Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 01:03
Behavioral task: behavioral1
- Sample: 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
- Resource: win10v2004-20240508-en
General
- Target: 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
- Size: 827KB
- MD5: 3a1b3746d26413c8668fb533ab612284
- SHA1: 875d159c892558473519f947c0421672717f7e2c
- SHA256: 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924
- SHA512: 26f20ae889e6a327d6cd710082c0a2ccf4e94a6cc90bd8b3916f7b28a00e7f7c23448c7dfc817242b48e80468779b815133db64a7a4b7b77dc8729a940e5a8fe
- SSDEEP: 12288:DqUgxxQIWHTZu9PBjhP/i4TuI+sqBcDOC6hThC/8bMCHZR:uZQ9HTZu9lN/i4qI+sq6+nNj
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (columns: description, pid, pid_target, process, target process), 54 rows, each of the form:
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | <pid> | 1320 | schtasks.exe
with <pid> taking, in order: 436, 4788, 4020, 2300, 3152, 4608, 2316, 4596, 224, 3144, 4120, 5104, 3980, 4660, 3328, 3172, 2052, 4144, 1068, 4812, 1580, 2272, 824, 5036, 3688, 4808, 4480, 3676, 4688, 3584, 628, 2008, 3080, 2184, 1136, 2216, 2064, 4692, 1092, 852, 2516, 2428, 2140, 452, 3224, 872, 1192, 5056, 3808, 4664, 4324, 4828, 1364, 2424
-
Processes (columns: resource, yara_rule):
behavioral2/memory/1968-1-0x0000000000400000-0x00000000004D6000-memory.dmp | dcrat
C:\Users\Public\AccountPictures\wininit.exe | dcrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (columns: description, ioc, process):
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
-
Executes dropped EXE 1 IoCs
Processes (columns: pid, process):
4440 | MusNotification.exe
-
Drops file in Program Files directory 11 IoCs
Processes (columns: description, ioc, process), all rows for process 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe:
File created | C:\Program Files\Common Files\microsoft shared\Source Engine\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe
File created | C:\Program Files\Windows Portable Devices\Idle.exe
File created | C:\Program Files\Windows Portable Devices\6ccacd8608530f
File created | C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\eddb19405b7ce1
File created | C:\Program Files\Common Files\microsoft shared\Source Engine\2fc4ebd81aba05
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\e1ef82546f0b02
File created | C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\7a0fd90576e088
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\System.exe
-
Drops file in Windows directory 6 IoCs
Processes (columns: description, ioc, process), all rows for process 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe:
File created | C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\c5b4cb5e9653cc
File created | C:\Windows\Web\MusNotification.exe
File created | C:\Windows\Web\aa97147c4c782d
File created | C:\Windows\CSC\TextInputHost.exe
File created | C:\Windows\Speech\Engines\SR\en-US\spoolsv.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (columns: pid, process), 54 rows, all with process schtasks.exe; pids in order:
3980, 3224, 4664, 4144, 2216, 852, 2516, 3808, 1364, 3152, 4812, 1192, 4324, 1580, 3688, 4480, 4660, 3080, 2064, 4608, 5036, 4120, 5056, 436, 4788, 2300, 4596, 3144, 2052, 2008, 2184, 4692, 4020, 4808, 2140, 224, 3328, 3172, 4688, 3584, 2316, 1068, 872, 2424, 2272, 824, 3676, 1092, 2428, 452, 4828, 5104, 628, 1136
-
Modifies registry class 1 IoCs
Processes (columns: description, ioc, process):
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes (columns: pid, process), 35 rows:
1968 | 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe (26 rows)
4440 | MusNotification.exe (9 rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (columns: pid, process):
4440 | MusNotification.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (columns: description, pid, process):
Token: SeDebugPrivilege | 1968 | 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
Token: SeDebugPrivilege | 4440 | MusNotification.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes (columns: description, pid, process, target process):
PID 1968 wrote to memory of 4540 | 1968 | 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe | cmd.exe
PID 1968 wrote to memory of 4540 | 1968 | 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe | cmd.exe
PID 4540 wrote to memory of 4708 | 4540 | cmd.exe | w32tm.exe
PID 4540 wrote to memory of 4708 | 4540 | cmd.exe | w32tm.exe
PID 4540 wrote to memory of 4440 | 4540 | cmd.exe | MusNotification.exe
PID 4540 wrote to memory of 4440 | 4540 | cmd.exe | MusNotification.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe (depth 1, PID 1968)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\cmd.exe (depth 2, PID 4540)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ClHr12lP5M.bat"
    Signatures: Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\w32tm.exe (depth 3, PID 4708)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
    C:\Windows\Web\MusNotification.exe (depth 3, PID 4440)
      Command line: "C:\Windows\Web\MusNotification.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe (depth 1, PID 436)
  Command line: schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4788)
  Command line: schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4020)
  Command line: schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2300)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3152)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4608)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2316)
  Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\MusNotification.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4596)
  Command line: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\Web\MusNotification.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 224)
  Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\MusNotification.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3144)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\TextInputHost.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4120)
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\TextInputHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 5104)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\TextInputHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3980)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4660)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3328)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3172)
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2052)
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4144)
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 1068)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\sysmon.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4812)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\sysmon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 1580)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\sysmon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2272)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 824)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 5036)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3688)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4808)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4480)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3676)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4688)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3584)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 628)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2008)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3080)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2184)
  Command line: schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 1136)
  Command line: schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2216)
  Command line: schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2064)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4692)
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 1092)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 852)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2516)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2428)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2140)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 452)
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3224)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 872)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 1192)
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 5056)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 3808)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4664)
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4324)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 4828)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 1364)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1, PID 2424)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 199B
  MD5: 5d07efcba474f9b2f7d07695b176c113
  SHA1: 47a0444fc72b55c9ad3e4f7c2a7611ab9cc643fa
  SHA256: afe0aebbadbfb680e425de4acc28c2dce8448e29302bb5ee5c1fee296ecc5661
  SHA512: 720b258662f5a69aa8de824dca394bb17a938425c6aac7176ebdcd8524c6d0bf1c96b3c8668060c2efba8acfdc34114f78ab80c2b4a7e741c1bc7f064b261fd1
- Filesize: 827KB
  MD5: 3a1b3746d26413c8668fb533ab612284
  SHA1: 875d159c892558473519f947c0421672717f7e2c
  SHA256: 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924
  SHA512: 26f20ae889e6a327d6cd710082c0a2ccf4e94a6cc90bd8b3916f7b28a00e7f7c23448c7dfc817242b48e80468779b815133db64a7a4b7b77dc8729a940e5a8fe