Analysis
-
max time kernel
147s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
-
submitted
20-06-2024 00:26
Behavioral task
behavioral1
Sample
105e56a8f722fc60cb17281dc8a0d073.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
105e56a8f722fc60cb17281dc8a0d073.exe
Resource
win10v2004-20240508-en
General
-
Target
105e56a8f722fc60cb17281dc8a0d073.exe
-
Size
1.1MB
-
MD5
105e56a8f722fc60cb17281dc8a0d073
-
SHA1
85bcb8e6b6c83f2a64260ae3ad2386b7e4aa0434
-
SHA256
9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab
-
SHA512
6b4fd698cb80400d610629b0390314de0d06067d3648ba893a1fed5198bb6f0194e52685d95c7f0afc79eace95188668dcc05f4c6f19b89ee6ca05ca6d2b1172
-
SSDEEP
24576:U2G/nvxW3Ww0txUX597x0D6TmBqndcQ71Ee:UbA30GPWD6BNd
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe (39 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1448 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 208 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3596 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3656 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2176 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5032 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4692 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 624 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4940 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5024 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4372 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3564 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4048 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3540 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3588 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1040 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5020 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 376 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3180 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1416 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3736 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 468 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1356 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3664 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2160 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4768 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4552 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4736 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3360 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3312 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4184 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2420 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4772 | 4992 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 4992 | schtasks.exe
-
YARA matches (DcRat):
resource | yara_rule
C:\winDhcp\browserhostnet.exe | dcrat
behavioral2/memory/4052-13-0x0000000000B20000-0x0000000000BF6000-memory.dmp | dcrat
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
105e56a8f722fc60cb17281dc8a0d073.exe, WScript.exe, browserhostnet.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 105e56a8f722fc60cb17281dc8a0d073.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | browserhostnet.exe
-
Executes dropped EXE 2 IoCs
Processes:
browserhostnet.exe, spoolsv.exe
pid | process
4052 | browserhostnet.exe
4476 | spoolsv.exe
-
Drops file in Program Files directory 6 IoCs
Processes:
browserhostnet.exe
description | ioc | process
File created | C:\Program Files\Windows Defender\en-US\unsecapp.exe | browserhostnet.exe
File created | C:\Program Files\Windows Defender\en-US\29c1c3cc0f7685 | browserhostnet.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sysmon.exe | browserhostnet.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\121e5b5079f7c0 | browserhostnet.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe | browserhostnet.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\ebf1f9fa8afd6d | browserhostnet.exe
-
Drops file in Windows directory 10 IoCs
Processes:
browserhostnet.exe
description | ioc | process
File created | C:\Windows\Logs\WindowsUpdate\7a0fd90576e088 | browserhostnet.exe
File created | C:\Windows\PrintDialog\en-US\Idle.exe | browserhostnet.exe
File created | C:\Windows\PolicyDefinitions\fr-FR\6ccacd8608530f | browserhostnet.exe
File created | C:\Windows\Sun\Java\Deployment\taskhostw.exe | browserhostnet.exe
File opened for modification | C:\Windows\Sun\Java\Deployment\taskhostw.exe | browserhostnet.exe
File created | C:\Windows\Logs\WindowsUpdate\explorer.exe | browserhostnet.exe
File created | C:\Windows\Provisioning\Cosa\9e8d7a4ca61bd9 | browserhostnet.exe
File created | C:\Windows\Sun\Java\Deployment\ea9f0e6c9e2dcd | browserhostnet.exe
File created | C:\Windows\PolicyDefinitions\fr-FR\Idle.exe | browserhostnet.exe
File created | C:\Windows\Provisioning\Cosa\RuntimeBroker.exe | browserhostnet.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
105e56a8f722fc60cb17281dc8a0d073.exe, browserhostnet.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 105e56a8f722fc60cb17281dc8a0d073.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | browserhostnet.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (39 instances)
pid | process
2176 | schtasks.exe
3180 | schtasks.exe
3312 | schtasks.exe
4184 | schtasks.exe
4772 | schtasks.exe
3596 | schtasks.exe
5024 | schtasks.exe
3360 | schtasks.exe
4692 | schtasks.exe
3736 | schtasks.exe
1356 | schtasks.exe
208 | schtasks.exe
2160 | schtasks.exe
4552 | schtasks.exe
1040 | schtasks.exe
5020 | schtasks.exe
1416 | schtasks.exe
2044 | schtasks.exe
468 | schtasks.exe
4372 | schtasks.exe
3564 | schtasks.exe
3540 | schtasks.exe
3664 | schtasks.exe
2420 | schtasks.exe
1912 | schtasks.exe
