Analysis
-
max time kernel
142s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13-05-2024 18:53
Behavioral task
behavioral1
Sample
149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe
Resource
win7-20240221-en
General
-
Target
149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe
-
Size
1.7MB
-
MD5
2654ed21f41ddf23c0bcad4b7fe550e1
-
SHA1
55191e232ee3851a66f264cc3f163a5a14c84843
-
SHA256
149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0
-
SHA512
748d64575954c442b1a261a8b647b4dd9af93b42382bb227972c977818ed155bc93a8afc1e7e7edcf62da32877581fb9a42b87521bc849be45a27711639a0c2d
-
SSDEEP
24576:w2G/nvxW3WieChFP0UI2K/L7OXxfeacboEkAGpkXqde7u0GUzzGQYpXTcviXSzDI:wbA3jYUI2JX68Ncu0fnS5yiXSzD
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here every schtasks.exe has C:\Windows\system32\wbem\wmiprvse.exe (PID 3656) as its parent, which is the hallmark of process creation through WMI (Win32_Process.Create): the WMI provider host spawns the process on behalf of the caller, so the schtasks invocations do not appear beneath the sample's own process tree and the real caller has to be inferred from the task targets (see the scheduled task list below).
Processes:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 3656 (wmiprvse.exe)
pid (all schtasks.exe): 4836, 3824, 3444, 2376, 748, 3328, 4496, 5068, 4828, 1000, 556, 3592, 812, 4548, 4780, 4388, 916, 3296, 3228, 3996, 1452
-
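The WmiPrvSE.exe-parented schtasks.exe entries above, together with the dwm.exe and winlogon.exe copies that run from directories Windows never installs them in (see the process list further down), are the two process-creation anomalies a detection rule would key on. The following is an added example, not sandbox output and not part of the DcRat analysis: it runs both checks over constructed Sysmon-style process-creation records whose PIDs and paths are taken from this report, plus two benign controls. The record layout, the allowed-directory baseline and the (empty) WMI child allowlist are assumptions to tune for a real estate.

```python
"""Two process-creation checks drawn from this report: any process parented by
the WMI provider host, and Windows system binary names running from directories
Windows never installs them in.
Added example; the events are constructed Sysmon-style records, not sandbox
output, with PIDs and paths taken from the process list in this report."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # full path of its parent


# Exact directories these binaries legitimately run from (matched on the
# immediate parent directory, so ...\SysWOW64\Microsoft\Protect\...\dwm.exe is
# not accepted just because it sits under C:\Windows). Assumed baseline;
# extend it for your own environment.
SYSTEM_BINARY_DIRS: Dict[str, Set[str]] = {
    "dwm.exe":      {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "sihost.exe":   {r"c:\windows\system32"},
    "msedge.exe":   {r"c:\program files (x86)\microsoft\edge\application",
                     r"c:\program files\microsoft\edge\application"},
}

# A child of WmiPrvSE.exe means the process was created through WMI
# (Win32_Process.Create or similar): the real caller is not in the tree.
# Allowlist is empty on purpose; add management agents you know use WMI.
WMI_HOST = "wmiprvse.exe"
WMI_CHILD_ALLOWLIST: Set[str] = set()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def check_event(ev: ProcEvent) -> List[str]:
    """Findings for one event; an empty list means nothing matched."""
    findings = []
    child = _name(ev.image)
    if _name(ev.parent_image) == WMI_HOST and child not in WMI_CHILD_ALLOWLIST:
        findings.append(f"pid {ev.pid}: {child} spawned by WmiPrvSE.exe "
                        "(created via WMI; the caller is not its parent)")
    allowed = SYSTEM_BINARY_DIRS.get(child)
    if allowed is not None and _parent_dir(ev.image) not in allowed:
        findings.append(f"pid {ev.pid}: {child} running from "
                        f"{_parent_dir(ev.image)} (masquerading as a system binary)")
    return findings


def scan(events: List[ProcEvent]) -> List[str]:
    return [f for ev in events for f in check_event(ev)]


# Constructed events: three taken from this report, two benign controls
# (the genuine dwm.exe under winlogon.exe, and an admin running schtasks from cmd).
SAMPLE_EVENTS = [
    ProcEvent(4836, 3656, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(832, 3064, r"C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(4544, 1384, r"C:\odt\winlogon.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1100, 900, r"C:\Windows\System32\dwm.exe", r"C:\Windows\System32\winlogon.exe"),
    ProcEvent(2200, 2100, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The directory check deliberately compares the immediate parent directory rather than a prefix: a prefix match on C:\Windows would have passed the dropped dwm.exe in SysWOW64\Microsoft\Protect\S-1-5-18\User.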
YARA matches (rule dcrat):
resource behavioral2/memory/4780-1-0x0000000000760000-0x000000000091C000-memory.dmp  yara_rule dcrat
resource C:\Users\Admin\AppData\Local\Temp\dcrat1.exe  yara_rule dcrat
resource C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe  yara_rule dcrat
resource behavioral2/memory/832-44-0x0000000000A00000-0x0000000000B50000-memory.dmp  yara_rule dcrat
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
process: 149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe
process: dcrat1.exe
process: WScript.exe
process: dwm.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid 4804  dcrat3.exe
pid 3524  dcrat1.exe
pid 832   dwm.exe
pid 4544  winlogon.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 11 IoCs
Processes (all by dcrat1.exe):
File created                C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\__tmp_rar_sfx_access_check_240664046
File created                C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe
File opened for modification C:\Windows\SysWOW64\Microsoft
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat
File created                C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe
File created                C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe
Note: the __tmp_rar_sfx_access_check_* file is the write-access probe of a WinRAR self-extracting stub, so dcrat1.exe is an SFX archive that unpacks the .vbe, .bat and dwm.exe. The directory under SysWOW64 is the WOW64 redirection of the C:\Windows\System32\Microsoft\Protect\S-1-5-18\User path named in the dropped command lines: dcrat1.exe is a 32-bit process, so its "System32" writes land in SysWOW64.
-
Drops file in Program Files directory 6 IoCs
Processes (all by dwm.exe):
File created  C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe
File created  C:\Program Files\Reference Assemblies\Microsoft\Framework\6ccacd8608530f
File created  C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe
File created  C:\Program Files\Windows Photo Viewer\fr-FR\66fc9ff0ee96c2
File created  C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe
File created  C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\38384e6a620884
-
Drops file in Windows directory 3 IoCs
Processes (all by dwm.exe):
File created                 C:\Windows\L2Schemas\61a52ddc9dd915
File created                 C:\Windows\L2Schemas\msedge.exe
File opened for modification C:\Windows\L2Schemas\msedge.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, all schtasks.exe):
2376, 748, 4388, 3228, 1452, 4836, 3444, 556, 4780, 916, 3296, 3996, 3328, 5068, 4828, 4548, 812, 3824, 4496, 1000, 3592
-
Modifies registry class 2 IoCs
Processes:
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings  dcrat1.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings  dwm.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
pid 832   dwm.exe       (3 events)
pid 4544  winlogon.exe  (14 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege  pid 832   dwm.exe
Token: SeDebugPrivilege  pid 4544  winlogon.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes (parent PID -> target PID, parent process -> target process, number of records):
4780 -> 4804  149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe -> dcrat3.exe  (3)
4804 -> 1784  dcrat3.exe -> javaw.exe  (2)
4780 -> 3524  149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe -> dcrat1.exe  (3)
3524 -> 3252  dcrat1.exe -> WScript.exe  (3)
3252 -> 3064  WScript.exe -> cmd.exe  (3)
1784 -> 1856  javaw.exe -> icacls.exe  (2)
3064 -> 832   cmd.exe -> dwm.exe  (2)
832 -> 1384   dwm.exe -> cmd.exe  (2)
1384 -> 1268  cmd.exe -> w32tm.exe  (2)
3064 -> 2880  cmd.exe -> reg.exe  (3)
1384 -> 4544  cmd.exe -> winlogon.exe  (2)
-
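The WriteProcessMemory records above are the raw material for the process tree: the sandbox logs one record per write into a freshly created child, so each parent/child pair repeats two or three times, and collapsing the repeats yields the creation graph and the depth of every process (the N⤵ markers in the process list). The Python below is an added example, not part of the report: it parses records in the report's own "PID X wrote to memory of Y ..." wording (copied from the signature above), deduplicates them, and renders the tree and ancestry chains. It assumes each child PID has a single parent, which holds for these records; PID reuse elsewhere in the report (4780 is later a schtasks.exe) would need a timestamp to disambiguate.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory'
records in this report. Added example, not sandbox output; the records are
copied from the signature above, with the sample's file name substituted
once to keep the lines readable."""
import re
from collections import Counter, defaultdict

SAMPLE = "149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe"
RECORDS = f"""
PID 4780 wrote to memory of 4804 4780 {SAMPLE} dcrat3.exe
PID 4780 wrote to memory of 4804 4780 {SAMPLE} dcrat3.exe
PID 4780 wrote to memory of 4804 4780 {SAMPLE} dcrat3.exe
PID 4804 wrote to memory of 1784 4804 dcrat3.exe javaw.exe
PID 4804 wrote to memory of 1784 4804 dcrat3.exe javaw.exe
PID 4780 wrote to memory of 3524 4780 {SAMPLE} dcrat1.exe
PID 4780 wrote to memory of 3524 4780 {SAMPLE} dcrat1.exe
PID 4780 wrote to memory of 3524 4780 {SAMPLE} dcrat1.exe
PID 3524 wrote to memory of 3252 3524 dcrat1.exe WScript.exe
PID 3524 wrote to memory of 3252 3524 dcrat1.exe WScript.exe
PID 3524 wrote to memory of 3252 3524 dcrat1.exe WScript.exe
PID 3252 wrote to memory of 3064 3252 WScript.exe cmd.exe
PID 3252 wrote to memory of 3064 3252 WScript.exe cmd.exe
PID 3252 wrote to memory of 3064 3252 WScript.exe cmd.exe
PID 1784 wrote to memory of 1856 1784 javaw.exe icacls.exe
PID 1784 wrote to memory of 1856 1784 javaw.exe icacls.exe
PID 3064 wrote to memory of 832 3064 cmd.exe dwm.exe
PID 3064 wrote to memory of 832 3064 cmd.exe dwm.exe
PID 832 wrote to memory of 1384 832 dwm.exe cmd.exe
PID 832 wrote to memory of 1384 832 dwm.exe cmd.exe
PID 1384 wrote to memory of 1268 1384 cmd.exe w32tm.exe
PID 1384 wrote to memory of 1268 1384 cmd.exe w32tm.exe
PID 3064 wrote to memory of 2880 3064 cmd.exe reg.exe
PID 3064 wrote to memory of 2880 3064 cmd.exe reg.exe
PID 3064 wrote to memory of 2880 3064 cmd.exe reg.exe
PID 1384 wrote to memory of 4544 1384 cmd.exe winlogon.exe
PID 1384 wrote to memory of 4544 1384 cmd.exe winlogon.exe
""".strip().splitlines()

# "PID <ppid> wrote to memory of <cpid> <ppid> <parent name> <child name>"
REC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_records(lines):
    """Return ({(ppid, cpid): record count}, {pid: image name})."""
    edges, names = Counter(), {}
    for line in lines:
        m = REC_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        ppid, cpid = int(m[1]), int(m[2])
        edges[(ppid, cpid)] += 1          # repeats collapse into a count
        names[ppid], names[cpid] = m[3], m[4]
    return edges, names


def ancestry(pid, edges):
    """PIDs from the root of the tree down to pid (assumes one parent per PID)."""
    parent = {c: p for p, c in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(edges, names):
    """Indented tree; the leading number is the depth, as in the report's N⤵ markers."""
    kids, lines = defaultdict(list), []
    for ppid, cpid in edges:              # Counter keeps first-seen order
        kids[ppid].append(cpid)
    children = {c for _, c in edges}

    def walk(pid, depth):
        lines.append(f"{'  ' * (depth - 1)}{depth} {names[pid]} (PID {pid})")
        for c in kids.get(pid, []):
            walk(c, depth + 1)

    for root in [p for p in kids if p not in children]:
        walk(root, 1)
    return lines


if __name__ == "__main__":
    edges, names = parse_records(RECORDS)
    print("\n".join(render(edges, names)))
```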
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe  (depth 1, PID 4780)
  command line: "C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\dcrat3.exe  (depth 2, PID 4804)
    command line: "C:\Users\Admin\AppData\Local\Temp\dcrat3.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Java\jre-1.8\bin\javaw.exe  (depth 3, PID 1784)
      command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath " org.develnext.jphp.ext.javafx.FXLauncher
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\icacls.exe  (depth 4, PID 1856)
        command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        - Modifies file permissions
  C:\Users\Admin\AppData\Local\Temp\dcrat1.exe  (depth 2, PID 3524)
    command line: "C:\Users\Admin\AppData\Local\Temp\dcrat1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe  (depth 3, PID 3252)
      command line: "C:\Windows\System32\WScript.exe" "C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 3064)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat" "
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe  (depth 5, PID 832)
          command line: "C:\\Windows\System32\Microsoft\Protect\S-1-5-18\User\dwm.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\System32\cmd.exe  (depth 6, PID 1384)
            command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mljoRSYxag.bat"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\w32tm.exe  (depth 7, PID 1268)
              command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            C:\odt\winlogon.exe  (depth 7, PID 4544)
              command line: "C:\odt\winlogon.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\reg.exe  (depth 5, PID 2880)
          command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - Modifies registry key
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1, PID 4560)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
-
Notes on the tree:
- The dcrat3.exe branch hands off to the system JRE with org.develnext.jphp.ext.javafx.FXLauncher, the JavaFX launcher of JPHP (DevelNext), so that branch is a bundled JPHP application rather than the .NET payload. The icacls call on C:\ProgramData\Oracle\Java\.oracle_jre_usage matches the directory setup the Oracle JRE 8 usage tracker performs on first run and is not specific to this sample.
- dcrat1.exe and its WScript.exe, cmd.exe (PID 3064) and reg.exe children are 32-bit: every C:\Windows\System32\... path in their command lines is redirected by WOW64 to C:\Windows\SysWOW64\..., which is where the dropped .vbe, .bat and dwm.exe actually reside (compare the image paths with the command lines). When hunting for these artifacts check both directory trees.
- w32tm /stripchart against localhost with two samples five seconds apart produces no useful output; in the batch script it serves as a delay before C:\odt\winlogon.exe is started, in place of timeout or ping.
- The reg add of DisableTaskMgr=1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System is the "Disables Task Manager via registry modification" signature; being under HKCU it affects only the infected user's profile.
- The msedge.exe at depth 1 (PID 4560) is the genuine Microsoft Edge utility process from Program Files (x86) and is unrelated to the dropped C:\Windows\L2Schemas\msedge.exe.
Scheduled tasks created: 21 schtasks.exe processes, all at depth 1 with parent wmiprvse.exe (PID 3656), each carrying the signatures "Process spawned unexpected child process" and "Creates scheduled task(s)". Every invocation has the form
  schtasks.exe /create /tn "<task name>" /sc <schedule> [/mo <n>] /tr "'<target>'" [/rl HIGHEST] /f
with these values:

PID   task name       schedule       run level  target
4836  msedgem         MINUTE /mo 9   default    C:\Windows\L2Schemas\msedge.exe
3824  msedge          ONLOGON        HIGHEST    C:\Windows\L2Schemas\msedge.exe
3444  msedgem         MINUTE /mo 12  HIGHEST    C:\Windows\L2Schemas\msedge.exe
2376  SearchAppS      MINUTE /mo 7   default    C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe
748   SearchApp       ONLOGON        HIGHEST    C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe
3328  SearchAppS      MINUTE /mo 14  HIGHEST    C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe
4496  winlogonw       MINUTE /mo 13  default    C:\odt\winlogon.exe
5068  winlogon        ONLOGON        HIGHEST    C:\odt\winlogon.exe
4828  winlogonw       MINUTE /mo 7   HIGHEST    C:\odt\winlogon.exe
1000  TextInputHostT  MINUTE /mo 11  default    C:\Recovery\WindowsRE\TextInputHost.exe
556   TextInputHost   ONLOGON        HIGHEST    C:\Recovery\WindowsRE\TextInputHost.exe
3592  TextInputHostT  MINUTE /mo 6   HIGHEST    C:\Recovery\WindowsRE\TextInputHost.exe
812   IdleI           MINUTE /mo 9   default    C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe
4548  Idle            ONLOGON        HIGHEST    C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe
4780  IdleI           MINUTE /mo 8   HIGHEST    C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe
4388  sihosts         MINUTE /mo 10  default    C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe
916   sihost          ONLOGON        HIGHEST    C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe
3296  sihosts         MINUTE /mo 14  HIGHEST    C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe
3228  lsassl          MINUTE /mo 7   default    C:\Users\All Users\USOShared\Logs\lsass.exe
3996  lsass           ONLOGON        HIGHEST    C:\Users\All Users\USOShared\Logs\lsass.exe
1452  lsassl          MINUTE /mo 11  HIGHEST    C:\Users\All Users\USOShared\Logs\lsass.exe

Notes on the tasks:
- Each target gets a triplet: a minute-interval task at the default run level, an ONLOGON task at the highest run level, and a second minute-interval task with the same name as the first but at the highest run level. Because /f is passed, the third definition replaces the first, so once the sample is done each binary is left with one ONLOGON task and one interval task, both elevated, firing every 6 to 14 minutes.
- The task names and target file names mimic Windows components (msedge, SearchApp, winlogon, TextInputHost, Idle, sihost, lsass) but the targets sit in directories where none of those binaries belong; the directory, not the name, is the indicator.
- Five of the seven targets are accounted for in this report (msedge.exe, SearchApp.exe, Idle.exe and sihost.exe in the "Drops file" signatures, C:\odt\winlogon.exe by its execution). C:\Recovery\WindowsRE\TextInputHost.exe and C:\Users\All Users\USOShared\Logs\lsass.exe have no file-creation record here, so treat those paths as locations to check rather than confirmed drops.
- Each executable dropped by dwm.exe is accompanied by a file with a 14-character hexadecimal name and no extension in the same directory (6ccacd8608530f, 66fc9ff0ee96c2, 38384e6a620884, 61a52ddc9dd915); these companion files are a useful sweep indicator alongside the executables.
- The schtasks.exe for task IdleI carries PID 4780, the same number the original sample had. The sample had exited by then and the PID was reused, so PIDs should not be correlated across the whole report.
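To turn the 21 task definitions into something to hunt on, the Python below parses each schtasks.exe /create command line from the list above into a record and summarises the persistence set: the unique binaries and directories to sweep, the task names defined more than once (with /f the later definition replaces the earlier one), how many tasks run at the highest run level, and the shortest polling interval. This is an added example, not part of the report; the command lines are copied from it, and the regex-based switch parser is an assumption that covers only the switches seen here.

```python
"""Parse the schtasks.exe /create command lines from this report and summarise
the persistence they establish. Added example, not sandbox output; the
"<pid> <command line>" lines below are copied from the report's process list."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

REPORT_LINES = r'''
4836 schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\msedge.exe'" /f
3824 schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\L2Schemas\msedge.exe'" /rl HIGHEST /f
3444 schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\msedge.exe'" /rl HIGHEST /f
2376 schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe'" /f
748 schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe'" /rl HIGHEST /f
3328 schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe'" /rl HIGHEST /f
4496 schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /f
5068 schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
4828 schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1000 schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
556 schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
3592 schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
812 schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f
4548 schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
4780 schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
4388 schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe'" /f
916 schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe'" /rl HIGHEST /f
3296 schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe'" /rl HIGHEST /f
3228 schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\USOShared\Logs\lsass.exe'" /f
3996 schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\lsass.exe'" /rl HIGHEST /f
1452 schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\lsass.exe'" /rl HIGHEST /f
'''.strip().splitlines()


@dataclass(frozen=True)
class Task:
    pid: int
    name: str
    schedule: str              # /sc value, upper-cased
    every_min: Optional[int]   # /mo value for /sc MINUTE, else None
    highest: bool              # /rl HIGHEST present
    target: str                # /tr value with both quote layers removed


# One switch and its optional value. A value never starts with "/", so
# "/f /tr ..." is read as two switches rather than "/f" with value "/tr".
OPT_RE = re.compile(r'(/[a-z]+)(?:\s+("[^"]*"|(?!/)\S+))?', re.I)


def parse_create(pid: int, cmdline: str) -> Task:
    opts = {k.lower(): v.strip('"') for k, v in OPT_RE.findall(cmdline)}
    every = int(opts["/mo"]) if opts.get("/mo") else None
    return Task(pid, opts["/tn"], opts["/sc"].upper(), every,
                opts.get("/rl", "").upper() == "HIGHEST", opts["/tr"].strip("'"))


def parse_report(lines=REPORT_LINES) -> List[Task]:
    tasks = []
    for line in lines:
        pid, cmd = line.split(" ", 1)
        tasks.append(parse_create(int(pid), cmd))
    return tasks


def summarise(tasks: List[Task]) -> Dict[str, object]:
    """Hunting summary: where to look on disk, which names collide, how aggressive."""
    by_name = Counter(t.name for t in tasks)
    return {
        "task_count": len(tasks),
        "targets": sorted({t.target for t in tasks}),
        "binaries": sorted({PureWindowsPath(t.target).name.lower() for t in tasks}),
        # /f overwrites an existing task of the same name, so only the last
        # definition of each duplicated name survives on the host.
        "overwritten_names": sorted(n for n, c in by_name.items() if c > 1),
        "elevated": sum(t.highest for t in tasks),
        "shortest_interval_min": min(t.every_min for t in tasks if t.every_min),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_report()).items():
        print(f"{key}: {value}")
```

The "targets" list is the sweep list for a live host: seven paths, five of which this report shows being written, plus the two it only references from the tasks.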
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.6MB
MD5 81e978a9392b56444619c5fc28bcf0b0
SHA1 cf322f5be4a9c3fad09714a1efb7e730ba977c40
SHA256 70eae81f9363375c7301e4d48a7c5bc5588a9100cbd300eb358fed2327c40dbe
SHA512 370e4faf61c93d47b3e60196fc1f8c17de35b076b383566a817c5a2358396dd6a7dc5677b86115cd61d413e4c717ddc5c426aaa2590f47b63643bbfab148d76c
-
Filesize
72KB
MD5 2c7d37e90dd8ab57d06dad5bc7956885
SHA1 da789c107c4c68b8250b6589e45e5a3cf7a9a143
SHA256 5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939
SHA512 e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f
-
Filesize
184B
MD5 3adcf57e62576707b7515ddf1a315eb7
SHA1 170ba54762bdee18e604dcc827607d9e1485f796
SHA256 08e3a2fd20cc880de4c7f9f1e2cd88a8ebdbdb7d38f2620dbd3c1f62c4b09f49
SHA512 c4b38fc7517818d3f56bfd2108799dccb331f7395a3b70fc7bc2a6cf2a5906cde006a547fdcc2e641f935d0ba89423668851d0837e06358650463e078d5b9dcb
-
Filesize
174B
MD5 d140d65ea96f1a8e52a20c00b8092225
SHA1 4f7831d9ee21770079e91f083b8c4ce77a544695
SHA256 2dc114e83c3e2339c249a58648875ec0988dec9158ab35cbfe9cff50171ae3ac
SHA512 4c0539d4584d7814ea3c73b771a80321fc58208e9a122f29129898621d0dbe4de72c05100c9fac7f503b0b7a0ada4045cedd7fb9434bd904bb51b8b9a74f3830
-
Filesize
1.3MB
MD5 6a052712569ad65c7bd5a0ffab54c051
SHA1 0dbff6cdf01b13465a729e2370cf2244fe5a0218
SHA256 ab64355e0ceb9e47a235a8f1be8d557d22e267521be47733d476f8004a3a69e0
SHA512 8875cd956120870a452dd85113e90cf3b3fe7132bf6b699caf9944a72b8700dced4e5e41e882c021b34a376fa645c2a841e454eba49bda684285512baaa91cda
-
Filesize
244B
MD5 30a1a984f3afcec8d166e9b90ae4dded
SHA1 5dd5a1fb85732376bcb5478e5f627d251ef79983
SHA256 6fc7d156666453ba430f30ea19b47c55a0bf88a7c1a8ce407322270e8f596929
SHA512 63e72a5178fbffda94382356177f07a0781bb4a597be67075395c3afe4002a9c186d5b5edb5b7e4bed6c38c8c8b06acc0c623a0ec963fa4216383a6112ffc768