Analysis
-
max time kernel: 32s
max time network: 54s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250113-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 23/01/2025, 15:13
Static task: static1
Behavioral task: behavioral1
Sample: CrackNursultan (2).exe
Resource: win10ltsc2021-20250113-en
General
-
Target: CrackNursultan (2).exe
Size: 2.1MB
MD5: e9b8ce25037c26fe63171b24f06d04ec
SHA1: e33459bc02a1cd4824bb9f44c89b05dce7e20cec
SHA256: e7706dd5f9b91a20bc5881f9efd75af166942828a426879343df9454f767ece9
SHA512: ace3e8a023c6247b4e52cd09560c7c7f45af357dcaa14f26452741cddb2d09d94816b0e6bc79edefb03aa6e169385f0dfd039feba0e781a0e0884a3859100ef4
SSDEEP: 24576:2TbBv5rUyXVs/ZFmQyOMPaRILC9j5oaKACNnAuuyGf2YnSeqjEwJdAXf0YaHssOq:IBJ8zAE9x5KNlueYSKdPNBp1rsvf
Malware Config
Signatures
-
DcRat
DarkCrystal (DcRat) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
bridgeblocksurrogateServer.exe rewrote \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell six times (each a Set value (str)), appending one more quoted path per write. Winlogon starts every program in this comma-separated list at logon, so the final value launches explorer.exe plus the six binaries the sample also registers through Run keys and scheduled tasks. Final value:
explorer.exe, "C:\Users\Default\Desktop\unsecapp.exe", "C:\bridgeMsHyperServersaves\upfc.exe", "C:\Recovery\OEM\SearchApp.exe", "C:\Users\Admin\Start Menu\fontdrvhost.exe", "C:\Users\Default\Desktop\dllhost.exe", "C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe"
Writes in order, each adding:
1. "C:\Users\Default\Desktop\unsecapp.exe"
2. "C:\bridgeMsHyperServersaves\upfc.exe"
3. "C:\Recovery\OEM\SearchApp.exe"
4. "C:\Users\Admin\Start Menu\fontdrvhost.exe"
5. "C:\Users\Default\Desktop\dllhost.exe"
6. "C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe"
unsecapp.exe, upfc.exe, SearchApp.exe, fontdrvhost.exe and dllhost.exe are all names of legitimate Windows binaries, but none of these paths is where Windows keeps them (the Default user's Desktop, C:\Recovery\OEM, the Admin user's Start Menu and a custom top-level directory), which is the quickest way to tell these entries apart from the real ones.
-
Process spawned unexpected child process 18 IoCs
This signature normally indicates the parent process was compromised via an exploit or macro. Here the parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 2228), the WMI provider host, which becomes the parent of any process created through WMI (for example Win32_Process.Create). The more likely reading is therefore that the sample launched schtasks.exe via WMI rather than through a direct CreateProcess, which is also why the 18 schtasks.exe instances sit at the root of the process tree instead of under bridgeblocksurrogateServer.exe.
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2228) is not expected to spawn schtasks.exe (procid_target 86); child PIDs: 1500, 3424, 3180, 3204, 716, 788, 2996, 3672, 2636, 2424, 1744, 4752, 1944, 3868, 4600, 732, 4920, 3800
-
Checks computer location settings 2 TTPs 3 IoCs
Reads the country code configured in the registry (Control Panel\International\Geo\Nation), commonly used for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation, by CrackNursultan (2).exe, WScript.exe and bridgeblocksurrogateServer.exe
-
Executes dropped EXE 2 IoCs
PID 1812 bridgeblocksurrogateServer.exe; PID 3684 bridgeblocksurrogateServer.exe
-
Adds Run key to start application 2 TTPs 12 IoCs
bridgeblocksurrogateServer.exe set the same six entries (Set value (str)) under both the machine and the user Run key, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
- bridgeblocksurrogateServer = "C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe"
- unsecapp = "C:\Users\Default\Desktop\unsecapp.exe"
- upfc = "C:\bridgeMsHyperServersaves\upfc.exe"
- SearchApp = "C:\Recovery\OEM\SearchApp.exe"
- fontdrvhost = "C:\Users\Admin\Start Menu\fontdrvhost.exe"
- dllhost = "C:\Users\Default\Desktop\dllhost.exe"
-
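The Winlogon\Shell writes and the Run-key writes above are the two registry autostart locations this sample uses, and both arrive in the report as "Set value (str)" rows with one layer of backslash escaping. The Python below is an added example, not code from tria.ge or from the sample: it parses rows of that shape (a constructed handful modeled on the ones listed, plus one ordinary-looking row to show the filter staying quiet), unescapes the data, splits Winlogon's comma-separated program list, and flags any entry that is not explorer.exe, sits outside a trusted root, or reuses a Windows image name outside its home directory. The trusted roots and the list of reused image names are assumptions for the heuristic, not values taken from the report.

```python
import re

# Constructed sample rows modeled on the "Set value (str)" IoCs in this report
# (the third Winlogon\Shell write plus two Run-key writes, and one benign-looking
# row added to show the filter staying quiet). Not a raw sandbox export.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Desktop\\unsecapp.exe\", \"C:\\bridgeMsHyperServersaves\\upfc.exe\", \"C:\\Recovery\\OEM\\SearchApp.exe\"" bridgeblocksurrogateServer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Desktop\\unsecapp.exe\"" bridgeblocksurrogateServer.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\"" bridgeblocksurrogateServer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "\"C:\\Windows\\System32\\SecurityHealthSystray.exe\"" explorer.exe',
]

# One row: Set value (str) <key>\<value name> = "<escaped data>" <writing process>
EVENT_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = "(?P<raw>.*)" (?P<proc>\S+)$'
)
# Entries inside the data: a double-quoted path or a bare token such as explorer.exe.
ENTRY_RE = re.compile(r'"([^"]*)"|([^,\s"]+)')

# Assumptions for the heuristics (not from the report): directories treated as trusted
# roots, and the Windows image names this sample reuses for its dropped files.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_IMAGE_NAMES = {"unsecapp.exe", "upfc.exe", "searchapp.exe", "fontdrvhost.exe", "dllhost.exe"}


def parse_event(line):
    """Return {key, name, entries, proc} for one row, or None if it is not a Set value row."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    # The report escapes backslashes and quotes inside the data; undo that one layer.
    data = re.sub(r"\\(.)", r"\1", m["raw"])
    entries = [quoted or bare for quoted, bare in ENTRY_RE.findall(data)]
    return {"key": m["key"], "name": m["name"], "entries": entries, "proc": m["proc"]}


def reasons_for(path, context):
    """Why one autostart entry deserves attention; an empty list means it looks ordinary."""
    low = path.lower()
    out = []
    if context == "winlogon_shell":
        out.append("winlogon_shell_extra")  # anything beside explorer.exe in Shell
    if not low.startswith(TRUSTED_ROOTS):
        out.append("untrusted_path")  # user-writable or otherwise unusual directory
    if low.rsplit("\\", 1)[-1] in SYSTEM_IMAGE_NAMES and not low.startswith(TRUSTED_ROOTS):
        out.append("masquerade")  # Windows image name outside the directory Windows keeps it in
    return out


def triage(lines):
    """Run every row through the autostart heuristics; one finding per flagged entry."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key_low = ev["key"].lower()
        if key_low.endswith("\\winlogon") and ev["name"].lower() == "shell":
            # Winlogon starts every comma-separated program in Shell. explorer.exe is the
            # default, so a replaced shell is caught exactly like an appended one.
            context = "winlogon_shell"
            entries = [e for e in ev["entries"] if e.lower() != "explorer.exe"]
        elif key_low.endswith("\\currentversion\\run"):
            context, entries = "run_key", ev["entries"]
        else:
            continue
        for entry in entries:
            reasons = reasons_for(entry, context)
            if reasons:
                findings.append({"entry": entry, "key": ev["key"], "proc": ev["proc"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["proc"], "->", f["entry"], ",".join(f["reasons"]))
```

On the constructed rows this reports five entries (the three Winlogon additions and the two Run values), each tagged both untrusted_path and masquerade, and stays silent on the SecurityHealthSystray row because it lives under C:\Windows. The same parser works unchanged on the other Set value rows in this report.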
Drops file in System32 directory 2 IoCs
csc.exe created \??\c:\Windows\System32\hyotfa.exe and \??\c:\Windows\System32\CSC115069E4A73E414AAB1828EE5A5C34AA.TMP
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographic location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by CrackNursultan (2).exe, WScript.exe and cmd.exe
-
Modifies registry class 2 IoCs
Key created: \REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000_Classes\Local Settings, by CrackNursultan (2).exe and by bridgeblocksurrogateServer.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 1500, 788, 2636, 4920, 3424, 2424, 4752, 1744, 1944, 3868, 3180, 716, 2996, 3672, 3204, 4600, 732, 3800
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 1812 bridgeblocksurrogateServer.exe, repeated 64 times
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, enabled by PID 1812 bridgeblocksurrogateServer.exe and PID 3684 bridgeblocksurrogateServer.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Every write goes from a parent into a child it had just created and maps one-to-one onto the process tree below, so these are consistent with ordinary process start-up (the parent populating the new process) rather than cross-process injection:
- PID 1432 CrackNursultan (2).exe wrote to 3708 WScript.exe (procid_target 81), 3 writes
- PID 3708 WScript.exe wrote to 1200 cmd.exe (90), 3 writes
- PID 1200 cmd.exe wrote to 1812 bridgeblocksurrogateServer.exe (92), 2 writes
- PID 1812 bridgeblocksurrogateServer.exe wrote to 1328 csc.exe (96), 2 writes
- PID 1328 csc.exe wrote to 2504 cvtres.exe (98), 2 writes
- PID 1812 bridgeblocksurrogateServer.exe wrote to 3292 cmd.exe (114), 2 writes
- PID 3292 cmd.exe wrote to 2924 chcp.com (116), 2 writes
- PID 3292 cmd.exe wrote to 2676 w32tm.exe (117), 2 writes
- PID 3292 cmd.exe wrote to 3684 bridgeblocksurrogateServer.exe (118), 2 writes
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
The leading number is the depth in the tree; the quoted line under each image is its command line.

1  C:\Users\Admin\AppData\Local\Temp\CrackNursultan (2).exe  (PID 1432)
   "C:\Users\Admin\AppData\Local\Temp\CrackNursultan (2).exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\WScript.exe  (PID 3708)
      "C:\Windows\System32\WScript.exe" "C:\bridgeMsHyperServersaves\8aU1Ht2JGPOaPOAacGdrdRd2tVHIcbmBVM.vbe"
      The command line names System32, but the image that ran is the SysWOW64 copy: the parent is a 32-bit process, so WOW64 file system redirection applies.
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe  (PID 1200)
         C:\Windows\system32\cmd.exe /c ""C:\bridgeMsHyperServersaves\dmYoBflZKuj0WytFkBvrEdy5GIZt.bat" "
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe  (PID 1812)
            "C:\bridgeMsHyperServersaves/bridgeblocksurrogateServer.exe"
            - Modifies WinLogon for persistence
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 1328)
               "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ctjihkrh\ctjihkrh.cmdline"
               csc.exe driven by a .cmdline response file under %TEMP%, followed by cvtres.exe, is the footprint of .NET runtime compilation (CodeDom / CSharpCodeProvider). The compiled output landed in System32 (see "Drops file in System32 directory"), which requires an elevated token.
               - Drops file in System32 directory
               - Suspicious use of WriteProcessMemory

               6  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 2504)
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF136.tmp" "c:\Windows\System32\CSC115069E4A73E414AAB1828EE5A5C34AA.TMP"

            5  C:\Windows\System32\cmd.exe  (PID 3292)
               "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nTZrWZMheg.bat"
               - Suspicious use of WriteProcessMemory

               6  C:\Windows\system32\chcp.com  (PID 2924)
                  chcp 65001

               6  C:\Windows\system32\w32tm.exe  (PID 2676)
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  w32tm /stripchart against localhost with a short sample count is a common stand-in for a sleep before the batch file's next step, here the re-launch of the dropped binary.

               6  C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe  (PID 3684)
                  "C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe"
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
-
The 18 schtasks.exe instances below all sit at depth 1 (parent wmiprvse.exe, PID 2228) and each carries the same two tags: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task. Every command line has the form

schtasks.exe /create /tn "<name>" /sc <schedule> [/mo <n>] /tr "'<target>'" [/rl HIGHEST] /f

and each of the six targets gets three tasks: one ONLOGON task with /rl HIGHEST and two MINUTE tasks that re-launch it every few minutes, one without and one with /rl HIGHEST. Because the two MINUTE tasks share a task name and use /f, the second one replaces the first, so what survives per target is one ONLOGON task and one MINUTE task, both at the highest run level.

PID   Task name                    Schedule        /rl      Target
1500  unsecappu                    MINUTE /mo 14   -        C:\Users\Default\Desktop\unsecapp.exe
3424  unsecapp                     ONLOGON         HIGHEST  C:\Users\Default\Desktop\unsecapp.exe
3180  unsecappu                    MINUTE /mo 14   HIGHEST  C:\Users\Default\Desktop\unsecapp.exe
3204  upfcu                        MINUTE /mo 8    -        C:\bridgeMsHyperServersaves\upfc.exe
716   upfc                         ONLOGON         HIGHEST  C:\bridgeMsHyperServersaves\upfc.exe
788   upfcu                        MINUTE /mo 13   HIGHEST  C:\bridgeMsHyperServersaves\upfc.exe
2996  SearchAppS                   MINUTE /mo 5    -        C:\Recovery\OEM\SearchApp.exe
3672  SearchApp                    ONLOGON         HIGHEST  C:\Recovery\OEM\SearchApp.exe
2636  SearchAppS                   MINUTE /mo 12   HIGHEST  C:\Recovery\OEM\SearchApp.exe
2424  fontdrvhostf                 MINUTE /mo 6    -        C:\Users\Admin\Start Menu\fontdrvhost.exe
1744  fontdrvhost                  ONLOGON         HIGHEST  C:\Users\Admin\Start Menu\fontdrvhost.exe
4752  fontdrvhostf                 MINUTE /mo 8    HIGHEST  C:\Users\Admin\Start Menu\fontdrvhost.exe
1944  dllhostd                     MINUTE /mo 6    -        C:\Users\Default\Desktop\dllhost.exe
3868  dllhost                      ONLOGON         HIGHEST  C:\Users\Default\Desktop\dllhost.exe
4600  dllhostd                     MINUTE /mo 8    HIGHEST  C:\Users\Default\Desktop\dllhost.exe
732   bridgeblocksurrogateServerb  MINUTE /mo 13   -        C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe
4920  bridgeblocksurrogateServer   ONLOGON         HIGHEST  C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe
3800  bridgeblocksurrogateServerb  MINUTE /mo 6    HIGHEST  C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe
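The schtasks.exe table above, together with the "Process spawned unexpected child process" and "Scheduled Task/Job" signatures, is a pattern a detection engineer can score directly from process-creation telemetry: a parent of wmiprvse.exe, a /create with both an ONLOGON and a MINUTE schedule for the same target, /rl HIGHEST, and a target outside the Windows or Program Files trees. The Python below is an added example, not code from tria.ge or from the sample. It runs over constructed process-creation events modeled on this report (three of the wmiprvse.exe children for one target, plus an ordinary task creation from cmd.exe with invented PIDs as the quiet case); the event field names, the trusted roots, and the scoring weights are assumptions of the example, not values the report defines.

```python
import re
from collections import defaultdict

# Constructed process-creation events modeled on this report's tree: three of the
# schtasks.exe children of wmiprvse.exe (PID 2228) for one target, plus one ordinary
# task creation from cmd.exe (invented PIDs) so the scoring has a quiet case. Not a sandbox export.
EVENTS = [
    {"pid": 1500, "ppid": 2228, "parent": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\unsecapp.exe'" /f'''},
    {"pid": 3424, "ppid": 2228, "parent": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Desktop\unsecapp.exe'" /rl HIGHEST /f'''},
    {"pid": 3180, "ppid": 2228, "parent": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\unsecapp.exe'" /rl HIGHEST /f'''},
    {"pid": 5100, "ppid": 4000, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "NightlySync" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe" /f'''},
]

# Switches that matter for persistence triage; a value is either double-quoted or a bare token.
OPT_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)
# Assumption (not from the report): roots below which a task target is considered unremarkable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_schtasks_create(cmdline):
    """Return {tn, sc, mo, tr, rl} from a 'schtasks /create' line, or None for other invocations."""
    if "/create" not in cmdline.lower():
        return None
    opts = {}
    for switch, value in OPT_RE.findall(cmdline):
        # The report's lines wrap the /tr path as "'path'"; strip both quoting layers.
        opts[switch.lower()] = value.strip('"').strip("'")
    return opts


def summarize(events):
    """Group every schtasks /create by its target binary and collect the signals per target."""
    per_target = defaultdict(lambda: {
        "tasks": [], "schedules": set(), "highest": False,
        "unexpected_parent": False, "untrusted_path": False,
    })
    for ev in events:
        if not ev["image"].lower().endswith("\\schtasks.exe"):
            continue
        opts = parse_schtasks_create(ev["cmdline"])
        if not opts or "tr" not in opts:
            continue
        target = opts["tr"].lower()
        t = per_target[target]
        t["tasks"].append(opts.get("tn", "?"))
        t["schedules"].add(opts.get("sc", "?").upper())
        t["highest"] |= opts.get("rl", "").upper() == "HIGHEST"
        # wmiprvse.exe is the parent of processes created through WMI; a user-driven
        # schtasks normally comes from cmd.exe, powershell.exe or a console session.
        t["unexpected_parent"] |= ev["parent"].lower().endswith("\\wbem\\wmiprvse.exe")
        t["untrusted_path"] |= not target.startswith(TRUSTED_ROOTS)
    return dict(per_target)


def score(summary):
    """Assumed weights: the ONLOGON + MINUTE pair for one target is the strongest single signal."""
    points = 2 if {"ONLOGON", "MINUTE"} <= summary["schedules"] else 0
    return points + int(summary["highest"]) + int(summary["unexpected_parent"]) + int(summary["untrusted_path"])


def alerts(events, threshold=3):
    """Sorted targets whose combined score reaches the threshold."""
    return sorted(t for t, s in summarize(events).items() if score(s) >= threshold)


if __name__ == "__main__":
    for target, s in summarize(EVENTS).items():
        print(score(s), target, sorted(s["schedules"]), s["tasks"])
```

On the constructed events the unsecapp.exe target collects all four signals (score 5) while the robocopy task scores 0, so only the former is returned by alerts(). The grouping by target rather than by task name is deliberate: this sample reuses the same task name for two tasks and uses six different names for one persistence scheme, so a per-name rule would see six weak events instead of one strong pattern.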
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
Filesize: 1KB
MD5: 3472240ba9018b36cebbb3fa4d9ecde2
SHA1: fa7d94af70df8bd1719c25cc1485c093354e3cb6
SHA256: 4ff5eaa183765d37205065b36b4212117fe7cc93216a5cdc88649d8943b4f449
SHA512: 4ac5bedcf0e686dd86e82ca4dc02f6ec0b5a3a5dd06056856dee7ef230f3abbf37e8237a08f3d9d31e24bf9c8a21eca04a824846a2f5bd50d6defd470a53db3a
-
Filesize: 1KB
MD5: 8c8386085480092250476d4b48a893b9
SHA1: c488328032ade7648ea2f787478ae6e301d9ba72
SHA256: 2361b8b7231de42266fba1fdcd2b7d4ffa152232edb15067cbba2eaf8e65fb2d
SHA512: fd7f8b6e1a5f6a9ba1a55dee710d4a3c4fc566ef9190739b0571d56e1d7067571e05a2ad5b0a818a9507dadcf355051dc5a91d1feb444bd1c81dbb1d1ee1cc82
-
Filesize: 234B
MD5: 8f8ba20a0562829e3948435751916ace
SHA1: 9e34e3ab1ee23ff59067d30e8295c82b9f8729bd
SHA256: 6a7c823df0144ade7039e85650b0da54a2354efd8d764d4745af864961046edd
SHA512: 9b4bd6c83092f00acd4a0dd53cbca8c686ccc66918394958ab254594abfcf002e40ba7938395e06b4177ef8a1b6010251daaafabad3729f50aee7fc446c71c89
-
Filesize: 231B
MD5: ee9dbcbdf3bea0aa067657fc427f311d
SHA1: 2fa9586b66a720bde1de53a8f3748f2b3488b7bc
SHA256: db75336fe141a767a78d6461ff1ad7b1366edc73c8c220d1aa9e1a5338d82793
SHA512: 4db077f0bc0bdf24b32e4c1b2d43ce1f65666d68d4762090e54534b8b47ded35855d304599eaef35d44531604577d120a98859aa9759d68421350805dd0e1313
-
Filesize: 1.8MB
MD5: 9fff2599728f7a89e003899e01dc5f96
SHA1: d76587d6504cdaa13c5645602dc52dc4ea26f381
SHA256: 29916607d62a33514dc43b137788d90f0db59bf2943f19fcee50867b8455ddbb
SHA512: 8793bb247a0e888adcf0f534392c7e6c8549111ac5ebebf79ca4028b20b85d4583cb96ca9b444fa16625718caf4d929f35061791090384eb88444f1428989cf1
-
Filesize: 104B
MD5: dae798d37141fc446a8618bcda6c9e09
SHA1: bc4ded12200267bbb3e03e70d61e601ce9b43f4e
SHA256: 207b1a4a610b6007bdd9f18b82fdc9d3dd2e15d9eac96984fd00a5188646b7e1
SHA512: 8e9861790a1a0ddbb09df0b7646ae7cd5257f62cafb766c8d03d90e75401d93f445c667df47daacd048e9cd6e23d45ed5af60137403b3b49bde646e4f5cd30a0
-
Filesize: 369B
MD5: 9e846830a5e793cfbd198a45018cb7f2
SHA1: 5f82036bf2cfbff74b1b8ef8e517c9dc018a51f3
SHA256: 5365424fea85344b877f56aaed8988db558e643e18291ba2195718831a21a555
SHA512: 94107231278f5c5036911e711a19c2d485247d29b27d4f15a3de0b8eec2904cf37a938df2f18ef2f328fe6967a38ae3ca91c1267efd7209b160db29b7e1e5f43
-
Filesize: 235B
MD5: 722c13dfc2f35cb9da8e9a503127c6b6
SHA1: 569c2b7b4f421cea248e824241e1672a0f70c50d
SHA256: 9c9da8a611b8c9770e7ca0e4d0d5fbb5ac2dbccf4ac34bcb167dada6602ea911
SHA512: b593bc71680b28597de9c9af09e42918195b2534780a4e776fe2619c80977717e5a0e6d78af2ac7b70b1f7d8e50c28796675d3ce97b7538f1364d188060b73af
-
Filesize: 1KB
MD5: 2a16f9c51fd2d80a216b5684e263650f
SHA1: 7aaa9f96182e91584c17e7ba9ebfe2b3cf9c1ecb
SHA256: d8f3f017a2f66e367cd6ffde3a56e0512b23007d109003b26d502f74749ea742
SHA512: a4fd5d7cb8f77ac95863b12407ed4433e8c62ceda705cbea37c559a0b2def6ed993b235129ab5531332651ac1810519be9880e3292d794f7fe6e21ea01f1e735