376 | schtasks.exe
1448 | schtasks.exe
3656 | schtasks.exe
4940 | schtasks.exe
4048 | schtasks.exe
4768 | schtasks.exe
3588 | schtasks.exe
1444 | schtasks.exe
2636 | schtasks.exe
4736 | schtasks.exe
2028 | schtasks.exe
5032 | schtasks.exe
624 | schtasks.exe
2652 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
browserhostnet.exe, spoolsv.exe
pid | process
4052 | browserhostnet.exe (17 entries)
4476 | spoolsv.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
browserhostnet.exe, spoolsv.exe
description | pid | process
Token: SeDebugPrivilege | 4052 | browserhostnet.exe
Token: SeDebugPrivilege | 4476 | spoolsv.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
105e56a8f722fc60cb17281dc8a0d073.exe, WScript.exe, cmd.exe, browserhostnet.exe, cmd.exe
description | pid | process | target process
PID 4888 wrote to memory of 2064 | 4888 | 105e56a8f722fc60cb17281dc8a0d073.exe | WScript.exe
PID 4888 wrote to memory of 2064 | 4888 | 105e56a8f722fc60cb17281dc8a0d073.exe | WScript.exe
PID 4888 wrote to memory of 2064 | 4888 | 105e56a8f722fc60cb17281dc8a0d073.exe | WScript.exe
PID 2064 wrote to memory of 1940 | 2064 | WScript.exe | cmd.exe
PID 2064 wrote to memory of 1940 | 2064 | WScript.exe | cmd.exe
PID 2064 wrote to memory of 1940 | 2064 | WScript.exe | cmd.exe
PID 1940 wrote to memory of 4052 | 1940 | cmd.exe | browserhostnet.exe
PID 1940 wrote to memory of 4052 | 1940 | cmd.exe | browserhostnet.exe
PID 4052 wrote to memory of 4856 | 4052 | browserhostnet.exe | cmd.exe
PID 4052 wrote to memory of 4856 | 4052 | browserhostnet.exe | cmd.exe
PID 4856 wrote to memory of 4332 | 4856 | cmd.exe | w32tm.exe
PID 4856 wrote to memory of 4332 | 4856 | cmd.exe | w32tm.exe
PID 4856 wrote to memory of 4476 | 4856 | cmd.exe | spoolsv.exe
PID 4856 wrote to memory of 4476 | 4856 | cmd.exe | spoolsv.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\105e56a8f722fc60cb17281dc8a0d073.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\105e56a8f722fc60cb17281dc8a0d073.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888 -
Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\winDhcp\DyOE67CiXFDK4.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2064 -
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\winDhcp\QlWrCKPitO3EBDJkoooUbfBub6XAu.bat" "
- Suspicious use of WriteProcessMemory
PID:1940 -
Level 4: C:\winDhcp\browserhostnet.exe
Command line: "C:\winDhcp\browserhostnet.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052 -
Level 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4WJp69KRI.bat"
- Suspicious use of WriteProcessMemory
PID:4856 -
Level 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4332
-
Level 6: C:\Recovery\WindowsRE\spoolsv.exe
Command line: "C:\Recovery\WindowsRE\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\Java\Deployment\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\WindowsUpdate\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Logs\WindowsUpdate\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\WindowsUpdate\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "browserhostnetb" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\browserhostnet.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "browserhostnet" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\browserhostnet.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "browserhostnetb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\browserhostnet.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\fr-FR\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\fr-FR\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\fr-FR\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\winDhcp\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\winDhcp\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\winDhcp\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\winDhcp\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\winDhcp\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\winDhcp\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sysmon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Cosa\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Cosa\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Z4WJp69KRI.bat
Filesize 198B
MD5 e1184387e2207bbce6b487d6aa5a3668
SHA1 217d2fd3fbf7d21d78b0e609fe8cf113484d5aab
SHA256 ebbc779cbe485b1100535e710f64266978dbcb533f25914d5de65a9ed43cfc55
SHA512 a939a2aad5f27a2e3aafb7b86e5bf9c7ead34d311c3577ffe9e09f455be3bd9c7314913a04c6b2ae8297f44dee21fd1f5c970954dad1d8d2082cf7d0e09ffe03
-
C:\winDhcp\DyOE67CiXFDK4.vbe
Filesize 213B
MD5 a6895e1baccdda4b4f131a5d6b29884a
SHA1 5e53063494d49c65bb3f940edf030462a9646b0b
SHA256 7218700f0f012caf18a92e2f012d56b3f1241414d11bb38d69e0633a33d80ff9
SHA512 439eff2b5e330a534d582501053290dcf7a44f4de685cacb8b7a6b91bd76a59f044208f1e7eca52f857fe18a8c93441c0d4a62495a30b308035c6edce1b7e8a1
-
C:\winDhcp\QlWrCKPitO3EBDJkoooUbfBub6XAu.bat
Filesize 31B
MD5 0783953e91c834463a8af6965b8a6e82
SHA1 66d1c6db94b36f6112e393e33ae94f4b963f1b31
SHA256 f1abb9924b1d91414efe342d4b3a2b7e9e49aaaeef4300f5f3a0cda9e7ad853d
SHA512 0054fc1f4dbdc09ba5137d5b581d9da43878c23efb1ae888b71fbde8e28c09f9c39728423697dd5479063050fd5819c251856bb6b58155e9e8de99d8ee67165a
-
C:\winDhcp\browserhostnet.exe
Filesize 827KB
MD5 68491d301f2370e9484c90a4ca8c458a
SHA1 57a7952959c07c419a2204939c1da301f6a47030
SHA256 b92fd00e3af0abf5d62269056cf1a43e7da0efbf70467070ad2923bf41554c97
SHA512 3e1f8e620ce892d222a624fe5a3d791e58ae5a3ac5048639854a5021099844feda6a32109ca78666690113014eea3c29821b955d462db73cd9c1807e2e815558
-
memory/4052-12-0x00007FFE96FF3000-0x00007FFE96FF5000-memory.dmp
Filesize 8KB
-
memory/4052-13-0x0000000000B20000-0x0000000000BF6000-memory.dmp
Filesize 856KB