Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16-05-2024 02:36
Behavioral task
behavioral1
Sample
4b501fa87e3f05f21f0e85ed63f0deb4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4b501fa87e3f05f21f0e85ed63f0deb4.exe
Resource
win10v2004-20240508-en
General
-
Target
4b501fa87e3f05f21f0e85ed63f0deb4.exe
-
Size
1.2MB
-
MD5
4b501fa87e3f05f21f0e85ed63f0deb4
-
SHA1
ab1f15913d82d926441805a9cd847353836a7816
-
SHA256
a083297276d53c1ea773b6a44715daa36259a8a9efcbc9c18818903c25663847
-
SHA512
3e364b17ed3bc9c4b9a696ae30ef2ee001a1012c8e51c35da41234c1127b6998e81b668078aaf99ea12cbdd4ab5e29ec2ea63f1efec4b4c41c19cdd46c515de8
-
SSDEEP
24576:U2G/nvxW3Ww0t7lDVLfVQ8KMYD/KXZfjaV8bGjqHGrFo:UbA307HV7CEZ7HW7K
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3132 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3684 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 892 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1796 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4664 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4688 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1544 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3452 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4788 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3436 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2096 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2796 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3140 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 676 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3388 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4176 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2296 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2616 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 924 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4840 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 768 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2760 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4464 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4168 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3480 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 628 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3104 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1116 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 116 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4564 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4588 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2232 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3276 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2348 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4488 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3124 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1892 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1064 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5072 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3500 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4868 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3528 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4088 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4884 1820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4188 1820 schtasks.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe dcrat behavioral2/memory/448-13-0x00000000008A0000-0x0000000000988000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
4b501fa87e3f05f21f0e85ed63f0deb4.exeWScript.exerefCrt.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 4b501fa87e3f05f21f0e85ed63f0deb4.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation refCrt.exe -
Executes dropped EXE 2 IoCs
Processes:
refCrt.execonhost.exepid process 448 refCrt.exe 1356 conhost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 ip-api.com -
Drops file in System32 directory 2 IoCs
Processes:
refCrt.exedescription ioc process File created C:\Windows\SysWOW64\th-TH\RuntimeBroker.exe refCrt.exe File created C:\Windows\SysWOW64\th-TH\9e8d7a4ca61bd9 refCrt.exe -
Drops file in Program Files directory 14 IoCs
Processes:
refCrt.exedescription ioc process File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe refCrt.exe File created C:\Program Files\Windows Mail\f3b6ecef712a24 refCrt.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\eddb19405b7ce1 refCrt.exe File created C:\Program Files (x86)\Adobe\fontdrvhost.exe refCrt.exe File created C:\Program Files (x86)\Google\Update\spoolsv.exe refCrt.exe File created C:\Program Files\Windows Mail\spoolsv.exe refCrt.exe File created C:\Program Files (x86)\Internet Explorer\es-ES\wininit.exe refCrt.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe refCrt.exe File created C:\Program Files (x86)\Google\Update\f3b6ecef712a24 refCrt.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\29c1c3cc0f7685 refCrt.exe File created C:\Program Files (x86)\Adobe\5b884080fd4f94 refCrt.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\c82b8037eab33d refCrt.exe File created C:\Program Files (x86)\Internet Explorer\es-ES\56085415360792 refCrt.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\WaaSMedicAgent.exe refCrt.exe -
Drops file in Windows directory 11 IoCs
Processes:
