Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-07-2024 17:36

General

  • Target

    7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe

  • Size

    1.2MB

  • MD5

    76552f8bd7533c66bc900c75abdc0ea7

  • SHA1

    9a682fc922b82e6896c9892efb85687586963355

  • SHA256

    7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f

  • SHA512

    4479dc402d8f9ddf9d8fcb46d9a5048484e59e91b5f4c0b1efd6042ab287556fc028f5e3f0ae03856521bdc346613d848469732de77150719d14dfa3c5171b77

  • SSDEEP

    24576:sMYo92G/nvxW3Ww0tp6A3bEXxdhJGx+RYdVmX9ddqGC:/NbA30QArEX+x+en

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 11 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe
    "C:\Users\Admin\AppData\Local\Temp\7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3444
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:1384
      • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
        "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:5008
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4720
            • C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
              "C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3624
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oK0sfimwjR.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1080
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:632
                  • C:\Users\Default\Documents\wininit.exe
                    "C:\Users\Default\Documents\wininit.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3464
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\surrogatereviewRuntimebrokerMonitor\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1756
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:8
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2128
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\My Documents\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\Registry.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3204
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\surrogatereviewRuntimebrokerMonitor\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2756
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\CrackLauncher.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\CrackLauncher.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\CrackLauncher.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\surrogatereviewRuntimebrokerMonitor\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\Java\Deployment\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Sun\Java\Deployment\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\sysmon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\addins\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\TextInputHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1416
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Documents\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1364
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4040

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

        Filesize

        102KB

        MD5

        c137c5f5287d73a94d55bc18df238303

        SHA1

        95b4b01775bea14feaaa462c98d969eb81696d2c

        SHA256

        d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0

        SHA512

        ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

      • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

        Filesize

        1.1MB

        MD5

        d5073e19a3ad042b1f759bcd13a65a3f

        SHA1

        9df8b87566284b169e56ee4a8b78d72ce2e3e5aa

        SHA256

        28aee210bbeacee17831ab5acaa78551bb3c981ec8018ba3d0c2332178294e8b

        SHA512

        89c210bf7bccf524b2dc26d5ba574c06e7c5e7233932d2f98ddf37665542c170d99589c60fd3a1d9c92b322e3c1f8694988a8f446904a4155ee495bd9cb3171e

      • C:\Users\Admin\AppData\Local\Temp\oK0sfimwjR.bat

        Filesize

        203B

        MD5

        0ed59a14b14eb38934c6d1fe10a5bffd

        SHA1

        4fa494cfb989aa9ad0e7abad03e7f9bd968687c7

        SHA256

        3969288a75498243393bafc1a0224a4989c172047ea951004cdf0c332d3089df

        SHA512

        4ccfcf93dad301a334a8aede01c76a2cef30d4cccb55c35442cca14fcb1c25d7c56719d816dc741cff8f48688768e4f226b81c73854e15ccf5fa0c7d230c9540

      • C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe

        Filesize

        237B

        MD5

        67ef89a77b03bfa1932cc54db6dce88f

        SHA1

        a2afed6d40b91cb6d48a7023fea05c0853437050

        SHA256

        67b88c35860e20d6b83ca746c93088b98e0eb0ecfd913e769e1353e1809bef30

        SHA512

        7bf14a84e8af2ed04908666ef48233da887d856724c91e3ae3d80bda19b50d47681b5e3e8ae39de2e434c1af5d47f945af2ed0b0b2b3ae7a46987f8b3e962652

      • C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat

        Filesize

        52B

        MD5

        fbbcc9f113a6c0c84210f8550cffca28

        SHA1

        b3e94b80d166ad9c71260ce9674b7edd5d00aa25

        SHA256

        fdb006c74fb6e8d52546f9cbf5cbc86cd39905eac5bf29536d1e1a8d3332846f

        SHA512

        f434c8e5ad16219c4a526690c9e8bf3a139df51439fb047a0fcd77e1e939c3fb53ef4d71c0609520fb522f7bcd34f3aab192df083dd3fa75d68724d26efd03b8

      • C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe

        Filesize

        827KB

        MD5

        bc8b1b7e6c72022131728dd99627e1d3

        SHA1

        0dcd162ee7a24204fb032b5e02d3f99c185e82bf

        SHA256

        60e5109f2ee7a7ff493ea0cb43cd182f22a6a2769561f030bc4668a46d8c6d7a

        SHA512

        9dae0a6cd1d6a26f6f03e00755dd0c05a41bcda787dc3fd6d245672058d7eed0c54b4aabdadb65c42341707e942603b0a01dbb442148949b8b7229197abca340

      • memory/3624-29-0x00000000004C0000-0x0000000000596000-memory.dmp

        Filesize

        856KB

      • memory/4884-15-0x0000000000400000-0x000000000053F000-memory.dmp

        Filesize

        1.2MB