Analysis
- max time kernel: 93s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-01-2025 10:31
Behavioral task behavioral1
- Sample: d1793da857eca536d0d06e1bdfa657ab.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: d1793da857eca536d0d06e1bdfa657ab.exe
- Resource: win10v2004-20241007-en
General
- Target: d1793da857eca536d0d06e1bdfa657ab.exe
- Size: 2.7MB
- MD5: d1793da857eca536d0d06e1bdfa657ab
- SHA1: bb07044f5867554c74063d4c9509248657322040
- SHA256: 60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2
- SHA512: 8d35eab524e898a14e17185c64e092c56e310f15e3cd2e0bfd533b15c55b78078dfc2dbaeba3d3a5027a96967fca11cf3c60a4fb859e5ecee28addda04238e4b
- SSDEEP: 49152:yqyJUSQelMhlk1w19BlUobhENGZXxRWi0UAuqYqqnc:PyJlQgGk1wPko1oO30UA7Yqq
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (every row): 1224; Process (every row): schtasks.exe; procid_target (every row): 82
pid (51 rows, in report order): 4732, 1332, 2788, 3896, 2832, 5012, 3848, 3620, 4464, 3652, 2684, 3428, 3940, 2292, 2328, 2628, 2200, 4944, 3212, 4436, 3672, 3040, 1476, 216, 2800, 4116, 1924, 3540, 4032, 1812, 1528, 2992, 3504, 4712, 4424, 2616, 3164, 4600, 2996, 3760, 3284, 4668, 4028, 4576, 3100, 1624, 4104, 1048, 2640, 4108, 1648
-
UAC bypass 6 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d1793da857eca536d0d06e1bdfa657ab.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d1793da857eca536d0d06e1bdfa657ab.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d1793da857eca536d0d06e1bdfa657ab.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe |
-
Yara rule matches
| resource | yara_rule |
| --- | --- |
| behavioral2/memory/4484-1-0x0000000000400000-0x00000000006B4000-memory.dmp | dcrat |
| behavioral2/files/0x0007000000023c92-30.dat | dcrat |
| behavioral2/files/0x0009000000023cbc-69.dat | dcrat |
| behavioral2/files/0x000d000000023c7f-104.dat | dcrat |
| behavioral2/files/0x0008000000023c9c-158.dat | dcrat |
| behavioral2/files/0x0008000000023ca0-181.dat | dcrat |
| behavioral2/files/0x0009000000023ca4-190.dat | dcrat |
| behavioral2/files/0x0008000000023ca9-214.dat | dcrat |
| behavioral2/memory/1396-310-0x00000000007F0000-0x0000000000AA4000-memory.dmp | dcrat |
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | d1793da857eca536d0d06e1bdfa657ab.exe |
-
Executes dropped EXE 1 IoCs
| pid | Process |
| --- | --- |
| 1396 | wininit.exe |
-
Checks whether UAC is enabled 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d1793da857eca536d0d06e1bdfa657ab.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d1793da857eca536d0d06e1bdfa657ab.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe |
-
Drops file in Program Files directory 35 IoCs
Process (every row): d1793da857eca536d0d06e1bdfa657ab.exe
| description | ioc |
| --- | --- |
| File created | C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\Skins\RCXBADE.tmp |
| File created | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\dllhost.exe |
| File created | C:\Program Files (x86)\Common Files\Oracle\StartMenuExperienceHost.exe |
| File opened for modification | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\RCXC061.tmp |
| File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\RCXCA8A.tmp |
| File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe |
| File created | C:\Program Files\Windows NT\Accessories\en-US\e6c9b481da804f |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\Skins\RCXBADF.tmp |
| File opened for modification | C:\Program Files (x86)\Common Files\RCXBD62.tmp |
| File opened for modification | C:\Program Files (x86)\Common Files\csrss.exe |
| File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\RCXCB08.tmp |
