Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
16-05-2024 02:37
Behavioral task
behavioral1
Sample
4b501fa87e3f05f21f0e85ed63f0deb4.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4b501fa87e3f05f21f0e85ed63f0deb4.exe
Resource
win10v2004-20240426-en
General
Target
4b501fa87e3f05f21f0e85ed63f0deb4.exe
Size
1.2MB
MD5
4b501fa87e3f05f21f0e85ed63f0deb4
SHA1
ab1f15913d82d926441805a9cd847353836a7816
SHA256
a083297276d53c1ea773b6a44715daa36259a8a9efcbc9c18818903c25663847
SHA512
3e364b17ed3bc9c4b9a696ae30ef2ee001a1012c8e51c35da41234c1127b6998e81b668078aaf99ea12cbdd4ab5e29ec2ea63f1efec4b4c41c19cdd46c515de8
SSDEEP
24576:U2G/nvxW3Ww0t7lDVLfVQ8KMYD/KXZfjaV8bGjqHGrFo:UbA307HV7CEZ7HW7K
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe | dcrat
behavioral2/memory/4896-13-0x0000000000BC0000-0x0000000000CA8000-memory.dmp | dcrat
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (45 instances)
description | pid | pid_target | process | target process
All 45 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 5048 and process schtasks.exe; the pid column is, in report order:
1616, 3812, 3980, 4224, 2780, 3284, 1640, 3904, 3324, 3504, 1388, 1072, 4012, 3016, 2264, 3880, 4860, 1472, 3976, 3444, 4592, 1796, 1984, 768, 3964, 3644, 4952, 4336, 4252, 4944, 3308, 1952, 4256, 2984, 4428, 2076, 3764, 4148, 3060, 4208, 5084, 4608, 2168, 3524, 4924
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: 4b501fa87e3f05f21f0e85ed63f0deb4.exe, WScript.exe, refCrt.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | 4b501fa87e3f05f21f0e85ed63f0deb4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | refCrt.exe
Executes dropped EXE 2 IoCs
Processes:
Processes: refCrt.exe, lsass.exe
pid | process
4896 | refCrt.exe
4004 | lsass.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
26 | ip-api.com
Drops file in Program Files directory 11 IoCs
Processes:
Processes: refCrt.exe
description | ioc | process
File created | C:\Program Files (x86)\Common Files\Oracle\lsass.exe | refCrt.exe
File created | C:\Program Files (x86)\Common Files\Oracle\6203df4a6bafc7 | refCrt.exe
File created | C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe | refCrt.exe
File created | C:\Program Files\Mozilla Firefox\defaults\pref\9e8d7a4ca61bd9 | refCrt.exe
File created | C:\Program Files\Windows Multimedia Platform\csrss.exe | refCrt.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9 | refCrt.exe
File created | C:\Program Files\Microsoft Office\Office16\Registry.exe | refCrt.exe
File created | C:\Program Files\Microsoft Office\Office16\ee2ad38f3d4382 | refCrt.exe
File created | C:\Program Files\Windows Multimedia Platform\886983d96e3d3e | refCrt.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe | refCrt.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe | refCrt.exe
Drops file in Windows directory 9 IoCs
Processes:
Processes: refCrt.exe
description | ioc | process
File created | C:\Windows\PrintDialog\Assets\StartMenuExperienceHost.exe | refCrt.exe
File created | C:\Windows\WinSxS\backgroundTaskHost.exe | refCrt.exe
File created | C:\Windows\AppReadiness\TextInputHost.exe | refCrt.exe
File created | C:\Windows\AppReadiness\22eafd247d37c3 | refCrt.exe
File created | C:\Windows\PrintDialog\Assets\55b276f4edf653 | refCrt.exe
File created | C:\Windows\Migration\WTR\dwm.exe | refCrt.exe
File created | C:\Windows\Migration\WTR\6cb0b6c459d5d3 | refCrt.exe
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\spoolsv.exe | refCrt.exe
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\f3b6ecef712a24 | refCrt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
Processes: schtasks.exe (45 instances)
pid | process
All 45 rows have process schtasks.exe; the pid column is, in report order:
4860, 3764, 3524, 3904, 3324, 4608, 4336, 4252, 1640, 1472, 3444, 4944, 2984, 3980, 2780, 4148, 4208, 2168, 1388, 3644, 3016, 3976, 4952, 3308, 3060, 3504, 1072, 4012, 3880, 4592, 1984, 2076, 1616, 4224, 3964, 4428, 4924, 3812, 2264, 768, 1952, 4256, 5084, 3284, 1796
Modifies registry class 2 IoCs
Processes:
Processes: 4b501fa87e3f05f21f0e85ed63f0deb4.exe, refCrt.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | 4b501fa87e3f05f21f0e85ed63f0deb4.exe
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | refCrt.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
Processes: refCrt.exe, lsass.exe
pid | process
4896 | refCrt.exe (19 entries)
4004 | lsass.exe (12 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Processes: lsass.exe
pid | process
4004 | lsass.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Processes: refCrt.exe, lsass.exe
description | pid | process
Token: SeDebugPrivilege | 4896 | refCrt.exe
Token: SeDebugPrivilege | 4004 | lsass.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Processes: 4b501fa87e3f05f21f0e85ed63f0deb4.exe, WScript.exe, cmd.exe, refCrt.exe, cmd.exe
description | pid | process | target process
PID 2984 wrote to memory of 428 | 2984 | 4b501fa87e3f05f21f0e85ed63f0deb4.exe | WScript.exe
PID 2984 wrote to memory of 428 | 2984 | 4b501fa87e3f05f21f0e85ed63f0deb4.exe | WScript.exe
PID 2984 wrote to memory of 428 | 2984 | 4b501fa87e3f05f21f0e85ed63f0deb4.exe | WScript.exe
PID 428 wrote to memory of 1608 | 428 | WScript.exe | cmd.exe
PID 428 wrote to memory of 1608 | 428 | WScript.exe | cmd.exe
PID 428 wrote to memory of 1608 | 428 | WScript.exe | cmd.exe
PID 1608 wrote to memory of 4896 | 1608 | cmd.exe | refCrt.exe
PID 1608 wrote to memory of 4896 | 1608 | cmd.exe | refCrt.exe
PID 4896 wrote to memory of 4868 | 4896 | refCrt.exe | cmd.exe
PID 4896 wrote to memory of 4868 | 4896 | refCrt.exe | cmd.exe
PID 4868 wrote to memory of 640 | 4868 | cmd.exe | w32tm.exe
PID 4868 wrote to memory of 640 | 4868 | cmd.exe | w32tm.exe
PID 4868 wrote to memory of 4004 | 4868 | cmd.exe | lsass.exe
PID 4868 wrote to memory of 4004 | 4868 | cmd.exe | lsass.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\4b501fa87e3f05f21f0e85ed63f0deb4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b501fa87e3f05f21f0e85ed63f0deb4.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2984

