Analysis
max time kernel: 69s
max time network: 73s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-07-2024 16:29

Behavioral task: behavioral1
Sample: Nurik Nextgen.zip
Resource: win10v2004-20240709-en

General
Target: Nurik Nextgen.zip
Size: 18.3MB
MD5: 3fc9a11e02cb42d213d905f1d8ad6fa0
SHA1: 209513a3c96a5afa02987a792ba23d61bcffcb75
SHA256: 5080fde04d9c1a84629ef9115de89032f4648865a763b759e03140c82e55ef03
SHA512: 0de34b6a34f4aadcddbb0bd37e337e21f3e641a70396491d430879a3192459b754a1d403417e8c5477d613afe0073440fe961d3f00e109075620895407902d86
SSDEEP: 393216:VbXvrdREZMNsYJFJxcTT45MczYrjpJViNyBBJNPrNf4H75o:FBREZMhd0T4dYHNHBB3PtW7a
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes (YARA matches):
resource | yara_rule
C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe | dcrat
C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat | dcrat
C:\ProviderdriverIntocommon\blocksavesdll.exe | dcrat
behavioral1/memory/1572-100-0x0000000000D00000-0x0000000000E5C000-memory.dmp | dcrat

Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (33 instances)
description (same for all 33 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (same for all 33 rows): 4872
process (same for all 33 rows): schtasks.exe
pid: 4372, 1716, 3388, 4824, 2740, 3512, 2756, 2216, 4384, 2884, 3904, 4604, 4232, 2260, 4620, 4192, 3524, 4848, 3508, 1412, 4600, 1932, 3248, 1348, 2296, 448, 560, 3984, 2976, 2052, 4328, 4484, 3924
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Loader.exe, Start.bat, WScript.exe, blocksavesdll.exe, WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | Loader.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | Start.bat
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | blocksavesdll.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE 5 IoCs
Processes: Loader.exe, Start.bat, blocksavesdll.exe, backgroundTaskHost.exe, blocksavesdll.exe
pid | process
5012 | Loader.exe
2868 | Start.bat
1572 | blocksavesdll.exe
1112 | backgroundTaskHost.exe
2584 | blocksavesdll.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
43 | ipinfo.io
42 | ipinfo.io
Drops file in Program Files directory 5 IoCs
Processes: blocksavesdll.exe
description | ioc | process
File created | C:\Program Files\Internet Explorer\en-US\System.exe | blocksavesdll.exe
File created | C:\Program Files\Internet Explorer\en-US\27d1bcfc3c54e0 | blocksavesdll.exe
File created | C:\Program Files\Windows Security\BrowserCore\taskhostw.exe | blocksavesdll.exe
File created | C:\Program Files\Windows Security\BrowserCore\ea9f0e6c9e2dcd | blocksavesdll.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\csrss.exe | blocksavesdll.exe
Drops file in Windows directory 4 IoCs
Processes: blocksavesdll.exe
description | ioc | process
File created | C:\Windows\en-US\backgroundTaskHost.exe | blocksavesdll.exe
File created | C:\Windows\en-US\eddb19405b7ce1 | blocksavesdll.exe
File created | C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe | blocksavesdll.exe
File created | C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\cc11b995f2a76d | blocksavesdll.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 2 IoCs
Processes: Loader.exe, Start.bat
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | Loader.exe
Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | Start.bat
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (33 instances)
process (same for all 33 rows): schtasks.exe
pid: 4384, 3904, 1412, 2296, 448, 4328, 3924, 1716, 4824, 2740, 4232, 3508, 1932, 2884, 4620, 3524, 1348, 560, 4484, 2756, 4600, 2052, 3388, 2260, 4192, 2976, 3512, 2216, 3248, 4372, 4604, 4848, 3984
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes: blocksavesdll.exe, backgroundTaskHost.exe
pid | process
1572 | blocksavesdll.exe (10 entries)
1112 | backgroundTaskHost.exe (13 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 7zFM.exe
pid | process
2556 | 7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: 7zFM.exe, blocksavesdll.exe, backgroundTaskHost.exe, blocksavesdll.exe
description | pid | process
Token: SeRestorePrivilege | 2556 | 7zFM.exe
Token: 35 | 2556 | 7zFM.exe
Token: SeSecurityPrivilege | 2556 | 7zFM.exe
Token: SeDebugPrivilege | 1572 | blocksavesdll.exe
Token: SeDebugPrivilege | 1112 | backgroundTaskHost.exe
Token: SeDebugPrivilege | 2584 | blocksavesdll.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: 7zFM.exe
pid | process
2556 | 7zFM.exe
2556 | 7zFM.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes: Loader.exe, Start.bat, WScript.exe, cmd.exe, blocksavesdll.exe, WScript.exe, cmd.exe
description | pid | process | target process
PID 5012 wrote to memory of 1628 | 5012 | Loader.exe | WScript.exe (3 entries)
PID 2868 wrote to memory of 892 | 2868 | Start.bat | WScript.exe (3 entries)
PID 1628 wrote to memory of 3232 | 1628 | WScript.exe | cmd.exe (3 entries)
PID 3232 wrote to memory of 1572 | 3232 | cmd.exe | blocksavesdll.exe (2 entries)
PID 1572 wrote to memory of 1112 | 1572 | blocksavesdll.exe | backgroundTaskHost.exe (2 entries)
PID 892 wrote to memory of 4624 | 892 | WScript.exe | cmd.exe (3 entries)
PID 4624 wrote to memory of 2584 | 4624 | cmd.exe | blocksavesdll.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth)