| File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\RCXD36B.tmp |
| File created | C:\Program Files (x86)\Google\Update\unsecapp.exe |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\Skins\sihost.exe |
| File opened for modification | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\RCXBFE3.tmp |
| File opened for modification | C:\Program Files (x86)\Google\Update\RCXC5E3.tmp |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\RCXD57F.tmp |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\RCXD580.tmp |
| File created | C:\Program Files (x86)\Common Files\csrss.exe |
| File created | C:\Program Files (x86)\Common Files\886983d96e3d3e |
| File created | C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe |
| File created | C:\Program Files (x86)\Common Files\Oracle\55b276f4edf653 |
| File opened for modification | C:\Program Files (x86)\Common Files\RCXBD61.tmp |
| File opened for modification | C:\Program Files (x86)\Google\Update\unsecapp.exe |
| File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\RCXD2ED.tmp |
| File created | C:\Program Files (x86)\Windows Media Player\Skins\sihost.exe |
| File created | C:\Program Files (x86)\Google\Update\29c1c3cc0f7685 |
| File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\StartMenuExperienceHost.exe |
| File created | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\5940a34987c991 |
| File created | C:\Program Files\Windows NT\Accessories\en-US\55b276f4edf653 |
| File opened for modification | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\dllhost.exe |
| File opened for modification | C:\Program Files (x86)\Google\Update\RCXC565.tmp |
| File created | C:\Program Files (x86)\Windows Media Player\Skins\66fc9ff0ee96c2 |
-
Drops file in Windows directory 15 IoCs
Process (every row): d1793da857eca536d0d06e1bdfa657ab.exe
| description | ioc |
| --- | --- |
| File created | C:\Windows\System\5940a34987c991 |
| File created | C:\Windows\PolicyDefinitions\wininit.exe |
| File opened for modification | C:\Windows\ServiceProfiles\RCXC2E4.tmp |
| File opened for modification | C:\Windows\PolicyDefinitions\wininit.exe |
| File created | C:\Windows\ServiceProfiles\csrss.exe |
| File created | C:\Windows\System\dllhost.exe |
| File opened for modification | C:\Windows\ServiceProfiles\RCXC2E3.tmp |
| File opened for modification | C:\Windows\ServiceProfiles\csrss.exe |
| File opened for modification | C:\Windows\PolicyDefinitions\RCXCD2C.tmp |
| File created | C:\Windows\ServiceProfiles\886983d96e3d3e |
| File created | C:\Windows\PolicyDefinitions\56085415360792 |
| File opened for modification | C:\Windows\System\RCXC807.tmp |
| File opened for modification | C:\Windows\System\RCXC808.tmp |
| File opened for modification | C:\Windows\PolicyDefinitions\RCXCDAA.tmp |
| File opened for modification | C:\Windows\System\dllhost.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | d1793da857eca536d0d06e1bdfa657ab.exe |
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process (every row): schtasks.exe
pid (51 rows, in report order): 4424, 4104, 2800, 3540, 2992, 4712, 2684, 3940, 2292, 4436, 2616, 4600, 4668, 3896, 4464, 3672, 2328, 4032, 4028, 4108, 2788, 5012, 3620, 3652, 3504, 3164, 3284, 4576, 4732, 2832, 3428, 3040, 3100, 2640, 1648, 1624, 3848, 4944, 1812, 1528, 1924, 2996, 2200, 3212, 1476, 216, 1048, 1332, 2628, 4116, 3760
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
| pid | Process |
| --- | --- |
| 4484 | d1793da857eca536d0d06e1bdfa657ab.exe |
| 4484 | d1793da857eca536d0d06e1bdfa657ab.exe |
| 4484 | d1793da857eca536d0d06e1bdfa657ab.exe |
| 4484 | d1793da857eca536d0d06e1bdfa657ab.exe |
| 4484 | d1793da857eca536d0d06e1bdfa657ab.exe |
