Analysis
-
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 18-07-2024 18:36
Behavioral task
behavioral1
Sample
9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe
Resource
win10v2004-20240709-en
General
-
Target: 9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe
Size: 1.1MB
MD5: 13da266da3cb746aa680db5c41148524
SHA1: 1d56737f102966336681e40ae281e4d83b400de6
SHA256: 9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796
SHA512: c7d738df05173767ace1af0c0660b275589808687024ab3670a32c9546b982dbd8addfa0f34764712b9a640c7748d29ac3d4446583535c5747cf358624554dd5
SSDEEP: 24576:U2G/nvxW3Ww0t1rRGRMtRqFtFVc/pJGn4czXV:UbA301rRb+ip12l
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3408 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2524 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4980 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4000 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2588 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3580 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4792 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4752 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2540 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5068 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4544 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4816 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3096 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4384 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4320 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1320 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1084 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1356 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1852 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 752 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4164 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4448 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4364 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 684 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1228 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1032 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4628 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2384 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3704 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1396 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3468 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3396 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 380 | 5004 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4808 | 5004 | schtasks.exe |
-
Processes:
resource | yara_rule
C:\containerwinBroker\hostCrtnet.exe | dcrat
behavioral2/memory/2244-13-0x00000000005B0000-0x0000000000686000-memory.dmp | dcrat
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | hostCrtnet.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2244 | hostCrtnet.exe
2344 | RuntimeBroker.exe
-
Drops file in Program Files directory 11 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\dotnet\SearchApp.exe | hostCrtnet.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\modules\OfficeClickToRun.exe | hostCrtnet.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe | hostCrtnet.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\38384e6a620884 | hostCrtnet.exe
File created | C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe | hostCrtnet.exe
File created | C:\Program Files\Windows Defender\de-DE\9e8d7a4ca61bd9 | hostCrtnet.exe
File created | C:\Program Files\dotnet\38384e6a620884 | hostCrtnet.exe
File created | C:\Program Files\VideoLAN\VLC\lua\intf\modules\OfficeClickToRun.exe | hostCrtnet.exe
File created | C:\Program Files\VideoLAN\VLC\lua\intf\modules\e6c9b481da804f | hostCrtnet.exe
File created | C:\Program Files (x86)\Google\Temp\unsecapp.exe | hostCrtnet.exe
File created | C:\Program Files (x86)\Google\Temp\29c1c3cc0f7685 | hostCrtnet.exe
-
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System\Speech\unsecapp.exe | hostCrtnet.exe
File created | C:\Windows\Migration\RuntimeBroker.exe | hostCrtnet.exe
File created | C:\Windows\Migration\9e8d7a4ca61bd9 | hostCrtnet.exe
File created | C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\OfficeClickToRun.exe | hostCrtnet.exe
File created | C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\e6c9b481da804f | hostCrtnet.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | 9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3580 | schtasks.exe
684 | schtasks.exe
1228 | schtasks.exe
1648 | schtasks.exe
