Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 16:27
Behavioral task behavioral1
Sample: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Resource: win7-20240729-en

Behavioral task behavioral2
Sample: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Resource: win10v2004-20241007-en
General

Target: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Size: 827KB
MD5: 8dd4d6bc11e00b92762a60413bff8ccb
SHA1: b7e060163ea51cabb60aa11bbd1ec5cfb856a933
SHA256: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707
SHA512: 6bb31fbe4e5d8f13b4f243257b5f1fdb21de2526deba4081d1de1e43f0d3b37a21bc00390db6ecce19456d34db9bde01af5867e74433648c85482d3ef7c50a97
SSDEEP: 24576:8mkzClvITluS4gHdPvqh0utgaHDS+6nf/Z:8/aIT2gtzYgajSf
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
(All 54 rows have description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 1276, Process schtasks.exe and procid_target 82; they differ only in pid.)
pid: 1308, 2188, 1968, 1108, 4940, 1148, 3600, 3480, 1760, 4144, 2040, 1340, 3212, 4304, 4968, 880, 932, 2980, 3728, 4176, 4704, 4004, 4180, 2876, 2552, 3872, 1548, 3032, 4808, 2260, 1596, 1624, 4148, 2312, 2284, 2112, 4796, 4224, 4596, 1368, 4588, 1496, 2232, 4512, 628, 5064, 2328, 1448, 1476, 2860, 3436, 1584, 4008, 3740

resource | yara_rule
behavioral2/memory/1056-1-0x0000000000C20000-0x0000000000CF6000-memory.dmp | dcrat
behavioral2/files/0x000a000000023b97-11.dat | dcrat

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe

Executes dropped EXE 1 IoCs
pid | Process
2104 | SearchApp.exe

Drops file in Program Files directory 10 IoCs
description | ioc | Process
(Process is 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe for all 10 rows.)
File created | C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe
File created | C:\Program Files (x86)\Windows Defender\ja-JP\7a0fd90576e088
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9
File created | C:\Program Files\Internet Explorer\uk-UA\spoolsv.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\55b276f4edf653
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\Idle.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\6ccacd8608530f
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
File created | C:\Program Files\Internet Explorer\uk-UA\f3b6ecef712a24

Drops file in Windows directory 11 IoCs
description | ioc | Process
(Process is 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe for all 11 rows.)
File created | C:\Windows\Migration\WTR\6203df4a6bafc7
File created | C:\Windows\SoftwareDistribution\6ccacd8608530f
File created | C:\Windows\SystemResources\ShellComponents\pris\services.exe
File created | C:\Windows\SystemResources\ShellComponents\pris\c5b4cb5e9653cc
File created | C:\Windows\Speech_OneCore\Idle.exe
File created | C:\Windows\diagnostics\system\Keyboard\uk-UA\csrss.exe
File created | C:\Windows\System\Speech\sppsvc.exe
File created | C:\Windows\SoftwareDistribution\Idle.exe
File created | C:\Windows\Globalization\ELS\HyphenationDictionaries\Idle.exe
File created | C:\Windows\Speech_OneCore\6ccacd8608530f
File created | C:\Windows\Migration\WTR\lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
(Process is schtasks.exe for all 54 rows.)
pid: 4176, 2232, 2312, 2284, 2328, 4144, 3480, 932, 4704, 4180, 2552, 3872, 1108, 3600, 628, 4004, 4512, 4148, 3728, 3032, 2112, 2860, 2188, 3212, 4304, 1448, 1968, 1760, 4796, 1496, 1548, 4808, 4224, 1368, 4008, 1308, 4968, 4596, 1476, 880, 1340, 2980, 1148, 2040, 3436, 4940, 1624, 1584, 3740, 2876, 2260, 1596, 5064, 4588

Suspicious behavior: EnumeratesProcesses 38 IoCs
pid | Process
1056 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe (37 rows)
2104 | SearchApp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1056 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Token: SeDebugPrivilege | 2104 | SearchApp.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1056 wrote to memory of 4716 | 1056 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe | 137
PID 1056 wrote to memory of 4716 | 1056 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe | 137
PID 4716 wrote to memory of 4912 | 4716 | cmd.exe | 139
PID 4716 wrote to memory of 4912 | 4716 | cmd.exe | 139
PID 4716 wrote to memory of 2104 | 4716 | cmd.exe | 143
PID 4716 wrote to memory of 2104 | 4716 | cmd.exe | 143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1056