| 4484 | d1793da857eca536d0d06e1bdfa657ab.exe |
| 4484 | d1793da857eca536d0d06e1bdfa657ab.exe |
| 1396 | wininit.exe |
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4484 | d1793da857eca536d0d06e1bdfa657ab.exe |
| Token: SeDebugPrivilege | 1396 | wininit.exe |
-
Suspicious use of WriteProcessMemory 2 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 4484 wrote to memory of 1396 | 4484 | d1793da857eca536d0d06e1bdfa657ab.exe | 140 |
| PID 4484 wrote to memory of 1396 | 4484 | d1793da857eca536d0d06e1bdfa657ab.exe | 140 |
-
System policy modification 1 TTPs 6 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d1793da857eca536d0d06e1bdfa657ab.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d1793da857eca536d0d06e1bdfa657ab.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d1793da857eca536d0d06e1bdfa657ab.exe |
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1793da857eca536d0d06e1bdfa657ab.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d1793da857eca536d0d06e1bdfa657ab.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4484 -
C:\Windows\PolicyDefinitions\wininit.exe (depth 2)
Command line: "C:\Windows\PolicyDefinitions\wininit.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1396
-
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sihost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\System\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\System\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SearchApp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
Filesize
2.7MB
MD5 1c92fd173b2fe45f26ff083c7127533c
SHA1 aeec4714cc9e88fdf4ae961cfeb947ad0ae5b18d
SHA256 9dcef7952749bf8735cbca004635a7b3110cb3638f360ebf823a983c09f23bbc
SHA512 44ebc6da73ba86bf776350bceacc1d3c4342e7bae2dc7e3ae8cc4161821bb744cf6e6585950a1b1536498049439d713e7736c050dd1057cba8e2cdeb99bf1b96
-
Filesize
2.7MB
MD5 d1793da857eca536d0d06e1bdfa657ab
SHA1 bb07044f5867554c74063d4c9509248657322040
SHA256 60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2
SHA512 8d35eab524e898a14e17185c64e092c56e310f15e3cd2e0bfd533b15c55b78078dfc2dbaeba3d3a5027a96967fca11cf3c60a4fb859e5ecee28addda04238e4b
-
Filesize
2.7MB
MD5 ca8abc09395a2e03a028ee6a5ce4d444
SHA1 430ed9a12f61ada726b69f2c7c606a2c2c2a29dd
SHA256 e5d5cedb68b6c1db028771b6aeeb95fbd09e4ccd139592c212ec2487e872c657
SHA512 e9e9a6a24429f3fa95de1eb8ce06963bb551a639b039d70d724f376e5653d36d573a238ea5a6faf68a639cf63d6cad133557387181dc5de9186301a7b5e5f330
-
Filesize
2.7MB
MD5 62f03cecbfc3cd7f4d13aa92c571b744
SHA1 ff4935926948d893dd0954dac815a0adfc444a86
SHA256 eb33222c177d43273d92466f131c65ab62b371d3a76e8fa9801dfc43f4a1d0c2
SHA512 c7b37f2da01d67fb463145e30e3c62965deb4a9992a0ff4dbf76ef29efb89a0f91460a23ec0706722f3cc84a588a1597194be075f725467719da3cc6047c1663
-
Filesize
2.7MB
MD5 fabc0bcc88ce064a55364038af4a5a81
SHA1 7666d127ba980b19bfb519a2a5d66275f0672096
SHA256 079d32fca34af0567d051cfe05329e09921cf958edd15bd63972896bbd2e607f
SHA512 9e80bb5eb6b5d70d109df0096a6d67ab526f375968f2219ce85a183f8193ca8cde8f6e60d62ed0a47c1430b9268fcb9cf8ae0e834bd262627bd39d3a3da1fdce
-
Filesize
2.7MB
MD5 8b4dac487a24a738f5e618cf5945380a
SHA1 146c1bd5b38cb2d28e8715146a8e7dcdf7ee75c4
SHA256 01bb36d372caaf5dc7e00bff10d6a81a634ee3cf981e6cb5dad549e1de96e913
SHA512 a5cb23aef1a604e0d79aaeb27f56dc884e8e2a16413ca011eaded465671b2d69e17dbbe67bdd7d54769d4dff0e387b72e550241c6454afcbc8e1ccbda508d98c
-
Filesize
2.7MB
MD5 879c2132a0ef9ec3cd32f9886e89e7d5
SHA1 ddba003b1702c8bb42745344815c123a545b5aaa
SHA256 995d46d9da40eb5c5ae5256571a0d87a043c395652404cceea2c7548ac4379c6
SHA512 b5b3ef30b9af71cafc1418fb540f1291ce6ae4c816f6b5c1c58e22d514e95b4fab1dfce02b46172bf02d47cb6991954c684ea621668b57afc5b362a2a6689510