4000 | schtasks.exe
2588 | schtasks.exe
4752 | schtasks.exe
4384 | schtasks.exe
2424 | schtasks.exe
4808 | schtasks.exe
3408 | schtasks.exe
2524 | schtasks.exe
4980 | schtasks.exe
2180 | schtasks.exe
5068 | schtasks.exe
1396 | schtasks.exe
3396 | schtasks.exe
1320 | schtasks.exe
1084 | schtasks.exe
752 | schtasks.exe
1516 | schtasks.exe
4544 | schtasks.exe
1852 | schtasks.exe
2384 | schtasks.exe
4816 | schtasks.exe
1356 | schtasks.exe
4164 | schtasks.exe
1032 | schtasks.exe
3468 | schtasks.exe
380 | schtasks.exe
2540 | schtasks.exe
3096 | schtasks.exe
4364 | schtasks.exe
4628 | schtasks.exe
4792 | schtasks.exe
4320 | schtasks.exe
4448 | schtasks.exe
1640 | schtasks.exe
3704 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
pid | process
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2244 | hostCrtnet.exe
2344 | RuntimeBroker.exe
2344 | RuntimeBroker.exe
2344 | RuntimeBroker.exe
2344 | RuntimeBroker.exe
2344 | RuntimeBroker.exe
2344 | RuntimeBroker.exe
2344 | RuntimeBroker.exe
2344 | RuntimeBroker.exe
2344 | RuntimeBroker.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2344 | RuntimeBroker.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2244 | hostCrtnet.exe
Token: SeDebugPrivilege | 2344 | RuntimeBroker.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process
PID 864 wrote to memory of 1664 | 864 | 9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe | WScript.exe
PID 864 wrote to memory of 1664 | 864 | 9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe | WScript.exe
PID 864 wrote to memory of 1664 | 864 | 9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe | WScript.exe
PID 1664 wrote to memory of 960 | 1664 | WScript.exe | cmd.exe
PID 1664 wrote to memory of 960 | 1664 | WScript.exe | cmd.exe
PID 1664 wrote to memory of 960 | 1664 | WScript.exe | cmd.exe
PID 960 wrote to memory of 2244 | 960 | cmd.exe | hostCrtnet.exe
PID 960 wrote to memory of 2244 | 960 | cmd.exe | hostCrtnet.exe
PID 2244 wrote to memory of 2344 | 2244 | hostCrtnet.exe | RuntimeBroker.exe
PID 2244 wrote to memory of 2344 | 2244 | hostCrtnet.exe | RuntimeBroker.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\WScript.exe (level 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\containerwinBroker\e8Rlw8Qp2tIZEv6MWU8.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: C:\Windows\system32\cmd.exe /c ""C:\containerwinBroker\bc42ZgAN7HZpE65W.bat" "
- Suspicious use of WriteProcessMemory
PID:960 -
C:\containerwinBroker\hostCrtnet.exe (level 4)
Command line: "C:\containerwinBroker\hostCrtnet.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Recovery\WindowsRE\RuntimeBroker.exe (level 5)
Command line: "C:\Recovery\WindowsRE\RuntimeBroker.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\modules\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\modules\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\modules\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\containerwinBroker\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\containerwinBroker\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\containerwinBroker\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\SearchApp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\dotnet\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Migration\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\containerwinBroker\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\containerwinBroker\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\containerwinBroker\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380
-
C:\Windows\system32\schtasks.exe (level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 38B
MD5: 196b374439b47033484388410d253f0a
SHA1: de7a5511926ea62f37cad9a69fc8e294b1f0298a
SHA256: e23d98ea0e60b2406ff8a3fd9f38eeca302af3c64e3a31ccd785cfbc624f59e8
SHA512: d5c79063c0d863ce7c0bfca3eb00d27c0b072fb2c73a7c6453e105d1eb1df672d394f3add6dac7ecabfbae0d593d76b9b638a077f39d29d26e6ac09a5a40b9da
-
Filesize: 211B
MD5: f1a9dd02c8a9a467956dcc1840a64471
SHA1: 6547289aa1da405deda3493955d0ef4fc4932637
SHA256: 013a7cef251cc1f5665f20aa516762582b37a13d9225e973625c68e0778f45e4
SHA512: 397fbec54b88034093bdfe9694cae48527af71055b7dcc5bfdff2ac9a5796d5a279b90a3c45ae0db63f4724a886f1713c9415bf58ef9215efc647f91702091d2
-
Filesize: 828KB
MD5: d4bae6d782c8dd872ca7f43ed837fc62
SHA1: 6b09e88a37cee804b17d7f61d7af6d6140eba32d
SHA256: 6087c2c5696e21141be618103de53764253007890df7f61b70be61214a1ff6e0
SHA512: 16b3a5478332e851c2c1ffb6a77cdab723edd17de70ebff4a0a8652646bc7702b0d128068cea7b00f83163e11dd5b17b1406a87779c766c47cebf6ad4cf77930