Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
26/08/2023, 13:46
230826-q3a1aaaf29 1026/08/2023, 13:43
230826-q1fsraae94 1026/08/2023, 13:42
230826-qzw4caae79 1026/08/2023, 13:42
230826-qzq74aae76 1026/08/2023, 13:39
230826-qx3hcaae65 1026/08/2023, 13:37
230826-qw8mzaae57 1026/08/2023, 13:36
230826-qwa2pscd7t 1026/08/2023, 13:35
230826-qvphpsae53 1026/08/2023, 13:34
230826-qvlrtacd7s 1026/08/2023, 13:34
230826-qt543acd61 10Analysis
-
max time kernel
1776s -
max time network
1792s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
26/08/2023, 13:42
Static task
static1
Behavioral task
behavioral1
Sample
YammiBeta.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
YammiBeta.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
YammiBeta.exe
Resource
win10v2004-20230824-en
General
-
Target
YammiBeta.exe
-
Size
1.1MB
-
MD5
6b5050c12abc27bad622f9af8ed7ebe3
-
SHA1
506be642a7d276c783bfd32a754a9bd1373abaea
-
SHA256
7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
-
SHA512
22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
-
SSDEEP
24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1364 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1416 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 200 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3540 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3884 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3708 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4544 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4172 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3944 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4888 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4872 3424 schtasks.exe 74 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3588 3424 schtasks.exe 74 -
resource yara_rule behavioral2/files/0x000800000001af46-11.dat dcrat behavioral2/files/0x000800000001af46-14.dat dcrat behavioral2/files/0x000700000001afcf-32.dat dcrat behavioral2/files/0x000700000001afcf-33.dat dcrat behavioral2/memory/3740-34-0x00000000003F0000-0x0000000000570000-memory.dmp dcrat behavioral2/files/0x000600000001afd6-48.dat dcrat behavioral2/files/0x000600000001afd2-72.dat dcrat behavioral2/files/0x000600000001afd2-70.dat dcrat -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 4460 Loader.exe 3740 MsServerfont.exe 456 spoolsv.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ipinfo.io 11 ipinfo.io -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 4288 YammiBeta.exe 4288 YammiBeta.exe 4288 YammiBeta.exe 4288 YammiBeta.exe -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe MsServerfont.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\f3b6ecef712a24 MsServerfont.exe File created C:\Program Files (x86)\Windows Mail\spoolsv.exe MsServerfont.exe File created C:\Program Files (x86)\Windows Mail\f3b6ecef712a24 MsServerfont.exe File created C:\Program Files (x86)\Windows Portable Devices\sihost.exe MsServerfont.exe File created C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2 MsServerfont.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2288 schtasks.exe 2172 schtasks.exe 3540 schtasks.exe 3884 schtasks.exe 4544 schtasks.exe 4172 schtasks.exe 4888 schtasks.exe 1416 schtasks.exe 200 schtasks.exe 2020 schtasks.exe 4872 schtasks.exe 3588 schtasks.exe 1364 schtasks.exe 3708 schtasks.exe 3944 schtasks.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings Loader.