Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/03/2024, 13:36
Behavioral task: behavioral1
- Sample: 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
- Resource: win10v2004-20240226-en
General
- Target: 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
- Size: 1.7MB
- MD5: 1cf1c8a6b74890f6d1913bf3b9e46a79
- SHA1: 3baa803148359d5ecd3afac11352e8ecab90ceee
- SHA256: 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239
- SHA512: 6903889c69d4b6c13c768592abff2aa20b3f8c689381d4814f27c4647023bcfdbd20e99d98913e1d8ec19751d2eb1dbc5a8ca3e0a48be3acdcbd9a644ea5cc70
- SSDEEP: 24576:J2G/nvxW3WAAJElP9nCWgiFzoJNkvnw28BAc1eThSQFdO5q+4OvqLqzvXrJhtZ:JbA3Qa4h527ceSQFdOo+HqLqHfP
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral2/files/0x0007000000023247-10.dat | dcrat
behavioral2/memory/4188-12-0x0000000000BC0000-0x0000000000D42000-memory.dmp | dcrat
-
Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
All 54 entries share the same description, pid_target, Process and procid_target; only the child pid differs.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 3260 | Process: schtasks.exe | procid_target: 98
pid: 1840, 3068, 3704, 4424, 3304, 1104, 4320, 392, 4152, 364, 1868, 464, 2044, 2036, 4508, 3348, 4380, 4536, 1820, 1992, 4368, 5060, 4860, 3052, 764, 4616, 4108, 532, 4972, 2236, 1404, 2292, 2096, 2492, 4772, 3060, 536, 3852, 2072, 3572, 4116, 1900, 1476, 1696, 4956, 4636, 1236, 1108, 3476, 3296, 4512, 2824, 3500, 1104
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | hostnet.exe
-
Executes dropped EXE (2 IoCs)
pid | Process
4188 | hostnet.exe
2964 | unsecapp.exe
-
Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows Media Player\ja-JP\6ccacd8608530f | hostnet.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe | hostnet.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6203df4a6bafc7 | hostnet.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe | hostnet.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\886983d96e3d3e | hostnet.exe
File created | C:\Program Files\Windows Media Player\ja-JP\Idle.exe | hostnet.exe
-
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\L2Schemas\69ddcba757bf72 | hostnet.exe
File created | C:\Windows\Resources\Ease of Access Themes\StartMenuExperienceHost.exe | hostnet.exe
File created | C:\Windows\Resources\Ease of Access Themes\55b276f4edf653 | hostnet.exe
File created | C:\Windows\addins\RuntimeBroker.exe | hostnet.exe
File created | C:\Windows\addins\9e8d7a4ca61bd9 | hostnet.exe
File created | C:\Windows\L2Schemas\smss.exe | hostnet.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTPs, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
All 54 entries are schtasks.exe; pids: 1868, 3052, 3348, 1900, 3068, 536, 2072, 1104, 5060, 1108, 4320, 4108, 3852, 1236, 4536, 4368, 4860, 4616, 4636, 3500, 392, 532, 4972, 3060, 1476, 4116, 4956, 4380, 4512, 764, 1404, 364, 2036, 1992, 2292, 4772, 3704, 3304, 1820, 2096, 1104, 4508, 3572, 1696, 2824, 4152, 2044, 3476, 1840, 4424, 464, 2236, 2492, 3296
-
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | hostnet.exe
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4188 | hostnet.exe
4188 | hostnet.exe
4188 | hostnet.exe
4188 | hostnet.exe
4188 | hostnet.exe
4188 | hostnet.exe
2964 | unsecapp.exe
2964 | unsecapp.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4188 | hostnet.exe
Token: SeDebugPrivilege | 2964 | unsecapp.exe
-
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 1560 wrote to memory of 4964 | 1560 | 1cf1c8a6b74890f6d1913bf3b9e46a79.exe | 92
PID 1560 wrote to memory of 4964 | 1560 | 1cf1c8a6b74890f6d1913bf3b9e46a79.exe | 92
PID 1560 wrote to memory of 4964 | 1560 | 1cf1c8a6b74890f6d1913bf3b9e46a79.exe | 92
PID 4964 wrote to memory of 1492 | 4964 | WScript.exe | 102
PID 4964 wrote to memory of 1492 | 4964 | WScript.exe | 102
PID 4964 wrote to memory of 1492 | 4964 | WScript.exe | 102
PID 1492 wrote to memory of 4188 | 1492 | cmd.exe | 104
PID 1492 wrote to memory of 4188 | 1492 | cmd.exe | 104
PID 4188 wrote to memory of 2128 | 4188 | hostnet.exe | 159
PID 4188 wrote to memory of 2128 | 4188 | hostnet.exe | 159
PID 2128 wrote to memory of 2156 | 2128 | cmd.exe | 161
PID 2128 wrote to memory of 2156 | 2128 | cmd.exe | 161
PID 2128 wrote to memory of 2964 | 2128 | cmd.exe | 162
PID 2128 wrote to memory of 2964 | 2128 | cmd.exe | 162
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1560
  -
  C:\Windows\SysWOW64\WScript.exe (depth 2)
  Command line: "C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4964
    -
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1492
      -
      C:\BlockSurrogateagentFont\hostnet.exe (depth 4)
      Command line: "C:\BlockSurrogateagentFont\hostnet.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4188
        -
        C:\Windows\System32\cmd.exe (depth 5)
