Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
17-07-2024 07:11
Behavioral task
behavioral1
Sample
76552F8BD7533C66BC900C75ABDC0EA7.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
76552F8BD7533C66BC900C75ABDC0EA7.exe
Resource
win10v2004-20240709-en
General
-
Target
76552F8BD7533C66BC900C75ABDC0EA7.exe
-
Size
1.2MB
-
MD5
76552f8bd7533c66bc900c75abdc0ea7
-
SHA1
9a682fc922b82e6896c9892efb85687586963355
-
SHA256
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
-
SHA512
4479dc402d8f9ddf9d8fcb46d9a5048484e59e91b5f4c0b1efd6042ab287556fc028f5e3f0ae03856521bdc346613d848469732de77150719d14dfa3c5171b77
-
SSDEEP
24576:sMYo92G/nvxW3Ww0tp6A3bEXxdhJGx+RYdVmX9ddqGC:/NbA30QArEX+x+en
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 460 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2696 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2616 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2160 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1392 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 860 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1504 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3120 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1380 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4944 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1988 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4652 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4400 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1352 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3404 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2180 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3392 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1064 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3052 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5012 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4972 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1336 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 756 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4280 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3984 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2104 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4512 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4100 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1044 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1012 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 876 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2244 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 224 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4380 2704 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 2704 schtasks.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe dcrat behavioral2/memory/4924-14-0x0000000000400000-0x000000000053F000-memory.dmp dcrat C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe dcrat behavioral2/memory/908-29-0x0000000000C60000-0x0000000000D36000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
76552F8BD7533C66BC900C75ABDC0EA7.exeDCRatBuild.exeWScript.exehostNet.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation 76552F8BD7533C66BC900C75ABDC0EA7.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation DCRatBuild.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation hostNet.exe -
Executes dropped EXE 4 IoCs
Processes:
CrackLauncher.exeDCRatBuild.exehostNet.exesihost.exepid process 1036 CrackLauncher.exe 2796 DCRatBuild.exe 908 hostNet.exe 2632 sihost.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 24 ipinfo.io 25 ipinfo.io -
Drops file in Program Files directory 7 IoCs
Processes:
hostNet.exedescription ioc process File created C:\Program Files (x86)\Common Files\System\uk-UA\upfc.exe hostNet.exe File created C:\Program Files (x86)\Common Files\System\uk-UA\ea1d8f6d871115 hostNet.exe File created C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe hostNet.exe File created C:\Program Files (x86)\Windows Defender\es-ES\088424020bedd6 hostNet.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe hostNet.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe hostNet.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991 hostNet.exe -
Drops file in Windows directory 6 IoCs
Processes:
hostNet.exedescription ioc process File created C:\Windows\L2Schemas\RuntimeBroker.exe hostNet.exe File created C:\Windows\L2Schemas\9e8d7a4ca61bd9 hostNet.exe File created C:\Windows\Performance\WinSAT\DataStore\csrss.exe hostNet.exe File created C:\Windows\Performance\WinSAT\DataStore\886983d96e3d3e hostNet.exe File created C:\Windows\SKB\LanguageModels\explorer.exe hostNet.exe File created C:\Windows\SKB\LanguageModels\7a0fd90576e088 hostNet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
Processes:
