Analysis
- max time kernel: 136s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-05-2024 08:56
Behavioral task behavioral1
- Sample: 1b8dc013de93bb0edf121b38e7f8ab6f.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 1b8dc013de93bb0edf121b38e7f8ab6f.exe
- Resource: win10v2004-20240426-en
General
- Target: 1b8dc013de93bb0edf121b38e7f8ab6f.exe
- Size: 828KB
- MD5: 1b8dc013de93bb0edf121b38e7f8ab6f
- SHA1: 2c17ada00c2b779f5e04a801265f151591e11e18
- SHA256: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c
- SHA512: 4b23622774ea394608ade50bac520aebd64788d626e9fc316e57db8f4a4628cec221420955adae70d7ddcd7c273f6cac409d64f931e01e1a490b275788370d33
- SSDEEP: 12288:K8rQgxfLc/EHk/2Wk3D0bdxTZiLaO4Vb/5:VrzxfLFkHbXdVLVb/5
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.
  Processes (resource / yara_rule):
  - behavioral2/memory/4524-0-0x0000000000610000-0x00000000006E6000-memory.dmp: dcrat
  - C:\Recovery\WindowsRE\fontdrvhost.exe: dcrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (1b8dc013de93bb0edf121b38e7f8ab6f.exe)
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1420 backgroundTaskHost.exe
- Drops file in Program Files directory (13 IoCs)
  Processes (description / ioc / process), all by 1b8dc013de93bb0edf121b38e7f8ab6f.exe:
  - File created: C:\Program Files\Windows Media Player\it-IT\RuntimeBroker.exe
  - File created: C:\Program Files (x86)\Windows Media Player\fr-FR\Idle.exe
  - File created: C:\Program Files (x86)\Windows Photo Viewer\dwm.exe
  - File created: C:\Program Files (x86)\Windows Media Player\Skins\ea9f0e6c9e2dcd
  - File created: C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe
  - File created: C:\Program Files\ModifiableWindowsApps\dllhost.exe
  - File created: C:\Program Files (x86)\Windows Media Player\uk-UA\5aa7343aadc6e6
  - File created: C:\Program Files (x86)\Windows Media Player\fr-FR\6ccacd8608530f
  - File created: C:\Program Files (x86)\Windows Photo Viewer\6cb0b6c459d5d3
  - File created: C:\Program Files (x86)\Windows Media Player\uk-UA\1b8dc013de93bb0edf121b38e7f8ab6f.exe
  - File created: C:\Program Files (x86)\Windows Defender\eddb19405b7ce1
  - File created: C:\Program Files (x86)\Windows Media Player\Skins\taskhostw.exe
  - File created: C:\Program Files\Windows Media Player\it-IT\9e8d7a4ca61bd9
- Drops file in Windows directory (11 IoCs)
  Processes (description / ioc / process), all by 1b8dc013de93bb0edf121b38e7f8ab6f.exe:
  - File created: C:\Windows\SoftwareDistribution\DataStore\0a1fd5f707cd16
  - File created: C:\Windows\SchCache\RuntimeBroker.exe
  - File opened for modification: C:\Windows\SchCache\RuntimeBroker.exe
  - File created: C:\Windows\Media\6cb0b6c459d5d3
  - File created: C:\Windows\CbsTemp\csrss.exe
  - File created: C:\Windows\CbsTemp\886983d96e3d3e
  - File created: C:\Windows\TAPI\unsecapp.exe
  - File created: C:\Windows\SoftwareDistribution\DataStore\sppsvc.exe
  - File created: C:\Windows\SchCache\9e8d7a4ca61bd9
  - File created: C:\Windows\Media\dwm.exe
  - File created: C:\Windows\TAPI\29c1c3cc0f7685
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 51 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process), all schtasks.exe:
  4048, 5088, 3540, 4368, 1612, 3648, 1864, 3156, 2880, 1072, 4408, 5012, 2884, 536, 4924, 748, 2396, 3952, 4272, 640, 3232, 1724, 3356, 1728, 1528, 1312, 4020, 3588, 5056, 1448, 5116, 1208, 4920, 2436, 1944, 4004, 2692, 5024, 2736, 3932, 2672, 5072, 4824, 1128, 3728, 1568, 440, 3264, 4628, 3676, 4576
- Modifies registry class (1 IoC)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (1b8dc013de93bb0edf121b38e7f8ab6f.exe)
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes (pid / process):
  - 4524 1b8dc013de93bb0edf121b38e7f8ab6f.exe (26 entries)
  - 1420 backgroundTaskHost.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 4524 1b8dc013de93bb0edf121b38e7f8ab6f.exe
  - Token: SeDebugPrivilege, 1420 backgroundTaskHost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 4524 wrote to memory of 1796: 1b8dc013de93bb0edf121b38e7f8ab6f.exe -> cmd.exe (2 entries)
  - PID 1796 wrote to memory of 1824: cmd.exe -> w32tm.exe (2 entries)
  - PID 1796 wrote to memory of 1420: cmd.exe -> backgroundTaskHost.exe (2 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\1b8dc013de93bb0edf121b38e7f8ab6f.exe (depth 1, PID 4524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b8dc013de93bb0edf121b38e7f8ab6f.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2, PID 1796)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G7KEsLrQzU.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\w32tm.exe (depth 3, PID 1824)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe (depth 3, PID 1420)