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G9KdyrGbAN.bat"
        - Suspicious use of WriteProcessMemory
        PID: 2128
          -
          C:\Windows\system32\w32tm.exe (depth 6)
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 2156
          -
          C:\Users\Admin\Downloads\unsecapp.exe (depth 6)
          Command line: "C:\Users\Admin\Downloads\unsecapp.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2964
-
All 54 entries below are C:\Windows\system32\schtasks.exe at depth 1, and each is flagged with the signatures "Process spawned unexpected child process" and "Creates scheduled task(s)".
PID | Command line
1840 | schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
3068 | schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
3704 | schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
4424 | schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\BlockSurrogateagentFont\Registry.exe'" /f
3304 | schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\Registry.exe'" /rl HIGHEST /f
1104 | schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\BlockSurrogateagentFont\Registry.exe'" /rl HIGHEST /f
4320 | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /f
392 | schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
4152 | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
364 | schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\odt\sihost.exe'" /f
1868 | schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
464 | schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
2044 | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /f
2036 | schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
4508 | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
3348 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /f
4380 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
4536 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
1820 | schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\smss.exe'" /f
1992 | schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
4368 | schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
5060 | schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\StartMenuExperienceHost.exe'" /f
4860 | schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\StartMenuExperienceHost.exe'" /rl HIGHEST /f
3052 | schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\StartMenuExperienceHost.exe'" /rl HIGHEST /f
764 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\Idle.exe'" /f
4616 | schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\Idle.exe'" /rl HIGHEST /f
4108 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\Idle.exe'" /rl HIGHEST /f
532 | schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\odt\Registry.exe'" /f
4972 | schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
2236 | schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1404 | schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Recent\unsecapp.exe'" /f
2292 | schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Recent\unsecapp.exe'" /rl HIGHEST /f
2096 | schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Recent\unsecapp.exe'" /rl HIGHEST /f
2492 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Videos\lsass.exe'" /f
4772 | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\lsass.exe'" /rl HIGHEST /f
3060 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Videos\lsass.exe'" /rl HIGHEST /f
536 | schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Downloads\unsecapp.exe'" /f
3852 | schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\unsecapp.exe'" /rl HIGHEST /f
2072 | schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\unsecapp.exe'" /rl HIGHEST /f
3572 | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\BlockSurrogateagentFont\dllhost.exe'" /f
4116 | schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\dllhost.exe'" /rl HIGHEST /f
1900 | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\BlockSurrogateagentFont\dllhost.exe'" /rl HIGHEST /f
1476 | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f
1696 | schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
4956 | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
4636 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
1236 | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1108 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
3476 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\BlockSurrogateagentFont\csrss.exe'" /f
3296 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\csrss.exe'" /rl HIGHEST /f
4512 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\BlockSurrogateagentFont\csrss.exe'" /rl HIGHEST /f
2824 | schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
3500 | schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1104 | schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads