Analysis
max time kernel: 147s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 21:51

Static task: static1
Behavioral task: behavioral1
  Sample: 8FE4D765052F33EE206BABD50ECEBFF4.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 8FE4D765052F33EE206BABD50ECEBFF4.exe
  Resource: win10v2004-20241007-en
General
Target: 8FE4D765052F33EE206BABD50ECEBFF4.exe
Size: 1.8MB
MD5: 8fe4d765052f33ee206babd50ecebff4
SHA1: 626ed36cc72ed374334c868a5d2471cd1d70e9ef
SHA256: 9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462
SHA512: 5a41dbc6ead37caa5de7c3110378fc1357954a6b02b50eea6d82ff2685962536090e2e6e75a83ab321aa14a04a50f31c92290ace854bd45bc4c5913a1e1a7210
SSDEEP: 49152:IBJS5y9ltNK+s0am17m5uSTRhNCYX1xoUQ/Ui5zbf2qmOK:ywGls0amCyN5zbf7jK
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\", \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\", \"C:\\Program Files\\Common Files\\Idle.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\", \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\", \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" | MsRefHost.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5016 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4128 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5100 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3408 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3396 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3144 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1988 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2536 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2320 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4940 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3912 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1720 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2916 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3544 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2548 | schtasks.exe | 94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4744 | 2548 | schtasks.exe | 94
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 8FE4D765052F33EE206BABD50ECEBFF4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | MsRefHost.exe
Executes dropped EXE (2 IoCs)
pid | Process
2396 | MsRefHost.exe
3504 | Idle.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Common Files\\Idle.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Common Files\\Idle.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" | MsRefHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\"" | MsRefHost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSC6A2DB2FABCCF44C6B0B5C2CA929267D1.TMP | csc.exe
File created | \??\c:\Windows\System32\ovufcs.exe | csc.exe
Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File created | C:\Program Files\Java\jdk-1.8\jre\bin\SppExtComObj.exe | MsRefHost.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\e1ef82546f0b02 | MsRefHost.exe
File created | C:\Program Files\Common Files\Idle.exe | MsRefHost.exe
File created | C:\Program Files\Common Files\6ccacd8608530f | MsRefHost.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\wininit.exe | MsRefHost.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\56085415360792 | MsRefHost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8FE4D765052F33EE206BABD50ECEBFF4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
764 | PING.EXE
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | 8FE4D765052F33EE206BABD50ECEBFF4.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | MsRefHost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
764 | PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe, one instance per pid: 3408, 1516, 2536, 4940, 4744, 5100, 1988, 2320, 2664, 1720, 4128, 3144, 3912, 2916, 5016, 3396, 3544, 2104
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2396 | MsRefHost.exe (all 64 events are attributed to this one process)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2396 | MsRefHost.exe
Token: SeDebugPrivilege | 3504 | Idle.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target | events
PID 764 wrote to memory of 64 | 764 | 8FE4D765052F33EE206BABD50ECEBFF4.exe | 84 | 3
PID 64 wrote to memory of 3316 | 64 | WScript.exe | 90 | 3
PID 3316 wrote to memory of 2396 | 3316 | cmd.exe | 92 | 2
PID 2396 wrote to memory of 4316 | 2396 | MsRefHost.exe | 99 | 2
PID 4316 wrote to memory of 2436 | 4316 | csc.exe | 101 | 2
PID 2396 wrote to memory of 4420 | 2396 | MsRefHost.exe | 117 | 2
PID 4420 wrote to memory of 1608 | 4420 | cmd.exe | 120 | 2
PID 4420 wrote to memory of 764 | 4420 | cmd.exe | 121 | 2
PID 4420 wrote to memory of 3504 | 4420 | cmd.exe | 124 | 2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows parent/child nesting):

C:\Users\Admin\AppData\Local\Temp\8FE4D765052F33EE206BABD50ECEBFF4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8FE4D765052F33EE206BABD50ECEBFF4.exe"
  PID: 764
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe"
    PID: 64
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat" "
      PID: 3316
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf/MsRefHost.exe"
        PID: 2396
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cgvcqqs1\cgvcqqs1.cmdline"
          PID: 4316
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAA5.tmp" "c:\Windows\System32\CSC6A2DB2FABCCF44C6B0B5C2CA929267D1.TMP"
            PID: 2436

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qV0yvi7Q70.bat"
          PID: 4420
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID: 1608

          C:\Windows\system32\PING.EXE
            Command line: ping -n 10 localhost
            PID: 764
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

          C:\Program Files\Common Files\Idle.exe
            Command line: "C:\Program Files\Common Files\Idle.exe"
            PID: 3504
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Eighteen top-level schtasks.exe processes (image C:\Windows\system32\schtasks.exe), each flagged with "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task", listed by PID and command line:

PID 5016: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\jre\bin\SppExtComObj.exe'" /f
PID 4128: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\jre\bin\SppExtComObj.exe'" /rl HIGHEST /f
PID 5100: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\jre\bin\SppExtComObj.exe'" /rl HIGHEST /f
PID 3408: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\wininit.exe'" /f
PID 3396: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\wininit.exe'" /rl HIGHEST /f
PID 3144: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\wininit.exe'" /rl HIGHEST /f
PID 1516: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Idle.exe'" /f
PID 1988: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Idle.exe'" /rl HIGHEST /f
PID 2536: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Idle.exe'" /rl HIGHEST /f
PID 2320: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
PID 2664: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
PID 4940: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
PID 3912: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
PID 1720: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
PID 2916: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
PID 3544: schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /f
PID 2104: schtasks.exe /create /tn "MsRefHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
PID 4744: schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads