Analysis
-
max time kernel
93s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-01-2025 17:21
Behavioral task
behavioral1
Sample
CrackWar.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
CrackWar.exe
Resource
win10v2004-20241007-en
General
-
Target
CrackWar.exe
-
Size
1.1MB
-
MD5
70af5fd7c9c21dfe942dbdcea82d7742
-
SHA1
59f6da38e354a8e8eb7d1b27d3dc069330586421
-
SHA256
41e9eebddfdeca09dbe3e0aa1b524984f717e56646e187cfac0aafab724b7350
-
SHA512
1780419416e9029153de19843b68f4e283d208734fad2931296f3fb6d60af728570a3eda16e0352f911b9ecf5fff75c28c6d0afc445ad06f10d15d794be9e01f
-
SSDEEP
24576:D2G/nvxW3WOMUtrgrOszTCNs3tYch25XbAujOjh:DbA3rtsrOTs725Qd
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1072 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4740 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 936 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5052 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3136 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3808 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4204 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 924 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4872 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 652 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1312 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 212 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4928 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2160 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3068 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1368 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1708 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1208 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3980 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3300 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4376 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2096 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2636 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1388 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4656 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3516 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 620 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4804 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4868 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2304 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4212 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 748 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3040 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 744 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1356 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1704 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1764 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3356 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3344 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2996 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3684 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1168 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1756 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 3648 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 3648 schtasks.exe 86 -
resource yara_rule behavioral2/files/0x0007000000023cb0-10.dat dcrat behavioral2/memory/3148-13-0x0000000000800000-0x00000000008D6000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation CrackWar.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation hyperportweb.exe -
Executes dropped EXE 2 IoCs
pid Process 3148 hyperportweb.exe 2908 services.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 16 pastebin.com 17 pastebin.com -
Drops file in Program Files directory 23 IoCs
description ioc Process File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe hyperportweb.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe hyperportweb.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\5940a34987c991 hyperportweb.exe File created C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe hyperportweb.exe File created C:\Program Files\Windows Photo Viewer\fr-FR\fontdrvhost.exe hyperportweb.exe File created C:\Program Files (x86)\Windows NT\Accessories\hyperportweb.exe hyperportweb.exe File created C:\Program Files\Internet Explorer\de-DE\cc11b995f2a76d hyperportweb.exe File created C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe hyperportweb.exe File created C:\Program Files\Microsoft Office\Office16\dllhost.exe hyperportweb.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6cb0b6c459d5d3 hyperportweb.exe File created C:\Program Files\Windows Photo Viewer\uk-UA\e6c9b481da804f hyperportweb.exe File created C:\Program Files (x86)\Windows NT\Accessories\10a3f0198382cd hyperportweb.exe File created C:\Program Files\Internet Explorer\de-DE\winlogon.exe hyperportweb.exe File created C:\Program Files\Google\Chrome\Application\5b884080fd4f94 hyperportweb.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cc11b995f2a76d hyperportweb.exe File created C:\Program Files (x86)\Windows Multimedia Platform\121e5b5079f7c0 hyperportweb.exe File created C:\Program Files\Microsoft Office\Office16\5940a34987c991 hyperportweb.exe File created C:\Program Files\Windows Photo Viewer\fr-FR\5b884080fd4f94 hyperportweb.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\dllhost.exe hyperportweb.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dwm.exe hyperportweb.exe File created C:\Program Files\Windows Media Player\Network Sharing\5940a34987c991 hyperportweb.exe File created C:\Program Files\Windows Photo Viewer\uk-UA\OfficeClickToRun.exe hyperportweb.exe File created C:\Program Files\Google\Chrome\Application\fontdrvhost.exe hyperportweb.