      Command line: "C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (depth 1, PID 1724)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 5012)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1944)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 2880)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\dwm.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1448)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3356)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4020)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3728)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4272)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1728)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1312)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 2436)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1128)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4368)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1528)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 2692)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3264)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4920)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 5056)
  Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\MusNotification.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1612)
  Command line: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 2672)
  Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3156)
  Command line: schtasks.exe /create /tn "1b8dc013de93bb0edf121b38e7f8ab6f1" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\1b8dc013de93bb0edf121b38e7f8ab6f.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4576)
  Command line: schtasks.exe /create /tn "1b8dc013de93bb0edf121b38e7f8ab6f" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\1b8dc013de93bb0edf121b38e7f8ab6f.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 5072)
  Command line: schtasks.exe /create /tn "1b8dc013de93bb0edf121b38e7f8ab6f1" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\1b8dc013de93bb0edf121b38e7f8ab6f.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3952)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\RuntimeBroker.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3676)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3232)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3932)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\csrss.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4824)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\CbsTemp\csrss.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4408)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\csrss.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4004)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\Idle.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3540)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\Idle.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4628)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\Idle.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4924)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 440)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1864)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 536)
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\taskhostw.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3588)
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\taskhostw.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1568)
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\taskhostw.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1208)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WindowsHolographicDevices\Idle.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 5116)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\Idle.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 4048)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\Idle.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 2884)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 2396)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 640)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 5088)
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\unsecapp.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 3648)
  Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\TAPI\unsecapp.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 748)
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\unsecapp.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 2736)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DataStore\sppsvc.exe'" /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 1072)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\sppsvc.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1, PID 5024)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DataStore\sppsvc.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 828KB
  MD5: 1b8dc013de93bb0edf121b38e7f8ab6f
  SHA1: 2c17ada00c2b779f5e04a801265f151591e11e18
  SHA256: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c
  SHA512: 4b23622774ea394608ade50bac520aebd64788d626e9fc316e57db8f4a4628cec221420955adae70d7ddcd7c273f6cac409d64f931e01e1a490b275788370d33
- Filesize: 227B
  MD5: 6c7391d0742c725876fed8ce72ffc3a5
  SHA1: 92081f10425bc41bd3d1936792fc347150a89263
  SHA256: b10a4f6e7cf520d57872d7ee7a71b04060dd2961d36eae57ed3af13163ecf1d4
  SHA512: 041ce25604e311c1e7cd3dfad7d3856ad9881ce1c22fca1289e78c94815f081dd26ee417cdb61fe6a1fdac24d35573586c590c7c917cb3734ee0699296a76ebf