Analysis
max time kernel
138s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted
19/11/2023, 01:16
Behavioral task
behavioral1
Sample
11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe
Resource
win10v2004-20231023-en
General
Target
11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe
Size
1.1MB
MD5
200fbe006c4bd2254f52a2511351db06
SHA1
a861260bf97882d4c9bcd8c8ff20f55bd76ede83
SHA256
11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358
SHA512
cd17043118609474bd3206fee19448defab1dea375a19d7547b5282348ee5474aa827fd61adcaa1adc47886dfbf69636d0c4aa806f2c42639ed0807a29cb15fa
SSDEEP
24576:U2G/nvxW3Ww0tAz3pfv5IOTh+hGBJgHUvhMUo+VdiYm:UbA30Y3nVd5xTo+8
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
pid   pid_target  Process       procid_target  description
3956  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4920  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1648  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2068  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4344  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
5068  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1568  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4644  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3360  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3208  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
5112  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3008  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3588  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
872   4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4508  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4792  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1112  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
756   4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4812  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
216   4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3020  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3912  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4652  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2644  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4196  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3664  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4452  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4668  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4316  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3476  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3764  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3084  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1840  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1260  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4596  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
60    4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1792  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
5004  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4288  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1728  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2936  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4988  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4800  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4556  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3948  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2256  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4152  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2664  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
4068  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3320  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1924  4840        schtasks.exe  98             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
resource                                                                      yara_rule
behavioral2/files/0x0007000000022cf7-10.dat                                   dcrat
behavioral2/files/0x0007000000022cf7-11.dat                                   dcrat
behavioral2/memory/3212-12-0x00000000009D0000-0x0000000000AA6000-memory.dmp   dcrat
behavioral2/files/0x0006000000022cfe-17.dat                                   dcrat
behavioral2/files/0x0006000000022d02-59.dat                                   dcrat
behavioral2/files/0x0006000000022d02-57.dat                                   dcrat
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation  11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation  msblock.exe
Executes dropped EXE 2 IoCs
pid   Process
3212  msblock.exe
4920  conhost.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
45    ipinfo.io
44    ipinfo.io
Drops file in Program Files directory 6 IoCs
description   ioc                                                           Process
File created  C:\Program Files\Windows Portable Devices\upfc.exe            msblock.exe
File created  C:\Program Files\Windows Portable Devices\ea1d8f6d871115      msblock.exe
File created  C:\Program Files\VideoLAN\VLC\lua\meta\reader\Registry.exe    msblock.exe
File created  C:\Program Files\VideoLAN\VLC\lua\meta\reader\ee2ad38f3d4382  msblock.exe
File created  C:\Program Files (x86)\Google\Update\upfc.exe                 msblock.exe
File created  C:\Program Files (x86)\Google\Update\ea1d8f6d871115           msblock.exe
Drops file in Windows directory 7 IoCs
description   ioc                                                  Process
File created  C:\Windows\LanguageOverlayCache\dllhost.exe          msblock.exe
File created  C:\Windows\es-ES\fontdrvhost.exe                     msblock.exe
File created  C:\Windows\es-ES\5b884080fd4f94                      msblock.exe
File created  C:\Windows\SKB\wininit.exe                           msblock.exe
File created  C:\Windows\SKB\56085415360792                        msblock.exe
File created  C:\Windows\PolicyDefinitions\ja-JP\fontdrvhost.exe   msblock.exe
File created  C:\Windows\PolicyDefinitions\ja-JP\5b884080fd4f94    msblock.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2256  schtasks.exe
1568  schtasks.exe
3664  schtasks.exe
3208  schtasks.exe
4920  schtasks.exe
3360  schtasks.exe
216   schtasks.exe
2068  schtasks.exe
4196  schtasks.exe
3320  schtasks.exe
5004  schtasks.exe
2936  schtasks.exe
4644  schtasks.exe
3588  schtasks.exe
756   schtasks.exe
3912  schtasks.exe
1260  schtasks.exe
1792  schtasks.exe
1648  schtasks.exe
1112  schtasks.exe
4652  schtasks.exe
4316  schtasks.exe
3764  schtasks.exe
3948  schtasks.exe
3956  schtasks.exe
5068  schtasks.exe
2644  schtasks.exe
4344  schtasks.exe
4452  schtasks.exe
1840  schtasks.exe
4596  schtasks.exe
4668  schtasks.exe
3084  schtasks.exe
872   schtasks.exe
3476  schtasks.exe
60    schtasks.exe
4988  schtasks.exe
4068  schtasks.exe
4792  schtasks.exe
2664  schtasks.exe
5112  schtasks.exe
4508  schtasks.exe
3020  schtasks.exe
4800  schtasks.exe
4152  schtasks.exe
3008  schtasks.exe
4812  schtasks.exe
4556  schtasks.exe
1924  schtasks.exe
4288  schtasks.exe
1728  schtasks.exe
Modifies registry class 1 IoCs
description  ioc                                                                          Process
Key created  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings  11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid   Process
3212  msblock.exe
3212  msblock.exe
3212  msblock.exe
3212  msblock.exe
3212  msblock.exe
4920  conhost.exe
4920  conhost.exe
4920  conhost.exe
4920  conhost.exe
4920  conhost.exe
4920  conhost.exe
4920  conhost.exe
4920  conhost.exe
4920  conhost.exe
4920  conhost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
4920  conhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  3212  msblock.exe
Token: SeDebugPrivilege  4920  conhost.exe
Suspicious use of WriteProcessMemory 10 IoCs
description                       pid   Process                                                                procid_target
PID 4896 wrote to memory of 4044  4896  11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe  91
PID 4896 wrote to memory of 4044  4896  11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe  91
PID 4896 wrote to memory of 4044  4896  11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe  91
PID 4044 wrote to memory of 4420  4044  WScript.exe                                                            95
PID 4044 wrote to memory of 4420  4044  WScript.exe                                                            95
PID 4044 wrote to memory of 4420  4044  WScript.exe                                                            95
PID 4420 wrote to memory of 3212  4420  cmd.exe                                                                97
PID 4420 wrote to memory of 3212  4420  cmd.exe                                                                97
PID 3212 wrote to memory of 4920  3212  msblock.exe                                                            151
PID 3212 wrote to memory of 4920  3212  msblock.exe                                                            151
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4896