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3740 MsServerfont.exe 3740 MsServerfont.exe 3740 MsServerfont.exe 456 spoolsv.exe 456 spoolsv.exe 3344 powershell.exe 3344 powershell.exe 2244 powershell.exe 2244 powershell.exe 4200 powershell.exe 4200 powershell.exe 4932 powershell.exe 4932 powershell.exe 1428 powershell.exe 1428 powershell.exe 4272 powershell.exe 4272 powershell.exe 1440 powershell.exe 1440 powershell.exe 4984 powershell.exe 4984 powershell.exe 3124 powershell.exe 3124 powershell.exe 4364 powershell.exe 4364 powershell.exe 4220 powershell.exe 4220 powershell.exe 2892 powershell.exe 2892 powershell.exe 3344 powershell.exe 3124 powershell.exe 4200 powershell.exe 2244 powershell.exe 1428 powershell.exe 4932 powershell.exe 3344 powershell.exe 4272 powershell.exe 4984 powershell.exe 1440 powershell.exe 4364 powershell.exe 4220 powershell.exe 2892 powershell.exe 4200 powershell.exe 3124 powershell.exe 2244 powershell.exe 4932 powershell.exe 1440 powershell.exe 2892 powershell.exe 4220 powershell.exe 4364 powershell.exe 1428 powershell.exe 4984 powershell.exe 4272 powershell.exe 4272 powershell.exe 456 spoolsv.exe 456 spoolsv.exe 456 spoolsv.exe 456 spoolsv.exe 456 spoolsv.exe 456 spoolsv.exe 456 spoolsv.exe 456 spoolsv.exe 456 spoolsv.exe 456 spoolsv.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 456 spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4288 YammiBeta.exe Token: SeDebugPrivilege 3740 MsServerfont.exe Token: SeDebugPrivilege 456 spoolsv.exe Token: SeDebugPrivilege 3344 powershell.exe Token: SeDebugPrivilege 4200 powershell.exe Token: SeDebugPrivilege 2244 powershell.exe Token: SeDebugPrivilege 4932 powershell.exe Token: SeDebugPrivilege 1428 powershell.exe Token: SeDebugPrivilege 4272 powershell.exe Token: SeDebugPrivilege 1440 powershell.exe Token: SeDebugPrivilege 4984 powershell.exe Token: SeDebugPrivilege 3124 powershell.exe Token: SeDebugPrivilege 4364 powershell.exe Token: SeDebugPrivilege 4220 powershell.exe Token: SeDebugPrivilege 2892 powershell.exe Token: SeIncreaseQuotaPrivilege 3344 powershell.exe Token: SeSecurityPrivilege 3344 powershell.exe Token: SeTakeOwnershipPrivilege 3344 powershell.exe Token: SeLoadDriverPrivilege 3344 powershell.exe Token: SeSystemProfilePrivilege 3344 powershell.exe Token: SeSystemtimePrivilege 3344 powershell.exe Token: SeProfSingleProcessPrivilege 3344 powershell.exe Token: SeIncBasePriorityPrivilege 3344 powershell.exe Token: SeCreatePagefilePrivilege 3344 powershell.exe Token: SeBackupPrivilege 3344 powershell.exe Token: SeRestorePrivilege 3344 powershell.exe Token: SeShutdownPrivilege 3344 powershell.exe Token: SeDebugPrivilege 3344 powershell.exe Token: SeSystemEnvironmentPrivilege 3344 powershell.exe Token: SeRemoteShutdownPrivilege 3344 powershell.exe Token: SeUndockPrivilege 3344 powershell.exe Token: SeManageVolumePrivilege 3344 powershell.exe Token: 33 3344 powershell.exe Token: 34 3344 powershell.exe Token: 35 3344 powershell.exe Token: 36 3344 powershell.exe Token: SeIncreaseQuotaPrivilege 4200 powershell.exe Token: SeSecurityPrivilege 4200 powershell.exe Token: SeTakeOwnershipPrivilege 4200 powershell.exe Token: SeLoadDriverPrivilege 4200 powershell.exe Token: SeSystemProfilePrivilege 4200 powershell.exe Token: SeSystemtimePrivilege 4200 powershell.exe Token: SeProfSingleProcessPrivilege 4200 powershell.exe Token: SeIncBasePriorityPrivilege 4200 powershell.exe Token: SeCreatePagefilePrivilege 4200 powershell.exe Token: SeBackupPrivilege 4200 powershell.exe Token: SeRestorePrivilege 4200 powershell.exe Token: SeShutdownPrivilege 4200 powershell.exe Token: SeDebugPrivilege 4200 powershell.exe Token: SeSystemEnvironmentPrivilege 4200 powershell.exe Token: SeRemoteShutdownPrivilege 4200 powershell.exe Token: SeUndockPrivilege 4200 powershell.exe Token: SeManageVolumePrivilege 4200 powershell.exe Token: 33 4200 powershell.exe Token: 34 4200 powershell.exe Token: 35 4200 powershell.exe Token: 36 4200 powershell.exe Token: SeIncreaseQuotaPrivilege 3124 powershell.exe Token: SeSecurityPrivilege 3124 powershell.exe Token: SeTakeOwnershipPrivilege 3124 powershell.exe Token: SeLoadDriverPrivilege 3124 powershell.exe Token: SeSystemProfilePrivilege 3124 powershell.exe Token: SeSystemtimePrivilege 3124 powershell.exe Token: SeProfSingleProcessPrivilege 3124 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4288 YammiBeta.