Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 08:11
Behavioral tasks
behavioral1: sample 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe, resource win7-20240215-en
behavioral2: sample 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe, resource win10v2004-20240426-en
The signatures, process tree and dropped files below are from behavioral1 (the Windows 7 x64 run); the memory dumps and yara hits are labelled behavioral1.
General
Target: 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe
Size: 1.5MB
MD5: 0aa11032569ed0cb4b5dc419ff4a9546
SHA1: 231c007ce085606499eea34174fd92911852848c
SHA256: 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249
SHA512: 27ceefa9ff530a84e5375aa45ad00b76039d28a35bed79f5f504952401bdde41834ae668790d4c83a9d2f4d61b20d78e425b9badddf27273c35779a088137079
SSDEEP: 24576:U2G/nvxW3Ww0trsehgyBX9ONFTyvQa3bGl//rqtI1kg+QwZ0aHaCgPu8RYaJ:UbA30rscgjApSZWtI1t+QihaCUhYu
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 57 IoCs
This signature fires when a parent with a normally fixed set of children spawns something else; the generic explanation is that the parent was compromised via an exploit or macro. In this run the parent is the WMI provider host, C:\Windows\system32\wbem\wmiprvse.exe (PID 2800), for all 57 events, and every child is schtasks.exe. Launching a command through WMI (Win32_Process.Create) makes the new process a child of wmiprvse.exe, which is the usual cause of this pattern, so the initiator is not the process shown in the parent field and should be looked for among the sample's own processes (winIntocrt.exe, PID 2664, or System.exe, PID 2552; see the process tree and the "Uses Task Scheduler COM API" signature below).
Processes: all 57 events have parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2800) and target process schtasks.exe; child PIDs in report order:
2612, 2504, 2456, 1648, 1736, 2400, 2824, 2628, 2828, 2972, 2728, 1896, 2332, 1588, 344, 780, 2160, 2616, 2764, 2776, 3024, 1192, 2108, 1324, 2260, 2768, 2272, 1244, 324, 580, 1500, 652, 1828, 1100, 1644, 452, 2052, 1740, 1784, 2000, 1404, 1912, 2908, 1048, 600, 2204, 2300, 572, 2264, 820, 1004, 776, 2296, 3052, 1584, 2148, 2392
Processes (yara hits, rule dcrat):
resource C:\portfontruntimedhcpcommon\winIntocrt.exe
behavioral1/memory/2664-13-0x0000000001110000-0x0000000001246000-memory.dmp
behavioral1/memory/2552-62-0x00000000000C0000-0x00000000001F6000-memory.dmp
Disables Task Manager via registry modification (reg.exe, PID 1696, sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1; see the process tree)
-
Executes dropped EXE 2 IoCs
Processes:
PID 2664 winIntocrt.exe
PID 2552 System.exe
Loads dropped DLL 2 IoCs
Processes:
PID 2640 cmd.exe (2 events)
Drops file in System32 directory 1 IoCs
Processes (file created by winIntocrt.exe):
C:\Windows\SysWOW64\icsxml\conhost.exe
Drops file in Program Files directory 10 IoCs
Processes (files created by winIntocrt.exe):
C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24
C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\System.exe
C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\27d1bcfc3c54e0
C:\Program Files (x86)\Common Files\Services\winIntocrt.exe
C:\Program Files (x86)\Common Files\Services\24eadda12c9209
C:\Program Files\Windows Sidebar\System.exe
C:\Program Files\Windows Sidebar\27d1bcfc3c54e0
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\lsm.exe
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\101b941d020240
Drops file in Windows directory 10 IoCs
Processes (files created by winIntocrt.exe):
C:\Windows\en-US\winlogon.exe
C:\Windows\fr-FR\smss.exe
C:\Windows\RemotePackages\RemoteDesktops\conhost.exe
C:\Windows\es-ES\services.exe
C:\Windows\es-ES\c5b4cb5e9653cc
C:\Windows\PLA\Rules\es-ES\winlogon.exe
C:\Windows\PLA\Rules\es-ES\cc11b995f2a76d
C:\Windows\en-US\cc11b995f2a76d
C:\Windows\fr-FR\69ddcba757bf72
C:\Windows\RemotePackages\RemoteDesktops\088424020bedd6
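Two things stand out in the three file-drop lists above: every dropped executable borrows the name of a core Windows process (winlogon.exe, smss.exe, services.exe, conhost.exe, lsm.exe, spoolsv.exe, System.exe) while living outside System32, and each one is written next to a companion file whose name is 14 lowercase hex characters. The script below is an added example, not part of the sandbox report or the sample, that turns both observations into checks over file-creation events. The input list is constructed from the paths above plus two fictional entries for a benign "Contoso" installer (an assumption, not from the report) so that the checks have something to leave alone.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: "File created" paths copied from the report's three
# "Drops file" signatures, plus two entries for a fictional benign installer
# (assumption, not from the report) so the checks have something to pass.
FILE_EVENTS = [
    r"C:\Windows\SysWOW64\icsxml\conhost.exe",
    r"C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe",
    r"C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24",
    r"C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\System.exe",
    r"C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\27d1bcfc3c54e0",
    r"C:\Program Files (x86)\Common Files\Services\winIntocrt.exe",
    r"C:\Program Files (x86)\Common Files\Services\24eadda12c9209",
    r"C:\Program Files\Windows Sidebar\System.exe",
    r"C:\Program Files\Windows Sidebar\27d1bcfc3c54e0",
    r"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\lsm.exe",
    r"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\101b941d020240",
    r"C:\Windows\en-US\winlogon.exe",
    r"C:\Windows\en-US\cc11b995f2a76d",
    r"C:\Windows\fr-FR\smss.exe",
    r"C:\Windows\fr-FR\69ddcba757bf72",
    r"C:\Windows\RemotePackages\RemoteDesktops\conhost.exe",
    r"C:\Windows\RemotePackages\RemoteDesktops\088424020bedd6",
    r"C:\Windows\es-ES\services.exe",
    r"C:\Windows\es-ES\c5b4cb5e9653cc",
    r"C:\Windows\PLA\Rules\es-ES\winlogon.exe",
    r"C:\Windows\PLA\Rules\es-ES\cc11b995f2a76d",
    r"C:\Program Files\Contoso\updater.exe",          # constructed benign entry
    r"C:\Program Files\Contoso\updater.exe.config",   # constructed benign entry
]

# Core Windows process names that the sample reuses for its copies. The two
# directories in LEGIT_DIRS are the only places these names are expected.
SYSTEM_BINARY_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "lsm.exe", "svchost.exe", "spoolsv.exe", "sppsvc.exe",
    "conhost.exe", "dwm.exe", "system.exe",
}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# In this report every dropped binary outside System32 came with a sibling
# file whose name is exactly 14 lowercase hex characters.
HEX_COMPANION = re.compile(r"^[0-9a-f]{14}$")


def find_masquerading_exes(paths):
    """Paths whose file name copies a core Windows binary but whose directory
    is not System32/SysWOW64 (e.g. "Windows Sidebar\\System.exe")."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in SYSTEM_BINARY_NAMES and str(wp.parent).lower() not in LEGIT_DIRS:
            hits.append(p)
    return hits


def find_companion_pairs(paths):
    """Map each dropped .exe to the 14-hex-character file created beside it.
    Only directories holding exactly one .exe and one companion are paired,
    which is the one-to-one layout seen in the report."""
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].append(wp)
    pairs = {}
    for names in by_dir.values():
        exes = [n for n in names if n.suffix.lower() == ".exe"]
        companions = [n for n in names if HEX_COMPANION.match(n.name)]
        if len(exes) == 1 and len(companions) == 1:
            pairs[str(exes[0])] = str(companions[0])
    return pairs


def unpaired_drops(paths):
    """Dropped .exe files with no hex companion. For this sample the companion
    is the tell, so an unpaired drop deserves a manual look either way."""
    paired = set(find_companion_pairs(paths))
    return [p for p in paths if p.lower().endswith(".exe") and p not in paired]
```

Run over the constructed list, the name check flags ten of the eleven dropped executables (winIntocrt.exe is the one it misses, which is why the companion check is the better pivot here: it pairs all ten Program Files and Windows drops, including winIntocrt.exe), and the only unpaired executables are the SysWOW64\icsxml conhost.exe and the fictional updater.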
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: 57 schtasks.exe instances, PIDs
2332, 3052, 1584, 2456, 324, 580, 1500, 1644, 572, 1648, 2628, 2764, 2052, 2296, 2504, 344, 3024, 1784, 2148, 2272, 1244, 1828, 1048, 776, 452, 1896, 2160, 1192, 2728, 2108, 1740, 2000, 2204, 2392, 2776, 2264, 820, 1004, 1736, 2972, 780, 1404, 1912, 2300, 2612, 1588, 2828, 1100, 2400, 2260, 2908, 2824, 2616, 1324, 2768, 652, 600
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
PID 2664 winIntocrt.exe (3 events)
PID 2552 System.exe (1 event)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PID 2664 winIntocrt.exe: Token SeDebugPrivilege
PID 2552 System.exe: Token SeDebugPrivilege
Suspicious use of WriteProcessMemory 25 IoCs
Processes (parent -> child, with the number of "wrote to memory of" events per pair):
PID 2760 460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe -> PID 1304 WScript.exe (4)
PID 1304 WScript.exe -> PID 2640 cmd.exe (4)
PID 2640 cmd.exe -> PID 2664 winIntocrt.exe (4)
PID 2664 winIntocrt.exe -> PID 1904 cmd.exe (3)
PID 2640 cmd.exe -> PID 1696 reg.exe (4)
PID 1904 cmd.exe -> PID 2128 w32tm.exe (3)
PID 1904 cmd.exe -> PID 2552 System.exe (3)
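The parent/child pairs above are enough to rebuild the execution chain and to state the detection that matters here: a binary running from a user-writable or made-up directory that has a script host (WScript.exe) somewhere in its ancestry. The following is an added example, not code from the sandbox or the sample; the edge list and image paths are constructed from the pairs above and from the process tree below, and the WMI-launched schtasks.exe children (parent wmiprvse.exe) are deliberately left out because their true initiator is not recorded.

```python
SAMPLE = "460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe"

# Constructed from the report: (parent pid, child pid) pairs recorded under
# "Suspicious use of WriteProcessMemory" (duplicates are tolerated) and the
# image paths from the process tree.
EDGES = [
    (2760, 1304), (2760, 1304), (2760, 1304), (2760, 1304),
    (1304, 2640), (2640, 2664), (2664, 1904), (2640, 1696),
    (1904, 2128), (1904, 2552),
]
IMAGES = {
    2760: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    1304: r"C:\Windows\SysWOW64\WScript.exe",
    2640: r"C:\Windows\SysWOW64\cmd.exe",
    2664: r"C:\portfontruntimedhcpcommon\winIntocrt.exe",
    1904: r"C:\Windows\System32\cmd.exe",
    1696: r"C:\Windows\SysWOW64\reg.exe",
    2128: r"C:\Windows\system32\w32tm.exe",
    2552: r"C:\Users\Public\System.exe",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Directories from which an executable is treated as "expected" for this check.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_parent_map(edges):
    """child pid -> parent pid; the first parent seen wins, later duplicates are ignored."""
    parents = {}
    for ppid, pid in edges:
        parents.setdefault(pid, ppid)
    return parents


def lineage(pid, parents, images):
    """Image names from the root of the tree down to pid, in execution order.
    The seen-set guards against a cyclic or self-parented pid in noisy telemetry."""
    chain = []
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(basename(images.get(pid, str(pid))))
        pid = parents.get(pid)
    return list(reversed(chain))


def suspicious_processes(edges, images):
    """pid -> reason for every process that (a) runs from outside C:\\Windows
    and C:\\Program Files and (b) has a script host somewhere above it.
    Condition (b) is what separates the dropped payloads from the initial
    sample in Temp, which has no script host in its ancestry."""
    parents = build_parent_map(edges)
    findings = {}
    for pid, image in images.items():
        if image.lower().startswith(TRUSTED_PREFIXES):
            continue
        chain = lineage(pid, parents, images)
        ancestors = [name.lower() for name in chain[:-1]]
        if any(name in SCRIPT_HOSTS for name in ancestors):
            findings[pid] = "%s launched via %s" % (image, " -> ".join(chain))
    return findings


if __name__ == "__main__":
    for pid, reason in sorted(suspicious_processes(EDGES, IMAGES).items()):
        print(pid, reason)
```

On this data the check flags exactly the two dcrat yara hits, winIntocrt.exe (PID 2664) and C:\Users\Public\System.exe (PID 2552), and leaves the original sample in Temp alone, which is the right outcome for a rule meant to catch the second stage rather than every file a user runs from Downloads.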
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation and numbers give the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe (PID 2760)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 1304)
      cmdline: "C:\Windows\System32\WScript.exe" "C:\portfontruntimedhcpcommon\2AtjMgNakJRkKYjukYN.vbe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 2640)
         cmdline: cmd /c ""C:\portfontruntimedhcpcommon\ZlA6L6tE0pGuNWSWZqbtTT.bat" "
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\portfontruntimedhcpcommon\winIntocrt.exe (PID 2664)
            cmdline: "C:\portfontruntimedhcpcommon\winIntocrt.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\cmd.exe (PID 1904)
               cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moliYVpVnD.bat"
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\w32tm.exe (PID 2128)
                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
               6. C:\Users\Public\System.exe (PID 2552)
                  cmdline: "C:\Users\Public\System.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\reg.exe (PID 1696)
            cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - Modifies registry key

Reading the chain: the dropper runs its .vbe through WScript.exe, the .vbe runs the .bat, and the .bat both starts winIntocrt.exe (the dcrat yara hit) and disables Task Manager through reg.exe. winIntocrt.exe then runs a second batch file from Temp (moliYVpVnD.bat, hashed under Downloads) that calls w32tm /stripchart, a common batch-file substitute for a short sleep, and starts C:\Users\Public\System.exe, which also matches the dcrat rule. The WScript.exe, cmd.exe (PID 2640) and reg.exe images resolve to SysWOW64 although their command lines say System32: the dropper is a 32-bit process, so WoW64 file-system redirection applies.
Scheduled tasks created by schtasks.exe (all 57 are children of wmiprvse.exe, PID 2800, and carry the "Process spawned unexpected child process" and "Creates scheduled task(s)" tags). Every target executable gets the same trio: a MINUTE-interval task without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST, each created with /f. Because /f replaces an existing task of the same name, the reused names (winlogon/winlogonw for five targets, System/SystemS and conhost/conhostc for three each, dwm/dwmd and services/servicess for two each) overwrite one another, so at most 20 distinctly named tasks remain after the run; the dropped binaries stay on disk regardless. Targets under C:\Users, C:\MSOCache and C:\Recovery are not covered by the file-drop signatures above, which only report System32, Program Files and the Windows directory.

Target: C:\Users\Default User\sppsvc.exe
  PID 2612  /tn "sppsvcs" /sc MINUTE /mo 10 /f
  PID 2504  /tn "sppsvc" /sc ONLOGON /rl HIGHEST /f
  PID 2456  /tn "sppsvcs" /sc MINUTE /mo 7 /rl HIGHEST /f

Target: C:\Windows\en-US\winlogon.exe
  PID 1648  /tn "winlogonw" /sc MINUTE /mo 7 /f
  PID 1736  /tn "winlogon" /sc ONLOGON /rl HIGHEST /f
  PID 2400  /tn "winlogonw" /sc MINUTE /mo 13 /rl HIGHEST /f

Target: C:\Program Files (x86)\Common Files\Services\winIntocrt.exe
  PID 2824  /tn "winIntocrtw" /sc MINUTE /mo 13 /f
  PID 2628  /tn "winIntocrt" /sc ONLOGON /rl HIGHEST /f
  PID 2828  /tn "winIntocrtw" /sc MINUTE /mo 7 /rl HIGHEST /f

Target: C:\Program Files\Windows Sidebar\System.exe
  PID 2972  /tn "SystemS" /sc MINUTE /mo 11 /f
  PID 2728  /tn "System" /sc ONLOGON /rl HIGHEST /f
  PID 1896  /tn "SystemS" /sc MINUTE /mo 12 /rl HIGHEST /f

Target: C:\Users\Public\System.exe
  PID 2332  /tn "SystemS" /sc MINUTE /mo 14 /f
  PID 1588  /tn "System" /sc ONLOGON /rl HIGHEST /f
  PID 344   /tn "SystemS" /sc MINUTE /mo 5 /rl HIGHEST /f

Target: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
  PID 780   /tn "conhostc" /sc MINUTE /mo 7 /f
  PID 2160  /tn "conhost" /sc ONLOGON /rl HIGHEST /f
  PID 2616  /tn "conhostc" /sc MINUTE /mo 9 /rl HIGHEST /f

Target: C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
  PID 2764  /tn "dwmd" /sc MINUTE /mo 12 /f
  PID 2776  /tn "dwm" /sc ONLOGON /rl HIGHEST /f
  PID 3024  /tn "dwmd" /sc MINUTE /mo 12 /rl HIGHEST /f

Target: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
  PID 1192  /tn "winlogonw" /sc MINUTE /mo 11 /f
  PID 2108  /tn "winlogon" /sc ONLOGON /rl HIGHEST /f
  PID 1324  /tn "winlogonw" /sc MINUTE /mo 11 /rl HIGHEST /f

Target: C:\Program Files\Microsoft Games\Minesweeper\ja-JP\lsm.exe
  PID 2260  /tn "lsml" /sc MINUTE /mo 13 /f
  PID 2768  /tn "lsm" /sc ONLOGON /rl HIGHEST /f
  PID 2272  /tn "lsml" /sc MINUTE /mo 8 /rl HIGHEST /f

Target: C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
  PID 1244  /tn "spoolsvs" /sc MINUTE /mo 13 /f
  PID 324   /tn "spoolsv" /sc ONLOGON /rl HIGHEST /f
  PID 580   /tn "spoolsvs" /sc MINUTE /mo 9 /rl HIGHEST /f

Target: C:\Users\Default\Templates\conhost.exe
  PID 1500  /tn "conhostc" /sc MINUTE /mo 5 /f
  PID 652   /tn "conhost" /sc ONLOGON /rl HIGHEST /f
  PID 1828  /tn "conhostc" /sc MINUTE /mo 11 /rl HIGHEST /f

Target: C:\Users\All Users\Desktop\services.exe
  PID 1100  /tn "servicess" /sc MINUTE /mo 12 /f
  PID 1644  /tn "services" /sc ONLOGON /rl HIGHEST /f
  PID 452   /tn "servicess" /sc MINUTE /mo 9 /rl HIGHEST /f

Target: C:\Windows\fr-FR\smss.exe
  PID 2052  /tn "smsss" /sc MINUTE /mo 7 /f
  PID 1740  /tn "smss" /sc ONLOGON /rl HIGHEST /f
  PID 1784  /tn "smsss" /sc MINUTE /mo 5 /rl HIGHEST /f

Target: C:\Windows\RemotePackages\RemoteDesktops\conhost.exe
  PID 2000  /tn "conhostc" /sc MINUTE /mo 10 /f
  PID 1404  /tn "conhost" /sc ONLOGON /rl HIGHEST /f
  PID 1912  /tn "conhostc" /sc MINUTE /mo 7 /rl HIGHEST /f

Target: C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\System.exe
  PID 2908  /tn "SystemS" /sc MINUTE /mo 7 /f
  PID 1048  /tn "System" /sc ONLOGON /rl HIGHEST /f
  PID 600   /tn "SystemS" /sc MINUTE /mo 11 /rl HIGHEST /f

Target: C:\Windows\es-ES\services.exe
  PID 2204  /tn "servicess" /sc MINUTE /mo 5 /f
  PID 2300  /tn "services" /sc ONLOGON /rl HIGHEST /f
  PID 572   /tn "servicess" /sc MINUTE /mo 6 /rl HIGHEST /f

Target: C:\Users\All Users\winlogon.exe
  PID 2264  /tn "winlogonw" /sc MINUTE /mo 6 /f
  PID 820   /tn "winlogon" /sc ONLOGON /rl HIGHEST /f
  PID 1004  /tn "winlogonw" /sc MINUTE /mo 11 /rl HIGHEST /f

Target: C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\dwm.exe
  PID 776   /tn "dwmd" /sc MINUTE /mo 8 /f
  PID 2296  /tn "dwm" /sc ONLOGON /rl HIGHEST /f
  PID 3052  /tn "dwmd" /sc MINUTE /mo 9 /rl HIGHEST /f

Target: C:\Windows\PLA\Rules\es-ES\winlogon.exe
  PID 1584  /tn "winlogonw" /sc MINUTE /mo 6 /f
  PID 2148  /tn "winlogon" /sc ONLOGON /rl HIGHEST /f
  PID 2392  /tn "winlogonw" /sc MINUTE /mo 8 /rl HIGHEST /f
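The 57 command lines above are the most reusable detection material in this report: the same four properties (a system-binary name outside System32, a target in a user-writable or odd directory, a re-launch every few minutes, and /rl HIGHEST) recur for every target. The script below is an added example, not part of the sandbox report or the sample. It parses schtasks /create command lines, scores each one on those properties and groups tasks by target so the trio-per-binary pattern becomes visible. The input is constructed from seven of the lines above (three targets) plus one fictional benign daily task for a "Contoso" updater (an assumption, not from the report) to show what does not get flagged. Only the flags that appear on this page are parsed; a /tr value that carries its own arguments inside escaped quotes is not handled.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: seven schtasks command lines copied from the report
# (three targets) and one fictional benign task (assumption, not from the report).
CMDLINES = [
    r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /f""",
    r"""schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\winlogon.exe'" /f""",
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\en-US\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\dwm.exe'" /f""",
    r"""schtasks.exe /create /tn "ContosoUpdate" /sc DAILY /st 03:00 /tr "C:\Program Files\Contoso\updater.exe" /f""",
]

RE_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
RE_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
RE_SC = re.compile(r'/sc\s+(\S+)', re.I)
RE_MO = re.compile(r'/mo\s+(\d+)', re.I)
RE_RL = re.compile(r'/rl\s+(\S+)', re.I)

# Names the sample borrows; only System32/SysWOW64 are legitimate homes for them.
SYSTEM_BINARY_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "lsm.exe", "svchost.exe", "spoolsv.exe", "sppsvc.exe",
    "conhost.exe", "dwm.exe", "system.exe",
}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


def parse_schtasks(cmdline):
    """Extract task name, schedule, interval, run level and target path from a
    schtasks /create command line. The sample wraps the target in single quotes
    inside the double quotes, so both are stripped. schtasks defaults to LIMITED
    when /rl is absent."""
    def first(rx):
        m = rx.search(cmdline)
        return m.group(1) if m else None
    mo = first(RE_MO)
    return {
        "task": first(RE_TN) or "",
        "schedule": (first(RE_SC) or "").upper(),
        "modifier": int(mo) if mo else None,
        "runlevel": (first(RE_RL) or "LIMITED").upper(),
        "target": (first(RE_TR) or "").strip().strip("'\""),
    }


def assess(rec):
    """Reasons a parsed task looks like dropped-binary persistence (empty = nothing seen)."""
    reasons = []
    wp = PureWindowsPath(rec["target"])
    directory = str(wp.parent).lower()
    if wp.name.lower() in SYSTEM_BINARY_NAMES and directory not in LEGIT_DIRS:
        reasons.append("system binary name outside System32/SysWOW64")
    if not directory.startswith(TRUSTED_PREFIXES):
        reasons.append("target in a user-writable or unusual directory")
    if rec["schedule"] == "MINUTE" and rec["modifier"] is not None and rec["modifier"] <= 15:
        reasons.append("re-launched every %d minutes (watchdog pattern)" % rec["modifier"])
    if rec["runlevel"] == "HIGHEST":
        reasons.append("runs with highest available privileges")
    return reasons


def triage(cmdlines):
    """target path -> {"tasks": [...], "reasons": [...]}; grouping by target is
    what exposes the fixed trio (MINUTE, ONLOGON+HIGHEST, MINUTE+HIGHEST) per binary."""
    groups = defaultdict(lambda: {"tasks": [], "reasons": set()})
    for line in cmdlines:
        rec = parse_schtasks(line)
        g = groups[rec["target"]]
        interval = "/%d" % rec["modifier"] if rec["modifier"] else ""
        g["tasks"].append("%s (%s%s, %s)" % (rec["task"], rec["schedule"], interval, rec["runlevel"]))
        g["reasons"].update(assess(rec))
    return {t: {"tasks": g["tasks"], "reasons": sorted(g["reasons"])} for t, g in groups.items()}


def flagged_targets(cmdlines, min_reasons=2):
    """Targets whose tasks accumulate at least min_reasons distinct reasons."""
    return sorted(t for t, g in triage(cmdlines).items() if len(g["reasons"]) >= min_reasons)


if __name__ == "__main__":
    for target, info in triage(CMDLINES).items():
        print(target, info["tasks"], info["reasons"])
```

With the threshold at two reasons the three report targets are flagged and the Contoso task is not; a single-reason threshold would also catch any legitimate task that merely runs at HIGHEST, which is why the reasons are accumulated per target rather than scored per line.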
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files and memory dumps)

C:\Users\Admin\AppData\Local\Temp\moliYVpVnD.bat
Filesize: 191B
MD5: f857d1db7560965a7d4bf4954af3ab0c
SHA1: 8754265beefb3eb1feef7b104073409e64d4e1d1
SHA256: 52d5d0d4472636b44c5856a9b30fb88a043e17f8447bee24dda7c0767b098657
SHA512: dc1152e10079fdf9a05458b14e5c4278ce9b9a28e6fee3db006d175e51cdcb62602324dce5e4f362757d60ed65a2e68e2df140ba3f33dfdf051d525fe52376f4

C:\portfontruntimedhcpcommon\2AtjMgNakJRkKYjukYN.vbe
Filesize: 224B
MD5: 2d592334ab65a88655a2f86417777486
SHA1: 43316e128f8cd05f2e783c8a90192aa6f423f9a5
SHA256: e6b379acb737d1fff313a9090bd4d8d582c4e98209d63691718b1fda2115d1cf
SHA512: 364ef08f42a2ba6b7290929f62a8f9bd6d5084054aca3f886d8ca7de472ef37b0e4ec57c666fbfa70ef52f47f0ed31c56452b840ae5e9dcfb85231930394c65a

C:\portfontruntimedhcpcommon\ZlA6L6tE0pGuNWSWZqbtTT.bat
Filesize: 157B
MD5: 37a07b949b9630d9845c522bbf15f97c
SHA1: b60e22be8a2b81f733cd0b7d00f28ad3da79124b
SHA256: fd589c262fef893181690d62411fa304e79cf9d8470c3db7ebec775774ca28fb
SHA512: c4c519a2b57d44ee4a3871c1a08ca666016ace84648c180b1f9caa6efd67d3b0d1cd23b9bcd7f467a57504feed9ae203ec862ec65e1bd2077a7cb874557a3640

C:\portfontruntimedhcpcommon\winIntocrt.exe
Filesize: 1.2MB
MD5: 5da27eb690e92471d9d9669287011a75
SHA1: 6e7f72f61d868c27c3e487586d959f35a96aeefc
SHA256: 32346c2a4a55dc3c85e9712f8994480a826b209a00a9aedc7f181f6dd69e60d6
SHA512: 0e47bbb8e2d72d1468308308d6e1444f824048d17f714d06135ca4ed63a4e2887aa8b327d36e4ef6243b5d0d734a1be3aff8b2c9f45efa97b739d2131392a291

Memory dumps:
memory/2552-62-0x00000000000C0000-0x00000000001F6000-memory.dmp  Filesize: 1.2MB
memory/2664-13-0x0000000001110000-0x0000000001246000-memory.dmp  Filesize: 1.2MB
memory/2664-14-0x0000000000750000-0x000000000076C000-memory.dmp  Filesize: 112KB
memory/2664-15-0x0000000000A10000-0x0000000000A26000-memory.dmp  Filesize: 88KB
memory/2664-16-0x0000000000A30000-0x0000000000A3E000-memory.dmp  Filesize: 56KB