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\driverPerf\g4pK8s1dCKS6KxkAWsMtWcT.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 4044

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\driverPerf\Tt0xWJ2ZExmQ.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4420

      C:\driverPerf\msblock.exe
        Command line: "C:\driverPerf\msblock.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3212

        C:\odt\conhost.exe
          Command line: "C:\odt\conhost.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          PID: 4920

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\odt\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3956

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4920

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1648

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2068

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4344

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5068

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1568

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\odt\conhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4644

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3360

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\upfc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3208

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5112

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3008

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3588

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 872

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4508

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4792

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1112

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 756

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4812

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 216

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3020

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3912

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4652

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2644

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4196

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SKB\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3664

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4452

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4668

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4316

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3476

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3764

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3084

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1840

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1260

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4596

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 60

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1792

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5004

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4288

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\odt\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1728

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2936

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4988

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\Registry.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4800

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4556

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3948

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2256

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Links\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4152

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2664

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\upfc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4068

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3320

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1924
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
826KB
MD5
dee33f30963672c3ced45d21865491e7
SHA1
32ba23ca2c1a5a417598e74f40ea3f565af576a5
SHA256
d4fbd231478b43f169e0fc0ae2f08d13bae4e0918d11265e417f4d8d0e44e394
SHA512
2f028b8ef81b194a77e29f894a9eb990f7b68faef7731c6b8abea4a7000210c8e755e34beae362a93eff45deb03b686921fb923955f64a2ff99ec65c9622c704

Filesize
27B
MD5
500c80074d17912910553f55d7b055da
SHA1
6f162d1302f47e6602253c6d15cd3c0d80809168
SHA256
23a5a450f50a53f642fece0d41d53836338eb3b0ea30b12fba65b2f68c2a55ec
SHA512
a139df792b36b179378ccb21cce89d89eaa4a43a35c45916bfbded939436bd2d391f11ec368fcd0620623db0bcb43fcf7ea47e03f24db52093eabf8d1ff5a1d9

Filesize
199B
MD5
3804e3ae55ee7bf3584bb2b6709de114
SHA1
4b5cf16a8fd49ca13c22e0088e223fddc4fd84ae
SHA256
cc35cdbd169f4ac11ca2550a61aefa051b3407347d8e0798209212649657aa19
SHA512
dba42db3ee28ea3ad40d2440c0c116c064751eea148607dd9043126ba3de75b2d58abb0a7f890193eb6ebb0d1c02d7928e72a73ca40fa5b4ab8389110e6835fb