Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-01-2025 12:30
General
-
Target
SAMP_CHEAT_ATVECHAU2.exe.bin.exe
-
Size
2.2MB
-
MD5
be4ae5e0b545e43608ae6a60ce297871
-
SHA1
ded512ee44ed38b7a6541b4e1d797387a27a5d93
-
SHA256
076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533
-
SHA512
45aafc3ec5787b1bf143a1d6b9f8ce79447157879c684849486d87a3a7b357862688016809277ff2c9e57a6d06a0613e12009c5a279d07ced4ecc3b3bc9cd0c3
-
SSDEEP
24576:2TbBv5rUyXVoEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObx5:IBJvZ+qwOZFM+aJJbL+iNuuMxoyW29L
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SAMP_CHEAT_ATVECHAU2.exe.bin.exe"C:\Users\Admin\AppData\Local\Temp\SAMP_CHEAT_ATVECHAU2.exe.bin.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\msportComWin\BridgePortsurrogateserverref.exe"C:\msportComWin/BridgePortsurrogateserverref.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fbqx23rp\fbqx23rp.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES781D.tmp" "c:\Windows\System32\CSCC87F0DDCBF9E4799AAA2A639447DD946.TMP"6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GGA3gcfYy4.bat"5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTvWQnNRQU.bat"7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7yfvayqnt7.bat"9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat"11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XJaDrOzS3U.bat"13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat"15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wh6Yr0oKcq.bat"17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfaLCNk3Y7.bat"19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m2M6WqyfOt.bat"21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9O9rrJCHDg.bat"23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7laNmMQDQm.bat"27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZLKnXXaim4.bat"29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 7 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgePortsurrogateserverref" /sc ONLOGON /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 14 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251B
MD507ff6c675bec6fa093aa982fb88cd0fa
SHA1b750f7645d351c414ea8a3df9b9fdacef6d97250
SHA2568018bbe697d623a6f3717310eff49ccf009116f78bd7b448653f0cc8049fc300
SHA512bf4d03dde1b5051cfa0c2d1a0aaa9e3e14555dbb7947f3da8ec8494bcce121e84cef1f097c3f9b3d67dacab364defd8c43684d5d46ccacaaba3ed2be84562a06
-
Filesize
203B
MD5fd141b63b1a1a0f6f52937be88e439ab
SHA11d04b32eac1afe70328c9e6bfeeb6f1687638f9d
SHA2567856d6c5fdce4b72a5e78228350f8ffb596ba645a86816c19770e7d1a180d0ad
SHA51283a537ffa06be33539820c2926f164482eb5d198de8df21e2d901ae2222d1e510e715387df4cb518f11b6668f6971545d6bcc3d7c05bc4f78eb88dcfddbd6bce
-
Filesize
203B
MD5647cb06b3ba2f2dd2ce276c6d516d330
SHA19c13ef95c8243082933d23f88445bc117fda842e