  Level 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\blockBroker\dCDa6ALGfvXR9eU7o.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 428

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\blockBroker\oXLzHTz.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 1608

      Level 4: C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4896

        Level 5: C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DVGZ1ebnCh.bat"
          - Suspicious use of WriteProcessMemory
          PID: 4868

          Level 6: C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 640

          Level 6: C:\Program Files (x86)\Common Files\Oracle\lsass.exe
            Command line: "C:\Program Files (x86)\Common Files\Oracle\lsass.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID: 4004

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1616

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3812

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3980

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4224

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2780

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3284

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1640

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3904

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3324

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3504

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1388

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1072

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Windows\AppReadiness\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4012

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3016

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2264

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3880

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4860

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1472

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3976

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3444

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4592

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1796

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1984

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 768

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\Assets\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3964

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3644

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\PrintDialog\Assets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4952

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4336

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4252

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4944

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3308

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1952

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4256

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2984

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4428

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2076

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3764

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4148

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3060

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4208

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5084

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4608

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2168

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3524

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4924
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
217B
MD5
57ba347c02222fddc46f29e57068098a
SHA1
3bab57cbee92b4a88d386b085d51d60492f971e6
SHA256
33b103531e2bfd4fd2b7169eec4ecd3dbd35afc5c1592dcd8bc00dd554c1c453
SHA512
aa5bfdde1bdf5320ff7a393b40b7bcc7ef48ad7f3106ed3b6b24eb02f270b79510e22e408aead558fb6efffd2b8a46a20b41d291c384b8d9dfe2a88e6bcb43a0

Filesize
199B
MD5
d82ab8a29099adb65e97dd5eb7bb9acc
SHA1
bff5f9f5d5793ca27e0f2f26fa437317209da5c9
SHA256
7df61b5dc400e66c13e84a0fe0d0af679ed73cacc1e80877224f5dbf52594cc0
SHA512
d953272aab88a6ef226b3316a8da7e145cc7bea23ca0f16e0f44dc41e6b5875ba19275234690c079572da89eb2524dbae0a87330ce33c1bd6966161e5ec5e7d1

Filesize
31B
MD5
f2a70d75ba065b27796739df5ed59503
SHA1
6761a00a1b4dfc1bdc8b38ebdc1031d4878d0863
SHA256
5d8b9079a09b672d42794c2948e409ee1a8a182e7cd591b3697af4ca51c73f16
SHA512
931994e6ecbd19d2e804d8b9bc6015ef7d031e99497b6a585c5aed967a07894fc615981bb504dd270711e71eae9a61eb6aed0faf914c18e569adc48e847f6d84

Filesize
901KB
MD5
4a8fd7bb970c86e0650a3e110fb5e6d0
SHA1
514e8249d87435de3b34bfd06e3dea9a6fb0fc96
SHA256
86e9ac84264ae29059d78e2a3ebedea8d3b6c1083d03b82bdab8e32d306fd8a9
SHA512
390a7e834dec74cbcc49efeee1adddb05bbe2e972e08a0ec5e6cfbecc92e4a864f6c33ce1a1d293acd42cc4f8f6ca89a8226820819170f8d86ff5e5d301e5910