exe
  3724  TextInputHost    ONLOGON         HIGHEST    C:\Users\Admin\Favorites\Links\TextInputHost.exe
  1288  TextInputHostT   MINUTE /mo 8    HIGHEST    C:\Users\Admin\Favorites\Links\TextInputHost.exe
  4952  RuntimeBrokerR   MINUTE /mo 8    default    C:\Users\Public\Libraries\RuntimeBroker.exe
  4784  RuntimeBroker    ONLOGON         HIGHEST    C:\Users\Public\Libraries\RuntimeBroker.exe
  1232  RuntimeBrokerR   MINUTE /mo 13   HIGHEST    C:\Users\Public\Libraries\RuntimeBroker.exe
  2244  RegistryR        MINUTE /mo 12   default    C:\Program Files\Google\Registry.exe
  3244  Registry         ONLOGON         HIGHEST    C:\Program Files\Google\Registry.exe
  3436  RegistryR        MINUTE /mo 7    HIGHEST    C:\Program Files\Google\Registry.exe
  1784  csrssc           MINUTE /mo 5    default    C:\Users\Admin\Videos\csrss.exe
  3660  csrss            ONLOGON         HIGHEST    C:\Users\Admin\Videos\csrss.exe
  2716  csrssc           MINUTE /mo 14   HIGHEST    C:\Users\Admin\Videos\csrss.exe
  1212  servicess        MINUTE /mo 6    default    C:\Program Files\Common Files\services.exe
  764   services         ONLOGON         HIGHEST    C:\Program Files\Common Files\services.exe
  608   servicess        MINUTE /mo 7    HIGHEST    C:\Program Files\Common Files\services.exe
Task-launched re-executions: 23 top-level launches of the dropped copies (parent not in the tree, consistent with the Task Scheduler firing the tasks above). Every entry carries the signatures "Executes dropped EXE" and "Suspicious use of AdjustPrivilegeToken" (SeDebugPrivilege). Only 8 of the 14 scheduled targets were observed running inside the 1700 s window; the copies under C:\Users\Default\Favorites, C:\Program Files\Windows Photo Viewer\de-DE, C:\Recovery\WindowsRE, C:\Program Files (x86)\Windows Multimedia Platform and C:\Users\Public\Downloads never appear.

  PID   image
  2152  C:\Program Files\Google\Registry.exe
  1292  C:\Program Files\Common Files\services.exe
  3780  C:\Program Files\Reference Assemblies\fontdrvhost.exe
  1832  C:\Users\Admin\Favorites\Links\TextInputHost.exe
  5004  C:\Users\Public\sysmon.exe
  4792  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
  2240  C:\Users\Public\Libraries\RuntimeBroker.exe
  1312  C:\Program Files\Google\Registry.exe
  3988  C:\Program Files\Common Files\services.exe
  2632  C:\Program Files\Reference Assemblies\fontdrvhost.exe
  4272  C:\Users\Admin\Videos\csrss.exe
  3928  C:\Users\Admin\Favorites\Links\TextInputHost.exe
  3980  C:\Users\Public\sysmon.exe
  2000  C:\Program Files\Google\Registry.exe
  3264  C:\Program Files\Common Files\services.exe
  4820  C:\Program Files\Reference Assemblies\fontdrvhost.exe
  1604  C:\Users\Admin\Favorites\Links\TextInputHost.exe
  688   C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
  3940  C:\Users\Public\Libraries\RuntimeBroker.exe
  3872  C:\Program Files\Google\Registry.exe
  2012  C:\Users\Admin\Videos\csrss.exe
  4384  C:\Program Files\Common Files\services.exe
  3928  C:\Program Files\Reference Assemblies\fontdrvhost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 208B
  MD5: b564930885f2d5234f25eb8251f32a39
  SHA1: dd29e4edd586ec9f224494a3acac72e463b03496
  SHA256: fbdc4cba4a8dff410b24577cb12a693de0ae1579a57dd035fa54ccb22aeb148c
  SHA512: 2f14edb3ba61873a118907a5d5f8d150f0b886a842e320be568a42f1be2a97b270890173848613dd142af09471b16af3d39e766182d0ae10ad21d4dd47906907
- Filesize 47B
  MD5: 3a8731fb4a1c8ac840d9da87b0fabc01
  SHA1: 589cd7631e9487d7287028a9b5e3011ddeb93b02
  SHA256: bc644fae4d644abc18bd3402435843b5334899e9d4b4871d1fb3c70e7886f353
  SHA512: 2582a5c027f1fcf2cc9a2c5b65bd85416e019d1a8dd36f83c8a324d9fd37a4f84f635dafd3dd47f045eff9e106d1411a0ea85616b46982770cdce3fe0db6d9fb
- Filesize 1.3MB
  MD5: ad376a322a947569110fd3b721931efe
  SHA1: ad9798db572cf3019c2f147ba899d758993727cf
  SHA256: fe2c7f0a58f640ec6b27f288e81d2e9af3db943f835afbc6367bc4768a12254d
  SHA512: 6a466e4ec5a792630ac560970f8f3339f61c01c03358db702f248e1104b2609b27ede017f1e1039b1b785d879b9cf276da5e1eb10c9aea8f678e76ed72f15efd
- Filesize 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
- Filesize 1.7MB
  MD5: 01e38e791b2dcba64ee53f97b6e4059c
  SHA1: b732849edbab22895fbf0b4e6caba3f4d5006081
  SHA256: b529006e6b49d8b3edc5692ee4489ff70f8a58e4a4ee387c330dfa5fa3453158
  SHA512: 0a993abd964c9ccb100b7a6006dc1ef58dea391a0b70c51729f9c668b903db42d7cf1952598a450107d26fd2ecbc8ec56b46544e76f03944a3cf77167945fc65
- Filesize 191B
  MD5: ebfb613652b09a7ab70e2ea10419267c
  SHA1: 17f76c27b1fd7a711baca1edabb7f1c65d724b3f
  SHA256: 830394e43f7f686328910aea6f33948e066dff334fee0bad79917089b7098857
  SHA512: 765c8051b1609f8b13d48e8e8c025d9755bcdbff9a4f7d4c3195d258649f622daf021728d9ff9469e035c65a67c4d00ebbefbfd2caaf0f1c25d06a346437ccdd