Overview

overview

10

Static

static

10

EXECUTOR METEOR .exe

windows11-21h2-x64

10

EXECUTOR METEOR .exe

windows7-x64

10

EXECUTOR METEOR .exe

windows10-2004-x64

10

EXECUTOR METEOR .exe

windows10-ltsc 2021-x64

10

EXECUTOR METEOR .exe

windows11-21h2-x64

10

Resubmissions

25-11-2024 10:00

241125-l129jaxlhr 10

25-11-2024 09:58

241125-lzk9ma1kg1 10

25-11-2024 09:56

241125-lyt55s1kew 10

25-11-2024 09:46

241125-lrsnqswral 10

Analysis

  • max time kernel
    1790s
  • max time network
    1797s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2024 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EXECUTOR METEOR .exe

  • Size

    1.1MB

  • MD5

    e5be94d6e847bb7656e80201cacf67fb

  • SHA1

    cc1ce69eea609b5fc9ff18f09407b934690bcff3

  • SHA256

    be5c49fa94be78520ee83ed6230a80aaf0ae9dd4bb2d6053aa8f843131f2f506

  • SHA512

    306c26f1e72a32c479b8d9112e2e0c5d22fd0e46b02ae5fa7ffff51191c9d79a52a2dbe7d200e0dc9cccf0919cba3693905c8b2dc6c6fc8f3d7eaf883e388100

  • SSDEEP

    24576:U2G/nvxW3Ww0tiUfTyqyg1hIZ9XWp7wJO:UbA30L+ixx

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 37 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\EXECUTOR METEOR .exe
    "C:\Users\Admin\AppData\Local\Temp\EXECUTOR METEOR .exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\comReviewrefPerf\Elw8H.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4256
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\comReviewrefPerf\8WD994.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\comReviewrefPerf\surrogateRuntime.exe
          "C:\comReviewrefPerf\surrogateRuntime.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Users\Admin\SendTo\WmiPrvSE.exe
            "C:\Users\Admin\SendTo\WmiPrvSE.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "surrogateRuntimes" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\surrogateRuntime.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "surrogateRuntime" /sc ONLOGON /tr "'C:\Users\Default User\surrogateRuntime.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "surrogateRuntimes" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\surrogateRuntime.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\comReviewrefPerf\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\comReviewrefPerf\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\comReviewrefPerf\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\comReviewrefPerf\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\comReviewrefPerf\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\comReviewrefPerf\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\comReviewrefPerf\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\comReviewrefPerf\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\comReviewrefPerf\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\MoUsoCoreWorker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\MoUsoCoreWorker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\MoUsoCoreWorker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\it-IT\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\comReviewrefPerf\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\comReviewrefPerf\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\comReviewrefPerf\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\upfc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4412
  • C:\Program Files\Windows Security\upfc.exe
    "C:\Program Files\Windows Security\upfc.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:856
  • C:\comReviewrefPerf\winlogon.exe
    C:\comReviewrefPerf\winlogon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2720
  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe
    "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2308
  • C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4736
  • C:\comReviewrefPerf\fontdrvhost.exe
    C:\comReviewrefPerf\fontdrvhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3264
  • C:\Program Files\Windows Security\upfc.exe
    "C:\Program Files\Windows Security\upfc.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4400
  • C:\comReviewrefPerf\winlogon.exe
    C:\comReviewrefPerf\winlogon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3036
  • C:\Program Files\Reference Assemblies\Microsoft\MoUsoCoreWorker.exe
    "C:\Program Files\Reference Assemblies\Microsoft\MoUsoCoreWorker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3608
  • C:\Windows\it-IT\wininit.exe
    C:\Windows\it-IT\wininit.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2024
  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe
    "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3204
  • C:\Users\Admin\SendTo\WmiPrvSE.exe
    C:\Users\Admin\SendTo\WmiPrvSE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4600
  • C:\Users\Default User\surrogateRuntime.exe
    "C:\Users\Default User\surrogateRuntime.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2108
  • C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1916
  • C:\comReviewrefPerf\services.exe
    C:\comReviewrefPerf\services.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4864
  • C:\Program Files\Windows Security\upfc.exe
    "C:\Program Files\Windows Security\upfc.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5008
  • C:\comReviewrefPerf\winlogon.exe
    C:\comReviewrefPerf\winlogon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1548
  • C:\comReviewrefPerf\fontdrvhost.exe
    C:\comReviewrefPerf\fontdrvhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1892
  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe
    "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1688
  • C:\Program Files\Reference Assemblies\Microsoft\MoUsoCoreWorker.exe
    "C:\Program Files\Reference Assemblies\Microsoft\MoUsoCoreWorker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4492
  • C:\Program Files\Windows Security\upfc.exe
    "C:\Program Files\Windows Security\upfc.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3716
  • C:\comReviewrefPerf\winlogon.exe
    C:\comReviewrefPerf\winlogon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5048
  • C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:772
  • C:\Windows\it-IT\wininit.exe
    C:\Windows\it-IT\wininit.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2468
  • C:\comReviewrefPerf\fontdrvhost.exe
    C:\comReviewrefPerf\fontdrvhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:208
  • C:\Users\Admin\SendTo\WmiPrvSE.exe
    C:\Users\Admin\SendTo\WmiPrvSE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1472
  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe
    "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2496
  • C:\Users\Default User\surrogateRuntime.exe
    "C:\Users\Default User\surrogateRuntime.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4852
  • C:\comReviewrefPerf\winlogon.exe
    C:\comReviewrefPerf\winlogon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2192
  • C:\Program Files\Windows Security\upfc.exe
    "C:\Program Files\Windows Security\upfc.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1164
  • C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4596
  • C:\comReviewrefPerf\services.exe
    C:\comReviewrefPerf\services.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4976
  • C:\comReviewrefPerf\winlogon.exe
    C:\comReviewrefPerf\winlogon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:876
  • C:\Program Files\Reference Assemblies\Microsoft\MoUsoCoreWorker.exe
    "C:\Program Files\Reference Assemblies\Microsoft\MoUsoCoreWorker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4364
  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe
    "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5016
  • C:\Program Files\Windows Security\upfc.exe
    "C:\Program Files\Windows Security\upfc.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
    Filesize

