Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 14:21
Behavioral task behavioral1
- Sample: a65ef974cf4bc255d44fa7ab8acddf50.exe
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: a65ef974cf4bc255d44fa7ab8acddf50.exe
- Resource: win10v2004-20240508-en
General
- Target: a65ef974cf4bc255d44fa7ab8acddf50.exe
- Size: 1.1MB
- MD5: a65ef974cf4bc255d44fa7ab8acddf50
- SHA1: dfbf0babf43166796c2f5cef62742e9bfc00c55b
- SHA256: 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2
- SHA512: 18bb4f417e84fea2c9b1eb20658c9bcb9a6317a50462db9c490b03ac7f7176d5c2a7c6cde9253a2991df70e866350c93ffe4ff2120f2ae85e26361d764a765dc
- SSDEEP: 24576:n8mNQarw3m8/2W9WRr0Lnw8Zaxy5KcT0zY/Or:DQa2/IRjc5K6
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (48 instances)
- description (all 48 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- pid_target (all rows): 1236; process (all rows): schtasks.exe
- pid: 1704, 2592, 4844, 1660, 3704, 1720, 4336, 4360, 4860, 4436, 4688, 1412, 2728, 5072, 2432, 3624, 4440, 4796, 1132, 2316, 4880, 3144, 3648, 468, 3312, 3712, 1964, 3120, 2248, 2764, 4968, 608, 3100, 2164, 440, 1604, 4620, 1576, 4480, 1048, 3592, 4004, 1632, 5116, 1528, 2256, 3260, 2204
-
Processes (resource / yara_rule):
- behavioral2/memory/912-1-0x00000000001E0000-0x00000000002FA000-memory.dmp: dcrat
- C:\ProgramData\explorer.exe: dcrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
  process: a65ef974cf4bc255d44fa7ab8acddf50.exe
-
Executes dropped EXE 1 IoCs
Processes: taskhostw.exe
- pid 1588: taskhostw.exe
-
Drops file in Program Files directory 6 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe (process column for all rows)
- File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe
- File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ee2ad38f3d4382
- File created: C:\Program Files (x86)\Microsoft\spoolsv.exe
- File created: C:\Program Files (x86)\Microsoft\f3b6ecef712a24
- File created: C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
- File created: C:\Program Files (x86)\Windows Multimedia Platform\f3b6ecef712a24
-
Drops file in Windows directory 13 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe (process column for all rows)
- File created: C:\Windows\Fonts\System.exe
- File created: C:\Windows\twain_32\SppExtComObj.exe
- File created: C:\Windows\appcompat\encapsulation\explorer.exe
- File created: C:\Windows\Downloaded Program Files\sppsvc.exe
- File created: C:\Windows\Downloaded Program Files\0a1fd5f707cd16
- File created: C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe
- File created: C:\Windows\Speech_OneCore\Engines\TTS\9e8d7a4ca61bd9
- File created: C:\Windows\PrintDialog\pris\27d1bcfc3c54e0
- File created: C:\Windows\twain_32\e1ef82546f0b02
- File opened for modification: C:\Windows\appcompat\encapsulation\explorer.exe
- File created: C:\Windows\appcompat\encapsulation\7a0fd90576e088
- File created: C:\Windows\Fonts\27d1bcfc3c54e0
- File created: C:\Windows\PrintDialog\pris\System.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (48 instances)
- pid: 1660, 5072, 3120, 2764, 2164, 3592, 2256, 2592, 4968, 3100, 4620, 5116, 2432, 3624, 2248, 4860, 4436, 4880, 468, 1632, 1528, 4336, 2728, 1132, 3712, 1048, 4688, 1412, 4440, 4796, 3144, 3312, 1964, 608, 440, 3260, 2204, 4844, 1720, 4360, 1576, 1704, 3704, 2316, 3648, 1604, 4480, 4004 (process: schtasks.exe for every pid)
-
Modifies registry class 1 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe
- description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings
  process: a65ef974cf4bc255d44fa7ab8acddf50.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe, taskhostw.exe
- pid 912: a65ef974cf4bc255d44fa7ab8acddf50.exe (repeated row; 23 of the 24 IoCs)
- pid 1588: taskhostw.exe (1 of the 24 IoCs)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe, taskhostw.exe
- Token: SeDebugPrivilege, pid 912, a65ef974cf4bc255d44fa7ab8acddf50.exe
- Token: SeDebugPrivilege, pid 1588, taskhostw.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe, cmd.exe
- PID 912 wrote to memory of 3676: 912 a65ef974cf4bc255d44fa7ab8acddf50.exe -> cmd.exe
- PID 912 wrote to memory of 3676: 912 a65ef974cf4bc255d44fa7ab8acddf50.exe -> cmd.exe
- PID 3676 wrote to memory of 3652: 3676 cmd.exe -> w32tm.exe
- PID 3676 wrote to memory of 3652: 3676 cmd.exe -> w32tm.exe
- PID 3676 wrote to memory of 1588: 3676 cmd.exe -> taskhostw.exe
- PID 3676 wrote to memory of 1588: 3676 cmd.exe -> taskhostw.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 912
  - [depth 2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPrqJdYU34.bat"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3676
    - [depth 3] C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 3652
    - [depth 3] C:\Recovery\WindowsRE\taskhostw.exe
      Command line: "C:\Recovery\WindowsRE\taskhostw.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 1588
- [depth 1] C:\Windows\system32\schtasks.exe, 48 instances. Every instance below carries the signatures: Process spawned unexpected child process; Creates scheduled task(s). Listed as PID: command line.
