Analysis
max time kernel: 139s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2024 19:31
Behavioral task behavioral1: Sample z2DYSM12rQX8EmA4l5Eobd3.exe, Resource win7-20231215-en
Behavioral task behavioral2: Sample z2DYSM12rQX8EmA4l5Eobd3.exe, Resource win10v2004-20231215-en
General
Target: z2DYSM12rQX8EmA4l5Eobd3.exe
Size: 1.5MB
MD5: 813189503ba0d948993203ca259d5810
SHA1: 5553917d633963716eda6954c50a8ff0efd01cfb
SHA256: c4ec5d7b7a9bf60de2c201ebaca15ef8da3590033d4abc42fa402bcd2e5abd79
SHA512: 8e46d84b7da61eed6f4b78023ed4b5deefe4324a1e1a985f46ebd496063abb5dc208f4a3008f7761b46cc9decb19846e8ea21c62b3490e6c5fb777a57ac13338
SSDEEP: 24576:ceaMajUi+6C+mDjn7gbkFaSH7Wu4mIWGE1Sy/fBEXTHhaTEEER71RM4I13:ceaj9bHmMbkBHVdGE1Sy/ujhaIh+1
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins. The dcrat YARA rule matched the in-memory image of the submitted process (PID 1732) and two of the files it dropped, so the dropped copies carry the same family code.

resource | yara_rule
behavioral2/memory/1732-0-0x00000000007D0000-0x000000000095E000-memory.dmp | dcrat
behavioral2/files/0x000600000002310d-30.dat | dcrat
behavioral2/files/0x000600000002276d-151.dat | dcrat

Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Read it with care here: the parent in every one of the 48 hits is C:\Windows\system32\wbem\wmiprvse.exe (PID 1304), the WMI provider host, and every child is schtasks.exe. That parent/child shape is what process creation through WMI (for example Win32_Process.Create) looks like, so the more likely explanation is that the .NET sample asked WMI to run schtasks for it, not that WmiPrvSE itself was exploited. Treat that as the hypothesis to confirm, since the report shows the parent relationship only.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | (one row per PID below) | 1304 | schtasks.exe | 87

PIDs of the 48 schtasks.exe children, in report order (the same order as the schtasks command lines listed under Processes): 2676, 3416, 2612, 3164, 2968, 4480, 4016, 2272, 1680, 1296, 640, 3464, 4620, 2892, 1492, 4704, 2736, 3952, 876, 2288, 3760, 2636, 1112, 1992, 2976, 2972, 1244, 2208, 260, 1960, 760, 4084, 944, 4540, 3000, 1552, 5052, 3780, 212, 4460, 1496, 4000, 3432, 2292, 3436, 2512, 3240, 3588
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | z2DYSM12rQX8EmA4l5Eobd3.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | z2DYSM12rQX8EmA4l5Eobd3.exe
Executes dropped EXE 1 IoCs
pid | Process
3436 | Idle.exe
Drops file in Program Files directory 36 IoCs
Process for every row: z2DYSM12rQX8EmA4l5Eobd3.exe
- File opened for modification: C:\Program Files (x86)\Google\explorer.exe
- File created: C:\Program Files\Windows Defender\27d1bcfc3c54e0
- File created: C:\Program Files\Windows Photo Viewer\es-ES\55b276f4edf653
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\explorer.exe
- File created: C:\Program Files (x86)\Google\explorer.exe
- File opened for modification: C:\Program Files\Windows Defender\System.exe
- File opened for modification: C:\Program Files\Windows Security\Idle.exe
- File opened for modification: C:\Program Files\Windows Photo Viewer\es-ES\StartMenuExperienceHost.exe
- File created: C:\Program Files (x86)\Windows Photo Viewer\fr-FR\eddb19405b7ce1
- File created: C:\Program Files\Windows Photo Viewer\es-ES\StartMenuExperienceHost.exe
- File opened for modification: C:\Program Files\Windows Photo Viewer\es-ES\RCXFC77.tmp
- File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\fr-FR\backgroundTaskHost.exe
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\RCXFFE5.tmp
- File opened for modification: C:\Program Files\Windows Security\RCX4CA.tmp
- File opened for modification: C:\Program Files\Windows Security\sysmon.exe
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\7a0fd90576e088
- File opened for modification: C:\Program Files\Windows Security\RCXF02A.tmp
- File created: C:\Program Files\ModifiableWindowsApps\unsecapp.exe
- File created: C:\Program Files\Windows Security\sysmon.exe
- File created: C:\Program Files (x86)\Google\7a0fd90576e088
- File opened for modification: C:\Program Files\Windows Defender\RCXEDB6.tmp
- File opened for modification: C:\Program Files\Windows Security\RCXF009.tmp
- File opened for modification: C:\Program Files (x86)\Google\RCX962.tmp
- File created: C:\Program Files (x86)\Windows Photo Viewer\fr-FR\backgroundTaskHost.exe
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\explorer.exe
- File opened for modification: C:\Program Files\Windows Security\RCX4EA.tmp
- File created: C:\Program Files\Windows Security\6ccacd8608530f
- File opened for modification: C:\Program Files\Windows Photo Viewer\es-ES\RCXFC97.tmp
- File opened for modification: C:\Program Files (x86)\Google\RCX973.tmp
- File created: C:\Program Files\Windows Defender\System.exe
- File created: C:\Program Files\Windows Security\Idle.exe
- File created: C:\Program Files\Windows Security\121e5b5079f7c0
- File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXE6E9.tmp
- File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXE6FA.tmp
- File opened for modification: C:\Program Files\Windows Defender\RCXEDE5.tmp
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\RCXFEAC.tmp
Drops file in Windows directory 20 IoCs
Process for every row: z2DYSM12rQX8EmA4l5Eobd3.exe
- File created: C:\Windows\Provisioning\Autopilot\fontdrvhost.exe
- File created: C:\Windows\SchCache\9e8d7a4ca61bd9
- File opened for modification: C:\Windows\Provisioning\Autopilot\RCXE91E.tmp
- File opened for modification: C:\Windows\Provisioning\Autopilot\fontdrvhost.exe
- File created: C:\Windows\Speech\e6c9b481da804f
- File opened for modification: C:\Windows\Provisioning\Autopilot\RCXE94E.tmp
- File opened for modification: C:\Windows\Speech\RCXF81F.tmp
- File opened for modification: C:\Windows\SchCache\RCX2A6.tmp
- File opened for modification: C:\Windows\SchCache\RCXFA44.tmp
- File opened for modification: C:\Windows\SchCache\RuntimeBroker.exe
- File created: C:\Windows\Provisioning\Autopilot\5b884080fd4f94
- File created: C:\Windows\SchCache\RuntimeBroker.exe
- File created: C:\Windows\SchCache\69ddcba757bf72
- File opened for modification: C:\Windows\Speech\RCXF7DF.tmp
- File opened for modification: C:\Windows\Speech\OfficeClickToRun.exe
- File opened for modification: C:\Windows\SchCache\RCXFA33.tmp
- File opened for modification: C:\Windows\SchCache\smss.exe
- File created: C:\Windows\Speech\OfficeClickToRun.exe
- File created: C:\Windows\SchCache\smss.exe
- File opened for modification: C:\Windows\SchCache\RCX296.tmp
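The two drop lists above share one shape that is worth hunting for on other hosts: an executable named after a Windows system binary (smss.exe, winlogon.exe, RuntimeBroker.exe, fontdrvhost.exe and so on) written to a directory where that binary never lives, with a 14-hex-character extensionless companion file and RCX*.tmp transients beside it. The Python below is an added example written for this page, not sandbox output and not DcRat code. The expected-location table is this example's assumption about a default Windows 10 layout, and the event list is a constructed subset of the IoCs above plus one invented benign row (the genuine smss.exe in System32) as a control.

```python
"""Hunt helper for the file-drop IoCs: system-binary names dropped outside
their real directories, plus the companion and transient files beside them."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories where genuine binaries of these names live on a default
# Windows 10 install. ASSUMPTION of this example, not taken from the report;
# an empty set means no Windows component ships under that name.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
    "upfc.exe": {r"c:\windows\system32"},
    "musnotification.exe": {r"c:\windows\system32"},
    "unsecapp.exe": {r"c:\windows\system32\wbem"},
    "explorer.exe": {r"c:\windows"},
    "sysmon.exe": {r"c:\windows"},  # Sysinternals Sysmon default location, if installed
    "startmenuexperiencehost.exe": {
        r"c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
    "system.exe": set(),
    "idle.exe": set(),
}

# Constructed event list: (action, path) pairs copied from the IoC lists
# above, plus one invented benign row as a control.
SAMPLE_FILE_EVENTS = [
    ("File created", r"C:\Windows\SchCache\smss.exe"),
    ("File created", r"C:\Windows\SchCache\69ddcba757bf72"),
    ("File opened for modification", r"C:\Windows\SchCache\RCXFA33.tmp"),
    ("File created", r"C:\Program Files\Windows Defender\System.exe"),
    ("File created", r"C:\Program Files\Windows Defender\27d1bcfc3c54e0"),
    ("File created", r"C:\Windows\Provisioning\Autopilot\fontdrvhost.exe"),
    ("File opened for modification", r"C:\Windows\System32\drivers\etc\hosts"),
    ("File opened for modification", r"C:\Windows\System32\smss.exe"),  # benign control
]

HEX_COMPANION = re.compile(r"^[0-9a-f]{14}$")          # e.g. 27d1bcfc3c54e0
STAGING_TMP = re.compile(r"^RCX[0-9A-F]{3,4}\.tmp$", re.I)  # e.g. RCXFA33.tmp


def classify(path):
    """Return a one-line verdict for a dropped-file path, or None if nothing stands out."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in EXPECTED_DIRS:
        allowed = EXPECTED_DIRS[name]
        if not allowed:
            return "no legitimate Windows binary has this name"
        if parent not in allowed:
            return f"masquerades as {p.name}, which normally lives in {sorted(allowed)[0]}"
        return None  # the real binary in its real place
    if HEX_COMPANION.match(name):
        return "14-hex-character companion file with no extension"
    if STAGING_TMP.match(p.name):
        return "RCX*.tmp transient file alongside a dropped executable"
    if name == "hosts" and parent.endswith(r"\drivers\etc"):
        return "hosts file modified (name resolution can be redirected or blocked)"
    return None


def triage(events):
    """Group verdicts by directory so the drop-plus-companion pattern is visible per location."""
    by_dir = defaultdict(list)
    for action, path in events:
        verdict = classify(path)
        if verdict:
            p = PureWindowsPath(path)
            by_dir[str(p.parent)].append((action, p.name, verdict))
    return dict(by_dir)


if __name__ == "__main__":
    for directory, rows in triage(SAMPLE_FILE_EVENTS).items():
        print(directory)
        for action, name, verdict in rows:
            print(f"  {action:<28} {name:<24} {verdict}")
```

Running it on the constructed events leaves the System32 copy of smss.exe unreported and groups the SchCache drop with its companion and transient files, which is the view a responder wants when deciding which directories to collect. On a live host the same classify() can be applied to a recursive directory walk of C:\Windows and both Program Files trees.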
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process (all 48 are schtasks.exe)
3416, 2736, 3952, 2976, 3588, 4460, 3436, 2968, 4016, 1296, 3464, 876, 760, 3240, 4084, 944, 1680, 2636, 2972, 1244, 260, 1960, 5052, 4000, 2512, 3760, 3000, 3432, 2292, 2676, 4620, 1492, 4704, 1552, 2612, 2272, 2288, 1992, 1496, 3164, 2892, 1112, 3780, 212, 4480, 640, 2208, 4540
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | z2DYSM12rQX8EmA4l5Eobd3.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1732 | z2DYSM12rQX8EmA4l5Eobd3.exe (the same row repeated 64 times; every hit is the submitted process)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1732 | z2DYSM12rQX8EmA4l5Eobd3.exe
Token: SeDebugPrivilege | 3436 | Idle.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1732 wrote to memory of 1324 | 1732 | z2DYSM12rQX8EmA4l5Eobd3.exe | 142 (listed twice)
PID 1324 wrote to memory of 3780 | 1324 | cmd.exe | 144 (listed twice)
PID 1324 wrote to memory of 3436 | 1324 | cmd.exe | 145 (listed twice)
All three pairs are a parent writing into a child it has just created, which process creation does for every spawn; the rows confirm the parent/child links in the process tree rather than indicating injection into a foreign process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
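The two process signatures above (WmiPrvSE.exe spawning schtasks.exe, and schtasks /create used for persistence) are straightforward to turn into detection logic. The Python below is an added example written for this page, not sandbox code and not anything from the DcRat project. It runs over constructed process-creation records whose field names (pid, parent_pid, image, parent_image, cmdline) are this example's own; three of the records copy PIDs, images and command lines from this report, the fourth is an invented benign control, and the parent PID given for the sample itself is made up.

```python
"""Detection logic for WMI-spawned schtasks and schtasks-based persistence,
run over constructed Sysmon-style process-creation records."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed records. Field names are this example's own. Rows 2 and 3
# reproduce the report's first two schtasks processes; row 4 is an invented
# benign task creation from an interactive cmd.exe.
SAMPLE_EVENTS = [
    {"pid": 1732, "parent_pid": 4120,  # parent PID assumed
     "image": r"C:\Users\Admin\AppData\Local\Temp\z2DYSM12rQX8EmA4l5Eobd3.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\z2DYSM12rQX8EmA4l5Eobd3.exe"'},
    {"pid": 2676, "parent_pid": 1304,
     "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f'''},
    {"pid": 3416, "parent_pid": 1304,
     "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f'''},
    {"pid": 5100, "parent_pid": 5000,
     "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
]

WMI_HOST = "wmiprvse.exe"
# Children that WmiPrvSE.exe does not launch in normal operation.
LOLBIN_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse_schtasks_create(cmdline):
    """Return the /create options of a schtasks command line, or None if it is not a /create."""
    if not re.search(r"(?i)/create\b", cmdline):
        return None

    def opt(name):
        # value is either a double-quoted string or a single bare token
        m = re.search(rf'(?i)/{name}\s+("[^"]*"|\S+)', cmdline)
        return m.group(1).strip('"').strip("'") if m else None

    mo = opt("mo")
    return {
        "name": opt("tn"),
        "schedule": (opt("sc") or "").upper(),
        "modifier": int(mo) if mo and mo.isdigit() else None,
        "target": opt("tr"),
        "run_level": (opt("rl") or "LIMITED").upper(),
        "force": re.search(r"(?i)\s/f(\s|$)", cmdline) is not None,
    }


def name_mimics_target(task_name, target):
    """Task named after the target binary, optionally with its first letter appended (Idle -> Idle, IdleI)."""
    if not task_name or not target:
        return False
    stem = PureWindowsPath(target).stem
    return task_name in (stem, stem + stem[:1])


def analyse(events):
    """Return (pid, reason) findings; pid is None for cross-event findings."""
    findings, by_target = [], defaultdict(list)
    for ev in events:
        child, parent = basename(ev["image"]), basename(ev["parent_image"])
        if parent == WMI_HOST and child in LOLBIN_CHILDREN:
            findings.append((ev["pid"], f"{child} spawned by {WMI_HOST} (process creation via WMI, e.g. Win32_Process.Create)"))
        if child != "schtasks.exe":
            continue
        task = parse_schtasks_create(ev["cmdline"])
        if task is None:
            continue
        if task["target"]:
            by_target[task["target"].lower()].append(task)
        reasons = []
        if task["run_level"] == "HIGHEST":
            reasons.append("runs with highest privileges")
        if task["schedule"] == "MINUTE" and (task["modifier"] or 0) <= 15:
            reasons.append(f"re-launches every {task['modifier']} min")
        if task["force"]:
            reasons.append("/f silently replaces an existing task of the same name")
        if name_mimics_target(task["name"], task["target"]):
            reasons.append("task name derived from the target binary name")
        if reasons:
            findings.append((ev["pid"], f"schtasks /create '{task['name']}' -> {task['target']}: " + "; ".join(reasons)))
    # Layered persistence: one target registered both at logon and on a minute cadence.
    for target, tasks in by_target.items():
        if {"ONLOGON", "MINUTE"} <= {t["schedule"] for t in tasks}:
            findings.append((None, f"{target}: {len(tasks)} tasks covering ONLOGON and MINUTE schedules"))
    return findings


if __name__ == "__main__":
    for pid, reason in analyse(SAMPLE_EVENTS):
        print(f"{pid if pid is not None else '-':>5}  {reason}")
```

The benign DAILY task from cmd.exe produces no finding, while each of the two report rows produces one finding for the WmiPrvSE parent and one for the task itself, plus a cross-event finding once both schedules for C:\Recovery\WindowsRE\Idle.exe are seen. The parent check is the higher-fidelity rule: an administrator does create tasks with /rl HIGHEST, but WmiPrvSE.exe launching schtasks.exe is rare outside WMI-driven tooling.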
Processes

C:\Users\Admin\AppData\Local\Temp\z2DYSM12rQX8EmA4l5Eobd3.exe (PID 1732, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\z2DYSM12rQX8EmA4l5Eobd3.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 1324, depth 2, child of 1732)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4eIa89C4M.bat"
    (the batch file's contents are not captured in this report; its effect is the two children below)
    - Suspicious use of WriteProcessMemory

        C:\Windows\system32\w32tm.exe (PID 3780, depth 3, child of 1324)
        command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        (no signatures; w32tm /stripchart with a short period and sample count is a common batch-file way to pause for a few seconds before the next stage)

        C:\Recovery\WindowsRE\Idle.exe (PID 3436, depth 3, child of 1324)
        command line: "C:\Recovery\WindowsRE\Idle.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Scheduled-task creations (48 schtasks.exe processes, all depth 1, parent wmiprvse.exe PID 1304). Every entry carries the same two signatures, Process spawned unexpected child process and Creates scheduled task(s), so they are not repeated per line. The tasks come in sets of three per target: a MINUTE-cadence task without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE-cadence task with /rl HIGHEST that reuses the first task's name. Because every command passes /f, a later /create with the same /tn replaces the earlier one, and several names are reused across different targets (IdleI/Idle, sysmons/sysmon, explorere/explorer), so fewer than 48 tasks exist once the sample finishes; enumerate the live tasks on an infected host rather than trusting this count. PIDs 3436 and 3780 also appear in the process tree above (Idle.exe and w32tm.exe); those are short-lived processes whose PIDs were reused, so correlate on PID plus start time, not PID alone.

- PID 2676: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
- PID 3416: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- PID 2612: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- PID 3164: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\backgroundTaskHost.exe'" /f
- PID 2968: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
- PID 4480: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
- PID 4016: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\Autopilot\fontdrvhost.exe'" /f
- PID 2272: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\fontdrvhost.exe'" /rl HIGHEST /f
- PID 1680: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Provisioning\Autopilot\fontdrvhost.exe'" /rl HIGHEST /f
- PID 1296: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\winlogon.exe'" /f
- PID 640: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
- PID 3464: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
- PID 4620: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\System.exe'" /f
- PID 2892: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
- PID 1492: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
- PID 4704: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\Idle.exe'" /f
- PID 2736: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Security\Idle.exe'" /rl HIGHEST /f
- PID 3952: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\Idle.exe'" /rl HIGHEST /f
- PID 876: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
- PID 2288: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- PID 3760: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- PID 2636: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\upfc.exe'" /f
- PID 1112: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
- PID 1992: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
- PID 2976: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\OfficeClickToRun.exe'" /f
- PID 2972: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Speech\OfficeClickToRun.exe'" /rl HIGHEST /f
- PID 1244: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\OfficeClickToRun.exe'" /rl HIGHEST /f
- PID 2208: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /f
- PID 260: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 1960: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 760: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\StartMenuExperienceHost.exe'" /f
- PID 4084: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- PID 944: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- PID 4540: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\explorer.exe'" /f
- PID 3000: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\explorer.exe'" /rl HIGHEST /f
- PID 1552: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\explorer.exe'" /rl HIGHEST /f
- PID 5052: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\smss.exe'" /f
- PID 3780: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SchCache\smss.exe'" /rl HIGHEST /f
- PID 212: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\smss.exe'" /rl HIGHEST /f
- PID 4460: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\sysmon.exe'" /f
- PID 1496: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\sysmon.exe'" /rl HIGHEST /f
- PID 4000: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\sysmon.exe'" /rl HIGHEST /f
- PID 3432: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\odt\MusNotification.exe'" /f
- PID 2292: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\odt\MusNotification.exe'" /rl HIGHEST /f
- PID 3436: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\odt\MusNotification.exe'" /rl HIGHEST /f
- PID 2512: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\explorer.exe'" /f
- PID 3240: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\explorer.exe'" /rl HIGHEST /f
- PID 3588: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\explorer.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.5MB (identical hashes to the submitted sample)
MD5: 813189503ba0d948993203ca259d5810
SHA1: 5553917d633963716eda6954c50a8ff0efd01cfb
SHA256: c4ec5d7b7a9bf60de2c201ebaca15ef8da3590033d4abc42fa402bcd2e5abd79
SHA512: 8e46d84b7da61eed6f4b78023ed4b5deefe4324a1e1a985f46ebd496063abb5dc208f4a3008f7761b46cc9decb19846e8ea21c62b3490e6c5fb777a57ac13338

Filesize: 195B
MD5: 9b128e4d51d53bfae4daab927648433e
SHA1: f23946d8e2b4c3355bfd0e0b46b9620f0bc4767a
SHA256: 92ebf8e02086257b22d4a527f5d52f9ad4c92dcbef49bef9ae8968e10e83a127
SHA512: 8150def1d11115e136b11fef66c8965f057bc432db46bebc4394a8bd38ad70702e0d4ce0b68459b0d23de1531992aba0fdb46faa32537daad21eb372c2c70898

Filesize: 1.5MB (same size as the submitted sample but different hashes)
MD5: 8650034f250898c60bd58bf8b4fb3716
SHA1: f1dbb44139570eac848da69c7bb5218f71574ccb
SHA256: 0b0f6786c6f95b2225d37bd38aeca12bebec99ace58a93fd46781d3ff8eafd49
SHA512: c558a6221532cf5bc92b9b010b438a97729331970635fb3bda605d51e887bfbcf2f77e983d1d7dbe885a543e97f5382813873819cd889f91685e8db6a35af18b