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Provisioning\Autopilot\ea1d8f6d871115 hyperportweb.exe File created C:\Windows\CSC\SppExtComObj.exe hyperportweb.exe File created C:\Windows\Provisioning\Autopilot\upfc.exe hyperportweb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CrackWar.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings CrackWar.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings hyperportweb.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4872 schtasks.exe 620 schtasks.exe 1072 schtasks.exe 936 schtasks.exe 924 schtasks.exe 212 schtasks.exe 1764 schtasks.exe 4740 schtasks.exe 3684 schtasks.exe 1848 schtasks.exe 1852 schtasks.exe 1720 schtasks.exe 1976 schtasks.exe 2304 schtasks.exe 1168 schtasks.exe 4204 schtasks.exe 652 schtasks.exe 3516 schtasks.exe 744 schtasks.exe 1356 schtasks.exe 1588 schtasks.exe 748 schtasks.exe 2612 schtasks.exe 3300 schtasks.exe 2312 schtasks.exe 1704 schtasks.exe 1388 schtasks.exe 3344 schtasks.exe 1812 schtasks.exe 3136 schtasks.exe 2636 schtasks.exe 4656 schtasks.exe 4804 schtasks.exe 2996 schtasks.exe 2160 schtasks.exe 1516 schtasks.exe 1708 schtasks.exe 1208 schtasks.exe 3356 schtasks.exe 1312 schtasks.exe 3068 schtasks.exe 4212 schtasks.exe 3040 schtasks.exe 2868 schtasks.exe 4928 schtasks.exe 5052 schtasks.exe 1368 schtasks.exe 3980 schtasks.exe 4376 schtasks.exe 4868 schtasks.exe 2932 schtasks.exe 1756 schtasks.exe 2096 schtasks.exe 3808 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 3148 hyperportweb.exe 2908 services.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3148 hyperportweb.exe Token: SeDebugPrivilege 2908 services.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2740 wrote to memory of 4572 2740 CrackWar.exe 82 PID 2740 wrote to memory of 4572 2740 CrackWar.exe 82 PID 2740 wrote to memory of 4572 2740 CrackWar.exe 82 PID 4572 wrote to memory of 528 4572 WScript.exe 83 PID 4572 wrote to memory of 528 4572 WScript.exe 83 PID 4572 wrote to memory of 528 4572 WScript.exe 83 PID 528 wrote to memory of 3148 528 cmd.exe 85 PID 528 wrote to memory of 3148 528 cmd.exe 85 PID 3148 wrote to memory of 4896 3148 hyperportweb.exe 141 PID 3148 wrote to memory of 4896 3148 hyperportweb.exe 141 PID 4896 wrote to memory of 1172 4896 cmd.exe 143 PID 4896 wrote to memory of 1172 4896 cmd.exe 143 PID 4896 wrote to memory of 2908 4896 cmd.exe 144 PID 4896 wrote to memory of 2908 4896 cmd.exe 144 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\CrackWar.exe"C:\Users\Admin\AppData\Local\Temp\CrackWar.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\chainComponentDrivercrtSvc\fTEzQC.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\chainComponentDrivercrtSvc\PiYRPhZuk.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:528 -
C:\chainComponentDrivercrtSvc\hyperportweb.exe"C:\chainComponentDrivercrtSvc\hyperportweb.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A0Wv11r62Y.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1172
-
-
C:\chainComponentDrivercrtSvc\services.exe"C:\chainComponentDrivercrtSvc\services.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\chainComponentDrivercrtSvc\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\chainComponentDrivercrtSvc\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\chainComponentDrivercrtSvc\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\chainComponentDrivercrtSvc\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\chainComponentDrivercrtSvc\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\chainComponentDrivercrtSvc\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Autopilot\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\Autopilot\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperportwebh" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\hyperportweb.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperportweb" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\hyperportweb.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperportwebh" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\hyperportweb.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\chainComponentDrivercrtSvc\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\chainComponentDrivercrtSvc\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\chainComponentDrivercrtSvc\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\chainComponentDrivercrtSvc\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\chainComponentDrivercrtSvc\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\chainComponentDrivercrtSvc\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207B
MD5e5ad8b4856d3ce5b490d543021a828b9
SHA1e54db3e6febecb09580ecd7b5b7f0fc866274a33
SHA25660da4e9ae53f74eca2c098d52b3901d9749cf22881582809890ddaa366d04e0b
SHA512647591956c4e1fcbbac83e2447feaeb73d0ccb1a74742fda539fef2f9b184eaa8003c47c100a1c7c60312c8b4b73db7e7304e897f6c224d04a87c6660428b61d
-
Filesize
48B
MD5b1ab6a7e31b4927d986775c649f6df67
SHA1ce790334e0cdea15cfc35968bcf765a414fae52f
SHA25694c766f181373d3ef1bd63c5922ac2274cd62d8be126fd39eca379cf397cda5b
SHA512209a84f30b5c93507aaba370378d68cd107970a9f9ad0a48e6b0ac9c0d55a74a9c5efc94f2676be0f6a24e70f035634b5564d8536d90c58d31ae9725dd690c34
-
Filesize
212B
MD50cd6e6fb2cf3645d424b240ebeacd243
SHA18484b11c8db59b7649a9da1ae68dbf5afdf30fb2
SHA2569734be42a3c477dfb503420de98e5cc4382546b304ea83fe9c8dda3812f189b8
SHA512cfe4eccfd02d70cf614b7384cfdce129e97b758ef816ea6147349d7a207997d710d5d4a18080e5bd64e0fc4c9077590c972257e530fc1b09bedf5d058cbf6ef5
-
Filesize
827KB
MD51ed95d587e7f763c515ca9ac41a7f9f4
SHA1e2b1e58c598e5f87101ac60faf593100f5d6f68a
SHA256c87d9a868fc97ee9bc42652c209f5e8d5cf65f4045886026474d2247e4e443b9
SHA5123c334d78696d2b0b20906b31e22059138d5189863df296b6af57aca629557153c457bd083152a71584f32c2d804a278b31b3f96af9c2f104a127addfa715d0a2