Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12-01-2025 13:59
General
-
Target
6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
-
Size
1.7MB
-
MD5
0624cb81236f6a0e8d0487a766458088
-
SHA1
36ea7baa5b367c60269eb1a277bd5ad4bc41b54b
-
SHA256
6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8
-
SHA512
742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553
-
SSDEEP
49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:OTHUxUoh1IF9gl2M
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 7 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Drops file in Program Files directory 30 IoCs
-
Drops file in Windows directory 16 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe"C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vm6AyPTELC.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67334af0-ab18-46ae-9e29-e087708f8664.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f700269a-5876-4307-8953-dc001eeb95a4.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34ec47c3-7e41-4290-8266-b67b8f656c9f.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13bcad8f-70cb-49b5-8a1d-1fda64777956.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b97b3595-54b7-4f17-97d8-221bf3d30d33.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b64989-7a99-4cd6-b45d-b8414d0cf552.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9768e8a-2e14-4a21-a670-0549308b3fde.vbs"16⤵
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2c978d6-c2eb-43a8-a646-dec85acd5951.vbs"18⤵
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61d3a7d3-f808-4a7f-b072-194ad6a51285.vbs"20⤵
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d940619d-f4dd-438c-802b-5bacbe6a0d05.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bfa11ab-0b08-46f9-9035-52e2e61b67a0.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f41e957-e329-4f64-9732-35b0dfb4c614.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8593e207-f75f-4e04-ba3f-2a484d40b4a3.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d983d16b-ea45-4af4-9919-32ac673143a1.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9d4088d-21d3-4d49-ab20-f67c2c67c9c0.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b6db53a-815f-4e47-bbcc-058f731abd41.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c87781c-4f05-41e9-8f89-9135c67f191a.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e76a0edd-47aa-405c-9cca-e6355f0267ce.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\CbsTemp\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\CbsTemp\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD50624cb81236f6a0e8d0487a766458088
SHA136ea7baa5b367c60269eb1a277bd5ad4bc41b54b
SHA2566854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8
SHA512742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553
-
Filesize
1.7MB
MD52e7cf358b2c689089b87b955c41b20da
SHA15ad2a3fb03a68a9e2631f10bc32faf830cdcad4b
SHA2569f40627446d6d84852b247814f35eae5beb9ffaf604506db3057507e27dd92ed
SHA5127714e3929fe6d5bfb83003e1dde9875382149e4d8382408cb8a67fa6f69727c1abde38820da02dab0b5d1b860f25a839bb8a2500e4631a28452d4010bb6d74ff
-
Filesize
1.7MB
MD548830c90c7797fc072b54e4feef91e4b
SHA156da503a36b995de016affe71844f89462bd86ad
SHA256ada09c4b0f269df74d9fdd11bef8830f78d68ee05860487627017af1c33a9eb6
SHA512006d4411335996b83dc775cf55d77360daf3bdd67a08cd2925b3ca5e81029c7909121d64855674047c5fd9615b9638101cbc4bb36c302b456c34fc0247813dff
-
Filesize
1.7MB
MD5369f00fa66cee5382c44c7250db5f93a
SHA1a7a61e454b232fbb167c2d8d8965705d509aa0ee
SHA256115ad1760fd90bf5f2ea04993e9eb08488540a8d60de538113f44b2b2ac1f7a0
SHA5122fb2deb0f69c03c67dfd99eb5d7251533daf32d14eb0fd38bb8b044735f51ae199859d959a8472153abda3e5efc94c59fcc29aa8653c2c56fe4f4b73e0506db8
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
750B
MD57d04142961db4a9590284b050cd035c0