SHA25672e27f4f11f9123cd973d062647f8cad89cc912cb91e10731e024261253b8c84
SHA512b4545fcfbe4aa407ef18e36a2ff25cfd5ad24bae8d5042dd3fd30029d8cc16209603f2767e0346794db99ad5f19b2d54717ab6868bf03b0cbc3fb2ef5693a932
-
Filesize
251B
MD58295adc3a0fef9130e5cb710b8498607
SHA1608b6c4619cc08bcb218dc0d20228d9655f618a0
SHA256ce6e3483a80cb68f2da19f60dd984fe58c69076c113ffa2f7ea655f5ace2de7f
SHA5124293cc04450aedfbd8c3eb29cfff432fe89d49883226214ba13fb4ff0245f7854a93b52baef52cdc18a930b5fef405007f7efde7ecc80d16483685fd80b6a69f
-
Filesize
203B
MD5166b1f9a45deb2d6531b085a055fe35a
SHA128d42e51f33a87f642378a774994eebd18fe4dd0
SHA25634629caffd478917f1c8546caa7ab3a3474c09223e3dd81126d94d139251e66d
SHA512a374b87a9cdd5b17651ae65b49e59eeecdb90487f3538428ed0d16c1082708fc931a2f2b028ac447276f2941a675b85b6b444631e235af12b63dd946ee5ef22f
-
Filesize
251B
MD50250ae5368962cba51205b2a7b98027e
SHA1c150286d1bfad0645100096f1c880ceac1ad7232
SHA2566456340719d767a567fd3a82006ade829ba9b6230e84e6711419c6f4fc7430fb
SHA512e878598b1cb681de32bc04406c84c2a907aee7888fbbb740cf7a5f078b10b6b2bfe50293b8e14a745af879181391b83232cdea78441584ec4a4faa6d50253358
-
Filesize
203B
MD597153454e25f42a565867089d1d86f45
SHA1477cc2ac09fd860e3c32cae7e5620b0fe196ecee
SHA256970aa14ab8d62aa305b7362ab56717816ed4990db259781d24b4e889e4f04842
SHA51219b0dbe553f40da1476ef70e448020c7051cc2d1a8257b25cf605c4d3329a8766ab8a07c0e5fd6de3592ab3a36e32a397655ea9f07bff0d248998cdfb02d31f5
-
Filesize
251B
MD51ef69a09c2bed7e9c484da54223cdc28
SHA15c261bce82ad5d25e6383d60ef2fd0fd4ad9affa
SHA2566d9a58a381ee75e64a154dd0bb1e70aad5ffc0b83588b404fe7a503a5406d38f
SHA512bc40832672ab3a4bece6c10d2611416916a79c7c43ab23833948f99623380bacf967990679fdc020d933ded8afb1942a78475cefe497134f114eca514ed3c4a6
-
Filesize
251B
MD5bd1ffff5ebf9efbe47436d25494e585b
SHA1e2f8e278f937d1943d0bed9492bf3662224642cd
SHA2569f6d58c06ab2f9da4d4b2e58ca1fd16821f942c198017eed8ed4b83e88add5ea
SHA51201bbb13e22c20a92338cc0ccb3f594f9007f0f9580c261ad888616a8c1d237e25922e00a29c14b04de17006b77c39bd454211c834bfe82700f111e92aece6f01
-
Filesize
1KB
MD50d283d5b6fda79e048cd56d41d085545
SHA13eb7e951446d3abac0b7651e17472b6fc25cf310
SHA256d2e475d5eab013800aeed6f9b5f58b87f546e97eb0d42fdfb9354fb238075be2
SHA512f4d91070021217faea86bc3f6a353637e54ec85d970c96fe2f7503b5862e9a1b4559cdc04dc9e2f545ed5ddcf00718a6a20958bf8e4028591af5c29d384f1449
-
Filesize
203B
MD54bb17fcf19c12ef4fd84afd54fd16ebd
SHA146b7dd0426aa8dbe956ddf0bcdd2cd457e8c4257
SHA256ddcb78b68f675452a74068f949b41c56c8303007f4b9797d012a092b78de0459
SHA512eb845a00a454567c4b3b739c527f1440eff12dfc5ca9d5ef08e043d1fcfd23b263e68f773d80c6e96baa9f615a096f443cd69cdde07bf7af7e9e20649dccc0c3
-
Filesize
251B
MD591dc03fccfdb96e120d9acf86f6a7b3f
SHA10cb9963803f65a1bea386ef154169456a0add477
SHA2566cb5c19ccd24b44775bac7d741ae0b9c107d7588fcab3029a12b056254f04762