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 4288 wrote to memory of 4460 4288 YammiBeta.exe 69 PID 4288 wrote to memory of 4460 4288 YammiBeta.exe 69 PID 4288 wrote to memory of 4460 4288 YammiBeta.exe 69 PID 4460 wrote to memory of 2536 4460 Loader.exe 70 PID 4460 wrote to memory of 2536 4460 Loader.exe 70 PID 4460 wrote to memory of 2536 4460 Loader.exe 70 PID 2536 wrote to memory of 2692 2536 WScript.exe 71 PID 2536 wrote to memory of 2692 2536 WScript.exe 71 PID 2536 wrote to memory of 2692 2536 WScript.exe 71 PID 2692 wrote to memory of 3740 2692 cmd.exe 73 PID 2692 wrote to memory of 3740 2692 cmd.exe 73 PID 3740 wrote to memory of 3344 3740 MsServerfont.exe 90 PID 3740 wrote to memory of 3344 3740 MsServerfont.exe 90 PID 3740 wrote to memory of 4984 3740 MsServerfont.exe 91 PID 3740 wrote to memory of 4984 3740 MsServerfont.exe 91 PID 3740 wrote to memory of 4932 3740 MsServerfont.exe 92 PID 3740 wrote to memory of 4932 3740 MsServerfont.exe 92 PID 3740 wrote to memory of 4272 3740 MsServerfont.exe 93 PID 3740 wrote to memory of 4272 3740 MsServerfont.exe 93 PID 3740 wrote to memory of 4220 3740 MsServerfont.exe 94 PID 3740 wrote to memory of 4220 3740 MsServerfont.exe 94 PID 3740 wrote to memory of 4200 3740 MsServerfont.exe 95 PID 3740 wrote to memory of 4200 3740 MsServerfont.exe 95 PID 3740 wrote to memory of 4364 3740 MsServerfont.exe 96 PID 3740 wrote to memory of 4364 3740 MsServerfont.exe 96 PID 3740 wrote to memory of 3124 3740 MsServerfont.exe 97 PID 3740 wrote to memory of 3124 3740 MsServerfont.exe 97 PID 3740 wrote to memory of 1428 3740 MsServerfont.exe 98 PID 3740 wrote to memory of 1428 3740 MsServerfont.exe 98 PID 3740 wrote to memory of 2892 3740 MsServerfont.exe 99 PID 3740 wrote to memory of 2892 3740 MsServerfont.exe 99 PID 3740 wrote to memory of 1440 3740 MsServerfont.exe 113 PID 3740 wrote to memory of 1440 3740 MsServerfont.exe 113 PID 3740 wrote to memory of 2244 3740 MsServerfont.exe 112 PID 3740 wrote to memory of 2244 3740 MsServerfont.exe 112 PID 3740 wrote to memory of 456 3740 MsServerfont.exe 114 PID 3740 wrote to memory of 456 3740 MsServerfont.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"3⤵
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Users\Admin\Cookies\spoolsv.exe"C:\Users\Admin\Cookies\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:456
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD518ae88963bf2b89b3ea24f1cd998c0dd
SHA10200af4fb7dbe83bb230f2ebf14c3561b4f2af85
SHA2561b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9
SHA51216c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1.5MB
MD518ae88963bf2b89b3ea24f1cd998c0dd
SHA10200af4fb7dbe83bb230f2ebf14c3561b4f2af85
SHA2561b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9
SHA51216c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157
-
Filesize
1KB
MD5cc5263f588f47d3e49ac2cd00a8a0535
SHA1ef2fc4af6b634cea62999c57e4fdbf1fa877f620
SHA256d2c9c6a1a8b3d5acee8a3142f2d375ee9b4e4a61edacfe2926bd7951c368947d
SHA512d45ad104ac32a88fd883506a821a93eed0b33f04ddb4a447421439b6a7f675a93d234748c3ce28c34bf3b2c600f4cd77d77bb662d4bc24b15e1945b995640cf8
-
Filesize
1KB
MD56c94a40b3cdb24202a53b6bbc3451f0a
SHA1f034762856970cac087f5613f1ee74f10ac94420
SHA2567e5e57300e1875f7f60f1af171ea7fd04e8469b66765c3c1829df77b3c41343d
SHA512dc4c80c93c671b7ad5485c462e915806e273968615778ef1977bc2e671fd1b9772e9ed846da472691ed11200df2ffef6af55283d7e6bee3307d856a1bdb72702
-
Filesize
1KB
MD56c94a40b3cdb24202a53b6bbc3451f0a
SHA1f034762856970cac087f5613f1ee74f10ac94420
SHA2567e5e57300e1875f7f60f1af171ea7fd04e8469b66765c3c1829df77b3c41343d
SHA512dc4c80c93c671b7ad5485c462e915806e273968615778ef1977bc2e671fd1b9772e9ed846da472691ed11200df2ffef6af55283d7e6bee3307d856a1bdb72702
-
Filesize
1KB
MD5164e9c8bb2db74c2d1f49cdd4849bb36
SHA1e57a88255d02bf48d654c223af7097b6562b024e