C:\Windows\Explorer.exe (PID 4088)
  command line: C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Nurik Nextgen.zip"

C:\Windows\System32\rundll32.exe (PID 2196)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe (PID 2556)
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nurik Nextgen.zip"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe (PID 5012)
  command line: "C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe (PID 1628)
      command line: "C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\88xPq.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3232)
          command line: C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\agbLTe.bat" "
          - Suspicious use of WriteProcessMemory
            C:\ProviderdriverIntocommon\blocksavesdll.exe (PID 1572)
              command line: "C:\ProviderdriverIntocommon\blocksavesdll.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                C:\ProviderdriverIntocommon\backgroundTaskHost.exe (PID 1112)
                  command line: "C:\ProviderdriverIntocommon\backgroundTaskHost.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat (PID 2868)
  command line: "C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe (PID 892)
      command line: "C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\DS8loQgAzvz4hzGOlT2oxco7LQ.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 4624)
          command line: C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\z4jwrAxpUhCGOKjWHl3LLujwq0.bat" "
          - Suspicious use of WriteProcessMemory
            C:\ProviderdriverIntocommon\blocksavesdll.exe (PID 2584)
              command line: "C:\ProviderdriverIntocommon\blocksavesdll.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\NOTEPAD.EXE (PID 1788)
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nurik Nextgen\Read Me.txt

C:\Windows\system32\schtasks.exe, 33 top-level (depth 1) instances; every one is flagged with the same two signatures:
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID 4372: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  PID 1716: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  PID 3388: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  PID 4824: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /f
  PID 2740: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
  PID 3512: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
  PID 2756: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\ProviderdriverIntocommon\conhost.exe'" /f
  PID 2216: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\conhost.exe'" /rl HIGHEST /f
  PID 4384: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\ProviderdriverIntocommon\conhost.exe'" /rl HIGHEST /f
  PID 2884: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
  PID 3904: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  PID 4604: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  PID 4232: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\ProviderdriverIntocommon\csrss.exe'" /f
  PID 2260: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\csrss.exe'" /rl HIGHEST /f
  PID 4620: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\ProviderdriverIntocommon\csrss.exe'" /rl HIGHEST /f
  PID 4192: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\ProviderdriverIntocommon\WmiPrvSE.exe'" /f
  PID 3524: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\WmiPrvSE.exe'" /rl HIGHEST /f
  PID 4848: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\ProviderdriverIntocommon\WmiPrvSE.exe'" /rl HIGHEST /f
  PID 3508: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\System.exe'" /f
  PID 1412: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\System.exe'" /rl HIGHEST /f
  PID 4600: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\System.exe'" /rl HIGHEST /f
  PID 1932: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe'" /f
  PID 3248: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe'" /rl HIGHEST /f
  PID 1348: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe'" /rl HIGHEST /f
  PID 2296: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\ProviderdriverIntocommon\backgroundTaskHost.exe'" /f
  PID 448: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\backgroundTaskHost.exe'" /rl HIGHEST /f
  PID 560: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\ProviderdriverIntocommon\backgroundTaskHost.exe'" /rl HIGHEST /f
  PID 3984: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\taskhostw.exe'" /f
  PID 2976: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\taskhostw.exe'" /rl HIGHEST /f
  PID 2052: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\taskhostw.exe'" /rl HIGHEST /f
  PID 4328: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /f
  PID 4484: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
  PID 3924: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads