Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-05-2024 00:25
Behavioral task behavioral1
- Sample: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
- Resource: win10v2004-20240508-en
General
- Target: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
- Size: 3.7MB
- MD5: 6f2466923bafbabe0788c6126ff713d9
- SHA1: 2fb2911f4a08458e9aa922e4b8f6e6b4a7c2c81c
- SHA256: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad
- SHA512: ebc5f71d041828eb54781d5fee466b0026586dfe6929fb2327a7bfb016b13427f2177b7d405523ff3457f8a1808335d76fc24467de4ef0a9dcc0a41a638f5d30
- SSDEEP: 98304:+XXAzJltvwAu5QfCWC2UxdYZhOIeBXJcu3O:+HAzXtzu5QfCWPK+/2tJcz
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (39 instances)
description | pid | pid_target | process
All 39 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process"; the remaining columns are:
452 | 656 | schtasks.exe
1308 | 656 | schtasks.exe
4876 | 656 | schtasks.exe
3980 | 656 | schtasks.exe
716 | 656 | schtasks.exe
2432 | 656 | schtasks.exe
2704 | 656 | schtasks.exe
4896 | 656 | schtasks.exe
1808 | 656 | schtasks.exe
5012 | 656 | schtasks.exe
2604 | 656 | schtasks.exe
3224 | 656 | schtasks.exe
4496 | 656 | schtasks.exe
2676 | 656 | schtasks.exe
2280 | 656 | schtasks.exe
4276 | 656 | schtasks.exe
3220 | 656 | schtasks.exe
2204 | 656 | schtasks.exe
3512 | 656 | schtasks.exe
3436 | 656 | schtasks.exe
2396 | 656 | schtasks.exe
3568 | 656 | schtasks.exe
224 | 656 | schtasks.exe
4604 | 656 | schtasks.exe
3180 | 656 | schtasks.exe
4800 | 656 | schtasks.exe
4468 | 656 | schtasks.exe
1280 | 656 | schtasks.exe
5000 | 656 | schtasks.exe
3712 | 656 | schtasks.exe
4140 | 656 | schtasks.exe
4728 | 656 | schtasks.exe
4528 | 656 | schtasks.exe
3996 | 656 | schtasks.exe
3348 | 656 | schtasks.exe
3848 | 656 | schtasks.exe
2968 | 656 | schtasks.exe
2256 | 656 | schtasks.exe
3776 | 656 | schtasks.exe
Processes:
resource | yara_rule
C:\bridgeComponentRuntimehostnet\componentRef.exe | dcrat
behavioral2/memory/332-16-0x0000000000E80000-0x00000000010F6000-memory.dmp | dcrat
-
Detects executables packed with SmartAssembly 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/332-26-0x000000001C450000-0x000000001C45A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe, WScript.exe, componentRef.exe, RuntimeBroker.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | componentRef.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
-
Executes dropped EXE 2 IoCs
Processes: componentRef.exe, RuntimeBroker.exe
pid | process
332 | componentRef.exe
3480 | RuntimeBroker.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
pid | process
1700 | 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
-
Drops file in Program Files directory 10 IoCs
Processes: componentRef.exe
description | ioc | process
File created | C:\Program Files (x86)\Adobe\9e8d7a4ca61bd9 | componentRef.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe | componentRef.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\0a1fd5f707cd16 | componentRef.exe
File created | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe | componentRef.exe
File created | C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe | componentRef.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe | componentRef.exe
File created | C:\Program Files (x86)\Adobe\RuntimeBroker.exe | componentRef.exe
File created | C:\Program Files\Windows Security\BrowserCore\9e8d7a4ca61bd9 | componentRef.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ebf1f9fa8afd6d | componentRef.exe
File created | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\cc11b995f2a76d | componentRef.exe
-
Drops file in Windows directory 3 IoCs
Processes: componentRef.exe
description | ioc | process
File created | C:\Windows\WinSxS\winlogon.exe | componentRef.exe
File created | C:\Windows\SKB\LanguageModels\taskhostw.exe | componentRef.exe
File created | C:\Windows\SKB\LanguageModels\ea9f0e6c9e2dcd | componentRef.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (39 instances)
pid | process
All 39 rows have process schtasks.exe; the pids are: 4496, 224, 3180, 5000, 3848, 4896, 3224, 2676, 2280, 3220, 3512, 3568, 4140, 2704, 2604, 4276, 3996, 452, 2204, 4604, 3980, 716, 5012, 3348, 2968, 1308, 3712, 4728, 4528, 4876, 4800, 2256, 3436, 1808, 2396, 4468, 1280, 3776, 2432
-
Modifies registry class 3 IoCs
Processes: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe, componentRef.exe, RuntimeBroker.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | componentRef.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | RuntimeBroker.exe
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe, componentRef.exe, RuntimeBroker.exe
pid | process | occurrences
1700 | 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe | 2
332 | componentRef.exe | 16
3480 | RuntimeBroker.exe | 13
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RuntimeBroker.exe
pid | process
3480 | RuntimeBroker.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: componentRef.exe, RuntimeBroker.exe
description | pid | process
Token: SeDebugPrivilege | 332 | componentRef.exe
Token: SeDebugPrivilege | 3480 | RuntimeBroker.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
pid | process
1700 | 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe, WScript.exe, cmd.exe, componentRef.exe, cmd.exe, RuntimeBroker.exe
description | pid | process | target process
PID 1700 wrote to memory of 2896 | 1700 | 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe | WScript.exe
PID 1700 wrote to memory of 2896 | 1700 | 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe | WScript.exe
PID 1700 wrote to memory of 2896 | 1700 | 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe | WScript.exe
PID 2896 wrote to memory of 4716 | 2896 | WScript.exe | cmd.exe
PID 2896 wrote to memory of 4716 | 2896 | WScript.exe | cmd.exe
PID 2896 wrote to memory of 4716 | 2896 | WScript.exe | cmd.exe
PID 4716 wrote to memory of 332 | 4716 | cmd.exe | componentRef.exe
PID 4716 wrote to memory of 332 | 4716 | cmd.exe | componentRef.exe
PID 332 wrote to memory of 696 | 332 | componentRef.exe | cmd.exe
PID 332 wrote to memory of 696 | 332 | componentRef.exe | cmd.exe
PID 696 wrote to memory of 3396 | 696 | cmd.exe | w32tm.exe
PID 696 wrote to memory of 3396 | 696 | cmd.exe | w32tm.exe
PID 696 wrote to memory of 3480 | 696 | cmd.exe | RuntimeBroker.exe
PID 696 wrote to memory of 3480 | 696 | cmd.exe | RuntimeBroker.exe
PID 3480 wrote to memory of 1688 | 3480 | RuntimeBroker.exe | WScript.exe
PID 3480 wrote to memory of 1688 | 3480 | RuntimeBroker.exe | WScript.exe
PID 3480 wrote to memory of 3112 | 3480 | RuntimeBroker.exe | WScript.exe
PID 3480 wrote to memory of 3112 | 3480 | RuntimeBroker.exe | WScript.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows parent/child depth; the signatures each process triggered are listed beneath it):

C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe (PID 1700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 2896)
    Command line: "C:\Windows\System32\WScript.exe" "C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4716)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\bridgeComponentRuntimehostnet\worw0dI33.bat" "
      - Suspicious use of WriteProcessMemory
      C:\bridgeComponentRuntimehostnet\componentRef.exe (PID 332)
        Command line: "C:\bridgeComponentRuntimehostnet\componentRef.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe (PID 696)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DZ8Dwvi6fQ.bat"
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\w32tm.exe (PID 3396)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe (PID 3480)
            Command line: "C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WScript.exe (PID 1688)
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1837dce6-ccdc-4b94-9bd2-a3daef544867.vbs"
            C:\Windows\System32\WScript.exe (PID 3112)
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac48c4b-3cc5-4e10-9f14-837ae7bd1257.vbs"

Top-level schtasks.exe processes (the signature table above attributes them to parent wmiprvse.exe, PID 656); each triggered "Process spawned unexpected child process" and "Creates scheduled task(s)":

C:\Windows\system32\schtasks.exe (PID 452)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe (PID 1308)
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4876)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3980)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe (PID 716)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2432)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2704)
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\upfc.exe'" /f
C:\Windows\system32\schtasks.exe (PID 4896)
  Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Videos\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1808)
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 5012)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe (PID 2604)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3224)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4496)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f
C:\Windows\system32\schtasks.exe (PID 2676)
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2280)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4276)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe (PID 3220)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2204)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3512)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\schtasks.exe (PID 3436)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2396)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3568)
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\LanguageModels\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe (PID 224)
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4604)
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\SKB\LanguageModels\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3180)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe (PID 4800)
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4468)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1280)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe (PID 5000)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3712)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4140)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe (PID 4728)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4528)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3996)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe (PID 3348)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3848)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2968)
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /f
C:\Windows\system32\schtasks.exe (PID 2256)
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3776)
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 739B
  MD5: d627f60ba2b58d0e9f08b372c2288bba
  SHA1: 952b3daceb679e24df8d910e9dc135fe545f90ef
  SHA256: ae366485892bd07d2d38d7d478a04a3ebd208f364d85797fe79eed1996985d22
  SHA512: 96a6d2cf025e18697b20de0d1322e1859d6863296cd7ed093815eb65cc8a4547930f7753cde576fe1e1357221ea81c2d5039423b5baf7c89589c379458239ea9
- Filesize: 515B
  MD5: fd71bf046507149a02b8266bea39ca5a
  SHA1: 547858e0af078794b058e4c0d729129600687225
  SHA256: 248de724be4295206e483acc7e3e7c7c908401e1224ec18269ee9042f2e72021
  SHA512: 462d716864457f76b78cf1a3d720b7a2cc9fc9a72f482bfabdbef89c907e97f1a12a15c59811cfabc0d83e685abc292410234ee8312e60139d37c083b3942f68
- Filesize: 228B
  MD5: 27fa206b2865a6116d20efd9a5321c47
  SHA1: 6c2b8aeb48da6001ae176a3b4c64543aea98ae5f
  SHA256: ae3624eac1d2c2a289cdfaa037cb086673e92a53dbcaead32c5c34642bcd4873
  SHA512: 4bd0b318d1ba75842262685edf001719953dff61da317035765cd9ded595c49b09bd7ba314ed38a8cb13e2ff0c8d3993c0628be01fffbded1cec13207d810a39
- Filesize: 215B
  MD5: 403a1462c9f6034000cc5f6180be08b3
  SHA1: fd7f04eafaaa752786aaffba321366fc1938c062
  SHA256: adaf424ebd8d37a552019d5e4c8394031fadffa5411420db2a0ed8b002834424
  SHA512: 61437b7aa711a1f6d598a00bcbb4919be2b72d58be5b6ad525272657992726c90ff79d39436dcae07a81f73978e01a223bcd11d0a2dce2423ac12de54d4f1e2c
- Filesize: 2.4MB
  MD5: 526153cbd86009228ad53cd262a9c6b3
  SHA1: 6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2
  SHA256: 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
  SHA512: 9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665
- Filesize: 51B
  MD5: 349cd009e089597bd6a43bdb489cd4d3
  SHA1: 732820f42c008d4d5d10c04bc0f49ffcc9855619
  SHA256: e4039e78bca312c284c412fc8a05d28521421824776faa4a5549a7b32742f671
  SHA512: c5941a91c608027c924a366c38adff267fdad0f89b82b72db10ee632219bb5622255e97a0b02d4f46a2dd34130593ab1cf5d1c2b518b52e1c2d633c39bd9fd50