  - 1704: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\encapsulation\explorer.exe'" /f
  - 2592: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\explorer.exe'" /rl HIGHEST /f
  - 4844: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\encapsulation\explorer.exe'" /rl HIGHEST /f
  - 1660: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /f
  - 3704: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
  - 1720: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
  - 4336: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\spoolsv.exe'" /f
  - 4360: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\spoolsv.exe'" /rl HIGHEST /f
  - 4860: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\spoolsv.exe'" /rl HIGHEST /f
  - 4436: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\sppsvc.exe'" /f
  - 4688: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\sppsvc.exe'" /rl HIGHEST /f
  - 1412: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\sppsvc.exe'" /rl HIGHEST /f
  - 2728: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\explorer.exe'" /f
  - 5072: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
  - 2432: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
  - 3624: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /f
  - 4440: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
  - 4796: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
  - 1132: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dwm.exe'" /f
  - 2316: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
  - 4880: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
  - 3144: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe'" /f
  - 3648: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe'" /rl HIGHEST /f
  - 468: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe'" /rl HIGHEST /f
  - 3312: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\unsecapp.exe'" /f
  - 3712: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
  - 1964: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
  - 3120: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\services.exe'" /f
  - 2248: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
  - 2764: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
  - 4968: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
  - 608: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  - 3100: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  - 2164: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\System.exe'" /f
  - 440: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
  - 4620: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
  - 1604: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
  - 1576: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
  - 4480: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
  - 1048: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\PrintDialog\pris\System.exe'" /f
  - 3592: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\System.exe'" /rl HIGHEST /f
  - 4004: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\pris\System.exe'" /rl HIGHEST /f
  - 1632: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\SppExtComObj.exe'" /f
  - 5116: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\twain_32\SppExtComObj.exe'" /rl HIGHEST /f
  - 1528: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\SppExtComObj.exe'" /rl HIGHEST /f
  - 2256: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /f
  - 3260: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
  - 2204: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\ProgramData\explorer.exe
  Filesize: 1.1MB
  MD5: a65ef974cf4bc255d44fa7ab8acddf50
  SHA1: dfbf0babf43166796c2f5cef62742e9bfc00c55b
  SHA256: 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2
  SHA512: 18bb4f417e84fea2c9b1eb20658c9bcb9a6317a50462db9c490b03ac7f7176d5c2a7c6cde9253a2991df70e866350c93ffe4ff2120f2ae85e26361d764a765dc
- C:\Users\Admin\AppData\Local\Temp\UPrqJdYU34.bat
  Filesize: 200B
  MD5: 48f5d9785168984b4438df9c6ba65741
  SHA1: cd111b19e68b76d9159cf3e6875a2de153f2e817
  SHA256: bcbe4b39f07e243a8aba71418ec39991746ae208bbc969ce7ee0564a9bba1413
  SHA512: c5f738f424bcbf62902915c1ac13005e00a585ce3e343378e9d102129c738a79f57264c3fe7c746cad07a0bf2a182f001d6911cdb70e37fc4383230cd44e55f3
- memory/912-0-0x00007FF84DF63000-0x00007FF84DF65000-memory.dmp (Filesize: 8KB)
- memory/912-1-0x00000000001E0000-0x00000000002FA000-memory.dmp (Filesize: 1.1MB)
- memory/912-2-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp (Filesize: 10.8MB)
- memory/912-3-0x0000000002410000-0x000000000242C000-memory.dmp (Filesize: 112KB)
- memory/912-5-0x0000000002430000-0x0000000002442000-memory.dmp (Filesize: 72KB)
- memory/912-4-0x000000001AFB0000-0x000000001B000000-memory.dmp (Filesize: 320KB)
- memory/912-6-0x000000001BB90000-0x000000001C0B8000-memory.dmp (Filesize: 5.2MB)
- memory/912-44-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp (Filesize: 10.8MB)