SHA256903c67b2d08237aa1790ea3362ffcb9a536cf461fade9beffd5aff6b7d44d514
SHA512d765d6e0dcf7a61ade2c91c28cce80d0ca5bfa7a50b21fa852979d4cf25ba06ab4710d837233420c00ec29548ded7f4f1cffa977b5fc7dd087640256ef52ff0e
-
Filesize
1KB
MD592733c7bd675b04ac21ad415ece0c0a8
SHA157000c4f3ac3c612042775fa18f4905f0713b851
SHA256fd07a562730f5c300a9e92122074a054c33f584eee55ef8c7bc06e5de343ff9d
SHA51215847b5b0c5b7de0901721d0daa4e3d6d638c0d7cadb2c7004e23df2c9a81b790ecf55aba7e14356ae3448073972d95629795b7b350e156ccd6295eaea8e9af9
-
Filesize
1KB
MD5608b83ce9ef93b381221f39cc3f3c34e
SHA1705b62534a78c2806a2285b697c13b6c22d025f5
SHA256d2b66207c26d19ce03366961d9a75af554857bf31115e90358720e133fa46d74
SHA512a7c9d608427ba0b5a898f64e2894e802e375231b65b9dd13df2f989299161a595df40ce72fef2ef65f05dcaa56b35d7e3dc57c663793f38936de4aa97b798237
-
Filesize
1KB
MD5ca922d9a392d25805fa73cc6c2085439
SHA1a6e1385fd68a1a7a12ba171db7f716b29586849d
SHA2562b55db40baca96eecc499c8047c1c34a060311294834ac86f0b456ab5c9862c2
SHA512616d116d85d62ce9ee0baac9edb571257b0675a8c7dfbdb1c91134b11ebc149d454379c449d54edd0d49ee1f6f09f8141ee5594fcf18d57420aa2a1a428dca98
-
Filesize
1KB
MD5e7358962705fd0dbe4a44f0aaabf963c
SHA17d795579ffd8c41fba78c9a188c2886911333147
SHA256a2bc257a1e0f46e69b0e391d5076fd3e2247b765838b6a156bb20b29d74f71a0
SHA512ccd7d308cdc91159a82529025023070eb7c3e24f79dab4e000f5d9286dc9c496fb85ca511c0e2699ab09aa0d6b8c4da4e5f82c26209392d04d25cbdd8d1a80da
-
Filesize
1KB
MD5361371abca5de9517ca78d5acb4b997b
SHA1b90d9c6301e1cd0af2ea23a517948a7ee3ecd98f
SHA256ee6c6a8eb09f5403f93e999f8e7d0c033849bfd29e2fdf090f46828b01e11406
SHA512834bd30f40963f038fb3cd75a5705ff6208156ef2f960bc3f434cee41ea66bd27a50b6fc08e145b7fc162bf8d09a74628e4f63e0f8a408c8b877cea202a40820
-
Filesize
1KB
MD5941c3267e6949856e71329a92cc0811c
SHA1b2afa3b49e4ca2455dd652ccdbd46d95f4c27a71
SHA2567ce2475f2fc9e98ef35a79aa0cfbf24d7ee6b5f440c4f0378225e4056def89ae
SHA512dbee0c4ed856b77976fb779efd23da60763bc019c0e7ff370dbba47cbbbcf7193ab8c7ac19b682472257923dab81e2d3300edfd669ca7a65267718136a1cc560
-
Filesize
1KB
MD5941c3267e6949856e71329a92cc0811c
SHA1b2afa3b49e4ca2455dd652ccdbd46d95f4c27a71
SHA2567ce2475f2fc9e98ef35a79aa0cfbf24d7ee6b5f440c4f0378225e4056def89ae
SHA512dbee0c4ed856b77976fb779efd23da60763bc019c0e7ff370dbba47cbbbcf7193ab8c7ac19b682472257923dab81e2d3300edfd669ca7a65267718136a1cc560
-
Filesize
1.5MB
MD518ae88963bf2b89b3ea24f1cd998c0dd
SHA10200af4fb7dbe83bb230f2ebf14c3561b4f2af85
SHA2561b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9
SHA51216c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157
-
Filesize
1.5MB
MD518ae88963bf2b89b3ea24f1cd998c0dd
SHA10200af4fb7dbe83bb230f2ebf14c3561b4f2af85
SHA2561b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9
SHA51216c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157
-
Filesize
214B
MD5f246d91170758c560dcc804e79b689ce
SHA18e9820729c33e492c5d76722607a38379b1cbd38
SHA2568558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665
SHA512dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8
-
Filesize
37B
MD5c87d31ff7b6bc8e971808bc819561137
SHA1000f77a2d2596c87d3e2085ad74794b0627c034a
SHA256738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872
SHA51234d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde
-
Filesize
1.7MB
MD5fea5051ff55437d8510d9dba5159efba
SHA1cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3
SHA2569d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f
SHA512796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5
-
Filesize
1.7MB
MD5fea5051ff55437d8510d9dba5159efba
SHA1cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3
SHA2569d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f
SHA512796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
1.5MB
MD518ae88963bf2b89b3ea24f1cd998c0dd
SHA10200af4fb7dbe83bb230f2ebf14c3561b4f2af85
SHA2561b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9
SHA51216c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157