    1KB

    MD5

    baf55b95da4a601229647f25dad12878

    SHA1

    abc16954ebfd213733c4493fc1910164d825cac8

    SHA256

    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

    SHA512

    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\surrogateRuntime.exe.log
    Filesize

    1KB

    MD5

    7f3c0ae41f0d9ae10a8985a2c327b8fb

    SHA1

    d58622bf6b5071beacf3b35bb505bde2000983e3

    SHA256

    519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

    SHA512

    8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

    Download Submit

  • C:\comReviewrefPerf\8WD994.bat
    Filesize

    42B

    MD5

    ff1d6e65d0b458accf2d7e9cf078f012

    SHA1

    4a7a0831b061ce2c72dfe5dbb8d3e06ef48fb9c4

    SHA256

    2a3d5e93e6c1c94626f81d252cf9e831a94337a8fc871efa3560fbe966e35580

    SHA512

    1888c69ad30ab13f71aee80de86aaebb04c1ee7b08bc4f8f5e41dc325399cdc1c3bb956d9401ea6c51b425305d2835fffcae60fc4b8644fab255c03f37431d15

    Download Submit

  • C:\comReviewrefPerf\Elw8H.vbe
    Filesize

    200B

    MD5

    a44fada9f313e0d6008aef960aeae861

    SHA1

    9217e79ff49d67baca484f5a5e9418cca3fb9b2e

    SHA256

    1e5c949fd2059fda331f7cd178a359f2ac4d4dd8cdae76543f21493b2ffb9d44

    SHA512

    800052e7c0cd62433bde0084b94ac3b44ddece5adc144c8e02a2e7dc8629b683ac3a94c6218bf61a595731d2dc1adf596c5bf101fc2d9c3723c3a099d2c853f7

    Download Submit

  • C:\comReviewrefPerf\surrogateRuntime.exe
    Filesize

    828KB

    MD5

    422e6efd4d4c62a97c78be894b85a535

    SHA1

    6de90977b41153d67fdca7a9119edf382d7e5414

    SHA256

    fddbbd909aeb6e9466e3c926f7773f23f84d392604a2619caa3f5a4c9d63eb8c

    SHA512

    1c545785df5e6be6b1142adb94cc6779020d409fddd429743eb69646b35a7acafadb2445218445bbc7e5c02171f1b531d9a7c623d834c18dd49161708529d388

    Download Submit

  • memory/2780-12-0x00007FFC268A3000-0x00007FFC268A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2780-13-0x0000000000DD0000-0x0000000000EA6000-memory.dmp

    Filesize

    856KB

    Download