SHA10c14d69a20237e314c11b6c6e00f0643f5bb79dd
SHA2569a40e8761acb5c21b311c54abedf8a3fc799c077fa7af56b6ab217a42d647222
SHA512a88ab6fd628cc03ecc3889f3959b16feb47f9c77618f515177afc950f0b6044fa445bdf4617eb9f6d5152768b76e56b125ba8fc5a392d5ad5b1ebc14c7e5e0df
-
Filesize
750B
MD50c97094f0183f87a2be3530e55efb493
SHA1f95df99ff65c3321740a28df3ee6225761dba160
SHA256cb5d4a69e331e687e5b79312cd876071bdd0597d8b678d2b8924c3eb9595caa9
SHA512437b26e46d1c6daa40f9f60578ffde7908a6b21ae77102ff5b758590f56d25ecd355b44d162fb7542a478ee8971ab5a061340d808bd3b375f0663f27701d50dc
-
Filesize
750B
MD506dbd1610cf8497f18f6213ad564f700
SHA17e54f2a95124c436959a6bda20c29b74013e5124
SHA256ebf3510d684e2d60adec09a5ca92035b4e3810fb268f27982696df303bc722b8
SHA5128a07216338d941c89350b6fe22959642d7b16d0b70fcfd73ac4934f8fadbd36dcaab3f4e937fee38629585ae056f3c8e10aa543c5da97705842f2963f1321f2b
-
Filesize
750B
MD5311977ea611e653c39e1e60287c3a1db
SHA10a001ab349442f07e3682818581dc25e08944aa5
SHA256ab094c349a38499b08b6e6f5747bf2aedc286c71fdf879d5210547486feb8ae1
SHA512a92f584f1eea73380e1cc2552c4a0eac575f52b1584dd5db69958e6420fa1eedb91a7d6424be6153e3c61e660c08fe16d7bcb7a13cc7c4313a0e352bb1ada6ed
-
Filesize
239B
MD5b3707bade894bf8669d3c33945681c83
SHA18dded8feccc776b0d3204070cf5632592b568f6a
SHA2562bb9e97999c6c8345df2f86d6fa341497ebc73b43fe1bfd55c86c3ed97be4bd2
SHA512afd17571f66a1cb96ccc43f72bc15d03146429983b90348c0d5b5a9af110e44a66983d2c34683ee901645debc5611ed3ae683aae956754f0512e13a0e0a39182
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
750B
MD5e840277d8104b6d725d0e7b898354133
SHA1473671a4c2fc7bd2408ebe86bea1a392231e95d3
SHA2562e0e1be2b2f32ed03ef92dc7df4aa8495f5f21201ff314b618b8e57451302b70
SHA512397f3017f9e4ca83cb33bdc8149fbaaa0e2cb0dd1f7ea7f3cfd4bcd4cc2e86fad267171ca56710cab385c66d971b70ae8e9984bf2ed1cbe203acc8219d956e08
-
Filesize
750B
MD586e946efc878002233b95f0c4a0a3716
SHA13300147faff984d9f90e19f8e0ac92d37f071911
SHA2560f311e24200155a82cce830134650629ecc1362ca2e856635c3fc94bb5a823eb
SHA512aff8d39dca82062c215f8f49cca4a93bbbd99bcac132da4f4d4a1cda38b0af9501d99e94a33c851415501a95d9460f616f8a8c9d80291dcbc117d20b0006b13f
-
Filesize
750B
MD502fbb9abab2bd2cc06a4f00d46d853b5
SHA1b52666081374354cc22b28f277c22e2bb4c892c7
SHA256b6eb04264009435a83fd8151bc2f5f02c3820b8b5bd44728e7780224cfbb156c
SHA512c7401b464617ec7037a26258578dbd68e0ff3c6cd1e717acd670c32d8f51f853f3705dee485c68c25f4da0d672753e8d877597c13ebe6b4e4f9e9f0a820bdf8f
-
Filesize
750B
MD5589f427b360d22e693d717ee6598fa29
SHA1bd02755731fe1d16320b665df226a55c0307be64
SHA256d6679e69a03d82ba31a281c74197629214c815ab9069070dd9cad38c6e7ef5f7
SHA51284b47fe0ae1ba7547b130a89ed43c606ef5e8bf4013c2fe997442b7a175cdb1989b0ae0989055a6d5c9cb250d27984740a2b907ff54fdd4565153cb3b30fd177
-
Filesize
526B
MD529adcaf560a2cf6d55c971fe1dfe5087
SHA11fe39b613268859f3f52c26d32e3f493db564005
SHA2560add9d3aebfc3959631fc857e9fb2c2eab206c4cb94e1fe05eae153c16c3ac79
SHA5126ae3c297031f69471c5b4cd8bc0abe951fee9d73c0f55769f64a3b8ce9d9ffddcc88495b3d796cc4b614d15e8f530f9f9cffefa821eb3f50a7e2ad8ec02c2840
-
Filesize
750B
MD57bbdce3181a86815b4c773917776cbf3
SHA1c8e110300ef6f01c3cbc435b83748287485f8e1e
SHA256569c6cc665f14b860680d4cbb46d8fcc33f3b4c42440ebe5fe36bd15f9d55965
SHA5126eee73a872f0481945f6e4bd3bf6f877bfcf8aa8d02ffe4cb6c199817b1ed6c2083151914b799d277a69fb160846d4d7eba4955ed9255c4d678bda4150ffd9a5
-
Filesize
1.7MB
MD5999e1acf02faa961f299125173f4751c
SHA1692bd56d3ce4b6874ef8046926ab59578cc85a0a
SHA25686f3910c36fcd84ef6f4f7102ecac9eb4bb49a253b962e8476a4e04456293a5b
SHA512abc77ab6e23f8dd50758ecb610b78925fc6ce95d387625a6f48c8a9320743be486517eeda9e53e18137c7aaa9c6282b818f516981381d175520053219650d905
-
Filesize
136KB
-
Filesize
1.8MB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
1.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
8KB