Analysis
max time kernel: 92s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 02:20
Behavioral task: behavioral1
Sample: 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
Resource: win10v2004-20241007-en
General
Target: 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
Size: 2.3MB
MD5: 97177514cab51539083ef130f005bbd1
SHA1: 49e2661ee3e8f6fd6b06334b00543590ed8fe208
SHA256: 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015
SHA512: 7ce6e7255d482b7c78f759098f9744f5f0ef462a79ad061d19f8036061b807963c924665bbe66e23e26a36990b5849d527b750ab6d0e9f6010cf4d665ec3d897
SSDEEP: 49152:2QZEVRb3qgQujSIZijBW7vrGGzt2q5je54Ng3q1qrFBZT4:2GEVRagQujSei5GpZJCmqrZT
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1296 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3760 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4368 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3816 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2164 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1216 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2384 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3604 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1464 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5040 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 832 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4188 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5036 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 212 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1768 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3300 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5048 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4420 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1588 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2536 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 452 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4976 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3124 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2272 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4580 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1736 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 648 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3044 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3108 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2392 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 4008 | schtasks.exe | 82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4956 | 4008 | schtasks.exe | 82
resource | yara_rule
behavioral2/memory/1848-1-0x0000000000180000-0x00000000003D2000-memory.dmp | dcrat
behavioral2/files/0x0008000000023c11-20.dat | dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
Executes dropped EXE 1 IoCs
pid | Process
2236 | Idle.exe
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Google\Temp\27d1bcfc3c54e0 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files\Microsoft Office 15\Registry.exe | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\7a0fd90576e088 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files (x86)\Google\Temp\System.exe | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files\Microsoft Office 15\ee2ad38f3d4382 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\upfc.exe | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\ea1d8f6d871115 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files\Windows Defender\it-IT\5b884080fd4f94 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\ServiceState\StartMenuExperienceHost.exe | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Windows\RemotePackages\RemoteDesktops\38384e6a620884 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Windows\Panther\UnattendGC\lsass.exe | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
File created | C:\Windows\Panther\UnattendGC\6203df4a6bafc7 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2384 | schtasks.exe
5040 | schtasks.exe
4420 | schtasks.exe
648 | schtasks.exe
4368 | schtasks.exe
2544 | schtasks.exe
832 | schtasks.exe
4188 | schtasks.exe
2064 | schtasks.exe
3300 | schtasks.exe
2536 | schtasks.exe
4976 | schtasks.exe
2272 | schtasks.exe
1736 | schtasks.exe
1980 | schtasks.exe
2660 | schtasks.exe
2292 | schtasks.exe
1768 | schtasks.exe
4580 | schtasks.exe
1688 | schtasks.exe
3124 | schtasks.exe
2164 | schtasks.exe
1216 | schtasks.exe
5036 | schtasks.exe
4956 | schtasks.exe
3760 | schtasks.exe
3816 | schtasks.exe
2728 | schtasks.exe
212 | schtasks.exe
5048 | schtasks.exe
1588 | schtasks.exe
452 | schtasks.exe
3604 | schtasks.exe
1464 | schtasks.exe
3044 | schtasks.exe
2392 | schtasks.exe
1296 | schtasks.exe
2792 | schtasks.exe
3108 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
2236 | Idle.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
Token: SeDebugPrivilege | 2236 | Idle.exe
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 1848 wrote to memory of 2236 | 1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe | 122
PID 1848 wrote to memory of 2236 | 1848 | 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe | 122
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe"
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1848

    C:\Users\Admin\Videos\Idle.exe
    Command line: "C:\Users\Admin\Videos\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2236

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1296

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3760

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4368

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2544

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2660

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3816

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2164

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1216

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2384

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2292

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2728

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3604

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1464

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5040

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 832

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4188

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2064

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5036

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1688

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 212

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1768

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Registry.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2792

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3300

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5048

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\Registry.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4420

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1588

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2536

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 452

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Favorites\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4976

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3124

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\upfc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2272

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4580

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1736

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 648

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3044

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3108

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\UnattendGC\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2392

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1980

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\UnattendGC\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4956
Network
MITRE ATT&CK Enterprise v15