CrackLauncher.exeDCRatBuild.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings DCRatBuild.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347 CrackLauncher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" CrackLauncher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\URL Protocol CrackLauncher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\DefaultIcon CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\shell\open\command CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\shell CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\shell\open CrackLauncher.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2616 schtasks.exe 1988 schtasks.exe 2180 schtasks.exe 4400 schtasks.exe 1808 schtasks.exe 2696 schtasks.exe 2160 schtasks.exe 1504 schtasks.exe 4844 schtasks.exe 832 schtasks.exe 4652 schtasks.exe 3052 schtasks.exe 1336 schtasks.exe 4280 schtasks.exe 4100 schtasks.exe 2244 schtasks.exe 460 schtasks.exe 860 schtasks.exe 2756 schtasks.exe 1044 schtasks.exe 876 schtasks.exe 4508 schtasks.exe 3392 schtasks.exe 2676 schtasks.exe 756 schtasks.exe 4512 schtasks.exe 224 schtasks.exe 1064 schtasks.exe 4380 schtasks.exe 4976 schtasks.exe 3984 schtasks.exe 2768 schtasks.exe 1392 schtasks.exe 1380 schtasks.exe 4944 schtasks.exe 1352 schtasks.exe 4972 schtasks.exe 1012 schtasks.exe 3120 schtasks.exe 3404 schtasks.exe 5012 schtasks.exe 2104 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
hostNet.exesihost.exepid process 908 hostNet.exe 908 hostNet.exe 908 hostNet.exe 908 hostNet.exe 908 hostNet.exe 2632 sihost.exe 2632 sihost.exe 2632 sihost.exe 2632 sihost.exe 2632 sihost.exe 2632 sihost.exe 2632 sihost.exe 2632 sihost.exe 2632 sihost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
sihost.exepid process 2632 sihost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
hostNet.exesihost.exedescription pid process Token: SeDebugPrivilege 908 hostNet.exe Token: SeDebugPrivilege 2632 sihost.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
76552F8BD7533C66BC900C75ABDC0EA7.exeCrackLauncher.exeDCRatBuild.exeWScript.execmd.exehostNet.exedescription pid process target process PID 4924 wrote to memory of 1036 4924 76552F8BD7533C66BC900C75ABDC0EA7.exe CrackLauncher.exe PID 4924 wrote to memory of 1036 4924 76552F8BD7533C66BC900C75ABDC0EA7.exe CrackLauncher.exe PID 4924 wrote to memory of 2796 4924 76552F8BD7533C66BC900C75ABDC0EA7.exe DCRatBuild.exe PID 4924 wrote to memory of 2796 4924 76552F8BD7533C66BC900C75ABDC0EA7.exe DCRatBuild.exe PID 4924 wrote to memory of 2796 4924 76552F8BD7533C66BC900C75ABDC0EA7.exe DCRatBuild.exe PID 1036 wrote to memory of 2612 1036 CrackLauncher.exe cmd.exe PID 1036 wrote to memory of 2612 1036 CrackLauncher.exe cmd.exe PID 2796 wrote to memory of 228 2796 DCRatBuild.exe WScript.exe PID 2796 wrote to memory of 228 2796 DCRatBuild.exe WScript.exe PID 2796 wrote to memory of 228 2796 DCRatBuild.exe WScript.exe PID 228 wrote to memory of 3728 228 WScript.exe cmd.exe PID 228 wrote to memory of 3728 228 WScript.exe cmd.exe PID 228 wrote to memory of 3728 228 WScript.exe cmd.exe PID 3728 wrote to memory of 908 3728 cmd.exe hostNet.exe PID 3728 wrote to memory of 908 3728 cmd.exe hostNet.exe PID 908 wrote to memory of 2632 908 hostNet.exe sihost.exe PID 908 wrote to memory of 2632 908 hostNet.exe sihost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe"C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe"C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\surrogatereviewRuntimebrokerMonitor\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\surrogatereviewRuntimebrokerMonitor\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\surrogatereviewRuntimebrokerMonitor\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\surrogatereviewRuntimebrokerMonitor\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\surrogatereviewRuntimebrokerMonitor\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\surrogatereviewRuntimebrokerMonitor\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\surrogatereviewRuntimebrokerMonitor\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102KB
MD5c137c5f5287d73a94d55bc18df238303
SHA195b4b01775bea14feaaa462c98d969eb81696d2c
SHA256d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
SHA512ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5
-
Filesize
1.1MB
MD5d5073e19a3ad042b1f759bcd13a65a3f
SHA19df8b87566284b169e56ee4a8b78d72ce2e3e5aa
SHA25628aee210bbeacee17831ab5acaa78551bb3c981ec8018ba3d0c2332178294e8b
SHA51289c210bf7bccf524b2dc26d5ba574c06e7c5e7233932d2f98ddf37665542c170d99589c60fd3a1d9c92b322e3c1f8694988a8f446904a4155ee495bd9cb3171e
-
Filesize
237B
MD567ef89a77b03bfa1932cc54db6dce88f
SHA1a2afed6d40b91cb6d48a7023fea05c0853437050
SHA25667b88c35860e20d6b83ca746c93088b98e0eb0ecfd913e769e1353e1809bef30
SHA5127bf14a84e8af2ed04908666ef48233da887d856724c91e3ae3d80bda19b50d47681b5e3e8ae39de2e434c1af5d47f945af2ed0b0b2b3ae7a46987f8b3e962652
-
Filesize
52B
MD5fbbcc9f113a6c0c84210f8550cffca28
SHA1b3e94b80d166ad9c71260ce9674b7edd5d00aa25
SHA256fdb006c74fb6e8d52546f9cbf5cbc86cd39905eac5bf29536d1e1a8d3332846f
SHA512f434c8e5ad16219c4a526690c9e8bf3a139df51439fb047a0fcd77e1e939c3fb53ef4d71c0609520fb522f7bcd34f3aab192df083dd3fa75d68724d26efd03b8
-
Filesize
827KB
MD5bc8b1b7e6c72022131728dd99627e1d3
SHA10dcd162ee7a24204fb032b5e02d3f99c185e82bf
SHA25660e5109f2ee7a7ff493ea0cb43cd182f22a6a2769561f030bc4668a46d8c6d7a
SHA5129dae0a6cd1d6a26f6f03e00755dd0c05a41bcda787dc3fd6d245672058d7eed0c54b4aabdadb65c42341707e942603b0a01dbb442148949b8b7229197abca340