    C:\Windows\System32\cmd.exe (level 2)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQ7DzPQJZh.bat"
      - Suspicious use of WriteProcessMemory
      PID: 4716

        C:\Windows\system32\w32tm.exe (level 3)
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 4912

        C:\Users\Default\Music\SearchApp.exe (level 3)
          Command line: "C:\Users\Default\Music\SearchApp.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2104

The 54 C:\Windows\system32\schtasks.exe processes below all run at level 1, and each one carries the tags "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task"; only the PID and command line differ.

PID 1308: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
PID 2188: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
PID 1968: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
PID 1108: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\sysmon.exe'" /f
PID 4940: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Videos\sysmon.exe'" /rl HIGHEST /f
PID 1148: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\sysmon.exe'" /rl HIGHEST /f
PID 3600: schtasks.exe /create /tn "495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b57074" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe'" /f
PID 3480: schtasks.exe /create /tn "495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707" /sc ONLOGON /tr "'C:\Users\Default\Recent\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe'" /rl HIGHEST /f
PID 1760: schtasks.exe /create /tn "495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b57074" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe'" /rl HIGHEST /f
PID 4144: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Idle.exe'" /f
PID 2040: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Idle.exe'" /rl HIGHEST /f
PID 1340: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Idle.exe'" /rl HIGHEST /f
PID 3212: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\uk-UA\spoolsv.exe'" /f
PID 4304: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\spoolsv.exe'" /rl HIGHEST /f
PID 4968: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\uk-UA\spoolsv.exe'" /rl HIGHEST /f
PID 880: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /f
PID 932: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
PID 2980: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
PID 3728: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /f
PID 4176: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
PID 4704: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
PID 4004: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Idle.exe'" /f
PID 4180: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Idle.exe'" /rl HIGHEST /f
PID 2876: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Idle.exe'" /rl HIGHEST /f
PID 2552: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
PID 3872: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
PID 1548: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
PID 3032: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\taskhostw.exe'" /f
PID 4808: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\taskhostw.exe'" /rl HIGHEST /f
PID 2260: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\taskhostw.exe'" /rl HIGHEST /f
PID 1596: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\SearchApp.exe'" /f
PID 1624: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Music\SearchApp.exe'" /rl HIGHEST /f
PID 4148: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\SearchApp.exe'" /rl HIGHEST /f
PID 2312: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f
PID 2284: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
PID 2112: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
PID 4796: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Idle.exe'" /f
PID 4224: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
PID 4596: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
PID 1368: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f
PID 4588: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
PID 1496: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
PID 2232: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
PID 4512: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
PID 628: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
PID 5064: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Idle.exe'" /f
PID 2328: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Idle.exe'" /rl HIGHEST /f
PID 1448: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\Idle.exe'" /rl HIGHEST /f
PID 1476: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchApp.exe'" /f
PID 2860: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
PID 3436: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
PID 1584: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemResources\ShellComponents\pris\services.exe'" /f
PID 4008: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SystemResources\ShellComponents\pris\services.exe'" /rl HIGHEST /f
PID 3740: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemResources\ShellComponents\pris\services.exe'" /rl HIGHEST /f

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 827KB
MD5: 8dd4d6bc11e00b92762a60413bff8ccb
SHA1: b7e060163ea51cabb60aa11bbd1ec5cfb856a933
SHA256: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707
SHA512: 6bb31fbe4e5d8f13b4f243257b5f1fdb21de2526deba4081d1de1e43f0d3b37a21bc00390db6ecce19456d34db9bde01af5867e74433648c85482d3ef7c50a97

Filesize: 201B
MD5: 6781cbdde1709d84bb1a4e8f01512efc
SHA1: d841509493eb26de268e02e7bf21bc55afd2baa9
SHA256: 21b0596a1c1c933409b87bc2e5293ed9eb857fd6adac7205585625c378f0639a
SHA512: cc51eb057103ce5858e36f59cce672017736cda1cfd0919543082d2f824df06659f27a74216ad7b993ce0d7a388e687a722fae08963b6213019ec4a668b8919d