refCrt.exedescription ioc process File opened for modification C:\Windows\InputMethod\dllhost.exe refCrt.exe File created C:\Windows\ShellComponents\10df649f47da76 refCrt.exe File created C:\Windows\apppatch\en-US\SearchApp.exe refCrt.exe File created C:\Windows\apppatch\en-US\38384e6a620884 refCrt.exe File created C:\Windows\L2Schemas\conhost.exe refCrt.exe File created C:\Windows\InputMethod\dllhost.exe refCrt.exe File created C:\Windows\InputMethod\5940a34987c991 refCrt.exe File created C:\Windows\ShellComponents\refCrt.exe refCrt.exe File created C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\RuntimeBroker.exe refCrt.exe File created C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\9e8d7a4ca61bd9 refCrt.exe File created C:\Windows\L2Schemas\088424020bedd6 refCrt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4664 schtasks.exe 2096 schtasks.exe 3132 schtasks.exe 2936 schtasks.exe 3140 schtasks.exe 2760 schtasks.exe 1892 schtasks.exe 1064 schtasks.exe 1956 schtasks.exe 4884 schtasks.exe 4840 schtasks.exe 1584 schtasks.exe 1680 schtasks.exe 4088 schtasks.exe 4176 schtasks.exe 3124 schtasks.exe 4188 schtasks.exe 676 schtasks.exe 4588 schtasks.exe 3276 schtasks.exe 2876 schtasks.exe 892 schtasks.exe 2296 schtasks.exe 4488 schtasks.exe 1736 schtasks.exe 768 schtasks.exe 1116 schtasks.exe 116 schtasks.exe 1544 schtasks.exe 3684 schtasks.exe 924 schtasks.exe 4868 schtasks.exe 4520 schtasks.exe 3500 schtasks.exe 3452 schtasks.exe 2796 schtasks.exe 3388 schtasks.exe 3480 schtasks.exe 4564 schtasks.exe 1796 schtasks.exe 4688 schtasks.exe 4464 schtasks.exe 3104 schtasks.exe 4788 schtasks.exe 628 schtasks.exe 2232 schtasks.exe 2348 schtasks.exe 3436 schtasks.exe 1648 schtasks.exe 5072 schtasks.exe 2616 schtasks.exe 4168 schtasks.exe 2448 schtasks.exe 3528 schtasks.exe -
Modifies registry class 1 IoCs
Processes:
4b501fa87e3f05f21f0e85ed63f0deb4.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings 4b501fa87e3f05f21f0e85ed63f0deb4.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
refCrt.execonhost.exepid process 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 448 refCrt.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe 1356 conhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
conhost.exepid process 1356 conhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
refCrt.execonhost.exedescription pid process Token: SeDebugPrivilege 448 refCrt.exe Token: SeDebugPrivilege 1356 conhost.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
4b501fa87e3f05f21f0e85ed63f0deb4.exeWScript.execmd.exerefCrt.exedescription pid process target process PID 3052 wrote to memory of 2840 3052 4b501fa87e3f05f21f0e85ed63f0deb4.exe WScript.exe PID 3052 wrote to memory of 2840 3052 4b501fa87e3f05f21f0e85ed63f0deb4.exe WScript.exe PID 3052 wrote to memory of 2840 3052 4b501fa87e3f05f21f0e85ed63f0deb4.exe WScript.exe PID 2840 wrote to memory of 4776 2840 WScript.exe cmd.exe PID 2840 wrote to memory of 4776 2840 WScript.exe cmd.exe PID 2840 wrote to memory of 4776 2840 WScript.exe cmd.exe PID 4776 wrote to memory of 448 4776 cmd.exe refCrt.exe PID 4776 wrote to memory of 448 4776 cmd.exe refCrt.exe PID 448 wrote to memory of 1356 448 refCrt.exe conhost.exe PID 448 wrote to memory of 1356 448 refCrt.exe conhost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b501fa87e3f05f21f0e85ed63f0deb4.exe"C:\Users\Admin\AppData\Local\Temp\4b501fa87e3f05f21f0e85ed63f0deb4.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\blockBroker\dCDa6ALGfvXR9eU7o.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\blockBroker\oXLzHTz.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe"C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\L2Schemas\conhost.exe"C:\Windows\L2Schemas\conhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\InputMethod\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "refCrtr" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\refCrt.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "refCrt" /sc ONLOGON /tr "'C:\Windows\ShellComponents\refCrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "refCrtr" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellComponents\refCrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\en-US\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\apppatch\en-US\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\en-US\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\th-TH\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SysWOW64\th-TH\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\th-TH\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\ssh\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\ssh\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\ssh\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
199B
MD5d82ab8a29099adb65e97dd5eb7bb9acc
SHA1bff5f9f5d5793ca27e0f2f26fa437317209da5c9
SHA2567df61b5dc400e66c13e84a0fe0d0af679ed73cacc1e80877224f5dbf52594cc0
SHA512d953272aab88a6ef226b3316a8da7e145cc7bea23ca0f16e0f44dc41e6b5875ba19275234690c079572da89eb2524dbae0a87330ce33c1bd6966161e5ec5e7d1
-
Filesize
31B
MD5f2a70d75ba065b27796739df5ed59503
SHA16761a00a1b4dfc1bdc8b38ebdc1031d4878d0863
SHA2565d8b9079a09b672d42794c2948e409ee1a8a182e7cd591b3697af4ca51c73f16
SHA512931994e6ecbd19d2e804d8b9bc6015ef7d031e99497b6a585c5aed967a07894fc615981bb504dd270711e71eae9a61eb6aed0faf914c18e569adc48e847f6d84
-
Filesize
901KB
MD54a8fd7bb970c86e0650a3e110fb5e6d0
SHA1514e8249d87435de3b34bfd06e3dea9a6fb0fc96
SHA25686e9ac84264ae29059d78e2a3ebedea8d3b6c1083d03b82bdab8e32d306fd8a9
SHA512390a7e834dec74cbcc49efeee1adddb05bbe2e972e08a0ec5e6cfbecc92e4a864f6c33ce1a1d293acd42cc4f8f6ca89a8226820819170f8d86ff5e5d301e5910