SHA512fccf781061bc7e0a7e21c583265eda6159b3cb07bc22b55f0a479cbc2644942d8735c86509ae6bde03a4633f888071d9dd6520145b6296ccf4dd7443a8f48e6a
-
Filesize
251B
MD570f063d86b2a07b91843742dd17dd367
SHA1a3cb7a617bc2f5935d18acec7df535e13fed3b42
SHA2565b967e9bbf18f918fa42dc2e47314f926e2eb35e9f895b773f6f5c724d020c7e
SHA512e263048af0b36bb204bb3e159f9a09165906d9aaafd189de133d42071ae337533dc5a2a817b7261ef9f6a4e73a3e323386f60c277d1532a283ef58bff5018325
-
Filesize
251B
MD5bc4a7a292908cffbe6cda158f67029c1
SHA13e092253ea4ec01e4491a123afa9204d27ff2d46
SHA2561c1e062f3e8650cc1a556e8eab4fde0a58d643d2d4a90ef68313ce192e95869b
SHA512465650241edde3173e6ac0c46755608001579d22a6eeb7d9bb4d41032def7d3c20be20355ff2d8877e4ba47842022e6af37af07f88355e99d20a32ea9c951ed7
-
Filesize
7KB
MD57853294d27d9946ab3e07fb259bcc084
SHA18fc5d8392b26cd56390445e89467d753a7cd438a
SHA2565705032e0de06f88b5cf49c1093afcef0e61149c57b94d56376d4641c2ff6761
SHA5126e334b2ce8f2af4c559f7914a13f022fe80ebbfa6c6db1601a718274a510e228165fa87d11d86779e0be953bc4cf1df8914417cd4ae8dcee7de778a8e08d2ec6
-
Filesize
1.9MB
MD55f80a11e82cc7495cf5ad7df3d052721
SHA13a20eb31195a97cf5da7d3c20c1b8c4913b95a13
SHA256851aa5f3636700f9bb71a4c0d040255f19871ba306f87d9f66b39f3b207ec15b
SHA5127acdd2a4f5170212beabeba86dcb7a6be74c4c83815db3bb328d6541f6a259ec3c6ff469f103eb125163371f103ae3060404e1c34622f2d4d9cb34d2cc7b3c0d
-
Filesize
114B
MD5ec4930435249e865ec0910b90ce34010
SHA1e00242ba6b91abe0291ee6c003c7cda9f280a20c
SHA256aecaccc8288e076efa186171eab1ce946b8c0438e607f00a442b04e1e080dfbb
SHA512f1bb3a20bd279b62b94349d253b64a4bb9227fa214785e265b5f5457a552bddb141faea48109ed80a6d77f34c8ba68fd2911daa178893daee52259e89a6b80aa
-
Filesize
248B
MD5528d2d62b3a0a43e28f6c5bc9e59fb49
SHA1b8347b3f11fdb951bf4c930bef813180c42f98c1
SHA2569d271ddb2a3de2347db1800f94865bab4758e8f89760f7f0fc6368eb14a9597b
SHA512a208e41f97a080ab5550632daa10ac7d4d43ca603207406df14e749765662089f38ff52feced3083dbcb08daa2821e9fc6df511fa1a1f18b4b9e8e38f68fa171
-
Filesize
365B
MD53de860348a22784a349feccfdf126efb
SHA132448156de131a5ffa8d7cef483031fc1822d3c7
SHA256fb68044bfe5b554c6d362a3d71fc34607781a2691762a15aa146635512c15c37
SHA5123d7f4e3d3bb6f7df088bae45fc6b7576c98bc335e1dbd00825c645b478bca086c0c06eaa55244f295dc7baa0f6507e60bd3c57feae4e4b73e63faf011f74fac7
-
Filesize
235B
MD5c2c8ac960087318008ae82afaf747e6a
SHA1154d6741a412d65bf5f0b9e263085d9480e6d24e
SHA256812ce866501b2ed8419460ccf7b3664324517ab991abb8c9478fe72fdc2fb3ac
SHA512cdae55475351edadc938a12e9e0a71bb1774b58be3bc3ad7ea2104f7e03a0920f2177669ce61c37f7bbcee9bfc4a85d4fec4e251830a4ed8e8468dc1b973f792
-
Filesize
1KB
MD5167c870490dc33ec13a83ebb533b1bf6
SHA1182378ebfa7c8372a988dee50a7dd6f8cda6a367
SHA2563f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6
SHA5121b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB