Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 00:25

Behavioral task behavioral1
Sample: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
Resource: win10v2004-20240508-en

General
Target: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
Size: 3.7MB
MD5: 6f2466923bafbabe0788c6126ff713d9
SHA1: 2fb2911f4a08458e9aa922e4b8f6e6b4a7c2c81c
SHA256: 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad
SHA512: ebc5f71d041828eb54781d5fee466b0026586dfe6929fb2327a7bfb016b13427f2177b7d405523ff3457f8a1808335d76fc24467de4ef0a9dcc0a41a638f5d30
SSDEEP: 98304:+XXAzJltvwAu5QfCWC2UxdYZhOIeBXJcu3O:+HAzXtzu5QfCWPK+/2tJcz
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 47 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the unexpected parent is WmiPrvSE.exe, the WMI provider host. That is the parent recorded when a process is created through WMI (for example Win32_Process.Create) rather than directly by the caller, which is consistent with the tasks being registered via WMI instead of a plain CreateProcess from componentRef.exe; it is also why the schtasks.exe processes show no link to the dropper in the process tree below and appear there at the top level.
Processes: schtasks.exe (47 instances)
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2592) is not expected to spawn this process. Child schtasks.exe PIDs:
1800, 1316, 2468, 2308, 2816, 2788, 2984, 2936, 2312, 1656, 1308, 2480, 840, 1344, 2780, 2748, 1240, 1068, 1252, 2248, 2164, 2112, 992, 2396, 688, 1848, 2292, 1472, 1040, 584, 2880, 2600, 2064, 2004, 1540, 332, 912, 2228, 2204, 1500, 2320, 3052, 2284, 772, 1516, 1360, 1320
DcRat YARA matches
resource                                                                     yara_rule
\bridgeComponentRuntimehostnet\componentRef.exe                              dcrat
behavioral1/memory/2644-16-0x0000000000F80000-0x00000000011F6000-memory.dmp  dcrat
behavioral1/memory/1948-66-0x0000000000300000-0x0000000000576000-memory.dmp  dcrat

Detects executables packed with SmartAssembly 1 IoCs
resource                                                                     yara_rule
behavioral1/memory/2644-24-0x0000000000BC0000-0x0000000000BCA000-memory.dmp  INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 2 IoCs
pid   process
2644  componentRef.exe
1948  lsm.exe

Loads dropped DLL 2 IoCs
pid   process
2572  cmd.exe
2572  cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid   process
1504  9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe

Drops file in Program Files directory 6 IoCs
All files created by componentRef.exe:
C:\Program Files\Mozilla Firefox\fonts\6ccacd8608530f
C:\Program Files\Windows Sidebar\ja-JP\taskhost.exe
C:\Program Files\Windows Sidebar\ja-JP\b75386f1303e64
C:\Program Files\Windows Sidebar\de-DE\audiodg.exe
C:\Program Files\Windows Sidebar\de-DE\42af1c969fbb7b
C:\Program Files\Mozilla Firefox\fonts\Idle.exe

Drops file in Windows directory 7 IoCs
All files created by componentRef.exe:
C:\Windows\servicing\de-DE\Idle.exe
C:\Windows\SchCache\audiodg.exe
C:\Windows\SchCache\42af1c969fbb7b
C:\Windows\TAPI\lsm.exe
C:\Windows\TAPI\101b941d020240
C:\Windows\AppCompat\lsm.exe
C:\Windows\AppCompat\101b941d020240

Every executable in these two lists except C:\Windows\servicing\de-DE\Idle.exe is written next to a companion file with a 14-hex-character name, and the companion name follows the executable: 42af1c969fbb7b accompanies audiodg.exe in both Windows Sidebar\de-DE and SchCache, 101b941d020240 accompanies lsm.exe in both TAPI and AppCompat. When hunting on a live host, look for these companion files as well as the executables; a system-binary name such as lsm.exe or audiodg.exe sitting outside System32/SysWOW64 is the stronger signal.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (48 instances), PIDs:
2004, 332, 2480, 2780, 2164, 2748, 1068, 1848, 2292, 1040, 1800, 1316, 2816, 3052, 1360, 2600, 2064, 2204, 584, 2320, 2880, 2228, 1500, 2984, 2248, 2396, 2284, 2436, 1308, 912, 2112, 1472, 1540, 1516, 1320, 2936, 1656, 840, 2312, 992, 772, 2468, 2308, 2788, 688, 1344, 1240, 1252

Suspicious behavior: EnumeratesProcesses 19 IoCs
pid   process                                                                 hits
1504  9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe    1
2644  componentRef.exe                                                        5
1948  lsm.exe                                                                 13

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   process
1948  lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
pid   process           token
2644  componentRef.exe  SeDebugPrivilege
1948  lsm.exe           SeDebugPrivilege

Suspicious use of SetWindowsHookEx 1 IoCs
pid   process
1504  9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe

Suspicious use of WriteProcessMemory 27 IoCs
pid   process                                                                 target pid  target process    events
1504  9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe    2344        WScript.exe       4
2344  WScript.exe                                                             2572        cmd.exe           4
2572  cmd.exe                                                                 2644        componentRef.exe  4
2644  componentRef.exe                                                        1704        cmd.exe           3
1704  cmd.exe                                                                 1060        w32tm.exe         3
1704  cmd.exe                                                                 1948        lsm.exe           3
1948  lsm.exe                                                                 2500        WScript.exe       3
1948  lsm.exe                                                                 2784        WScript.exe       3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth in brackets; the 48 schtasks.exe processes, which have no parent inside this tree, are listed separately afterwards.

[1] C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe (PID 1504)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe (PID 2344)
      Command line: "C:\Windows\System32\WScript.exe" "C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2572)
        Command line: cmd /c ""C:\bridgeComponentRuntimehostnet\worw0dI33.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\bridgeComponentRuntimehostnet\componentRef.exe (PID 2644)
          Command line: "C:\bridgeComponentRuntimehostnet\componentRef.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\cmd.exe (PID 1704)
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rA5VqWe8jw.bat"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\w32tm.exe (PID 1060)
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              (Two samples five seconds apart against localhost: the batch file uses this as a roughly five-second pause before starting lsm.exe, a common stand-in for sleep or ping in batch launchers; it does no time synchronisation.)
          [6] C:\Windows\TAPI\lsm.exe (PID 1948)
              Command line: "C:\Windows\TAPI\lsm.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\System32\WScript.exe (PID 2500)
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d61ed3b9-aa48-4eba-bfca-b974c8b81813.vbs"
            [7] C:\Windows\System32\WScript.exe (PID 2784)
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce7a82a2-36c7-4f08-8f41-ff7e12726b0a.vbs"
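The chain above (dropper to WScript to cmd to a renamed copy under a made-up C:\ root, a w32tm pause, a system-binary name running from C:\Windows\TAPI, and schtasks.exe under WmiPrvSE.exe) is what a lineage-based detection should key on rather than any single image name. The following is an added example and not part of the Triage report or the sample: it runs four such rules over constructed process-creation events whose PIDs, images and command lines are copied from the tree and signatures above. The PPIDs of WmiPrvSE.exe (600) and of the sample itself (1000), the "cmd /c dir" control event, the rule names and the STANDARD_ROOTS list are assumptions of this example.

```python
"""Lineage rules for the execution chain in this report (added example, not Triage code)."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names this dropper reuses for its copies; the genuine binaries live only in SYSTEM_DIRS.
SYSTEM_BINARY_NAMES = {
    "lsm.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe", "wininit.exe",
    "audiodg.exe", "taskhost.exe", "conhost.exe", "sppsvc.exe",
}
# Top-level directories Windows or a normal installer creates on a Windows 7 host (assumed list).
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "users",
                  "programdata", "msocache", "recovery", "$recycle.bin", "perflogs"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

SAMPLE_NAME = "9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE_NAME)

# Constructed events. PIDs, images and command lines come from the report's process tree;
# WmiPrvSE.exe (PID 2592) is the parent named in the "unexpected child process" signature.
# PPIDs 600 and 1000 and the final "cmd /c dir" control are invented.
SAMPLE_EVENTS = [
    ProcEvent(2592, 600, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    ProcEvent(1504, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2344, 1504, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe"'),
    ProcEvent(2572, 2344, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\bridgeComponentRuntimehostnet\worw0dI33.bat" "'),
    ProcEvent(2644, 2572, r"C:\bridgeComponentRuntimehostnet\componentRef.exe",
              r'"C:\bridgeComponentRuntimehostnet\componentRef.exe"'),
    ProcEvent(1704, 2644, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rA5VqWe8jw.bat"'),
    ProcEvent(1060, 1704, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(1948, 1704, r"C:\Windows\TAPI\lsm.exe", r'"C:\Windows\TAPI\lsm.exe"'),
    ProcEvent(2468, 2592, r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f"""),
    ProcEvent(3100, 3000, r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]


def _name(path):
    return ntpath.basename(path).lower()


def lineage(pid, by_pid):
    """Image names from the given process up to the last ancestor we have an event for (child first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def outside_standard_root(path):
    """True for <drive>:\<dir>\... where <dir> is not one of the expected top-level directories."""
    parts = path.lower().split("\\")
    return len(parts) >= 3 and parts[0].endswith(":") and parts[1] not in STANDARD_ROOTS


def detect(events):
    """Return (rule, pid) findings, in event order, for the lineage patterns seen in this sample."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _name(e.image)
        chain = lineage(e.pid, by_pid)                 # chain[0] is e itself
        parent = chain[1] if len(chain) > 1 else ""
        # R1: schtasks.exe whose parent is the WMI provider host (process launched via WMI).
        if name == "schtasks.exe" and parent == "wmiprvse.exe":
            findings.append(("schtasks_from_wmiprvse", e.pid))
        # R2: script host -> cmd.exe -> executable living under a non-standard C:\ root.
        if (len(chain) >= 3 and chain[1] == "cmd.exe" and chain[2] in SCRIPT_HOSTS
                and outside_standard_root(e.image)):
            findings.append(("script_host_cmd_nonstandard_exe", e.pid))
        # R3: w32tm /stripchart started by cmd.exe is a sleep substitute, not time sync.
        if name == "w32tm.exe" and parent == "cmd.exe" and "/stripchart" in e.cmdline.lower():
            findings.append(("w32tm_stripchart_delay", e.pid))
        # R4: a system-binary name running from anywhere but System32/SysWOW64.
        if name in SYSTEM_BINARY_NAMES and ntpath.dirname(e.image).lower() not in SYSTEM_DIRS:
            findings.append(("system_binary_name_outside_system32", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

R2 needs the grandparent, so it only fires once the full lineage is available (Sysmon event 1 or a process-tree export); R1, R3 and R4 work on a single parent/child pair. R4 is the cheapest and catches every copy this sample drops, because none of them is placed in a system directory.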
Scheduled tasks created (48 schtasks.exe processes at depth 1 of the tree)
Every entry has the form
  C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "<task name>" /sc <schedule> [/mo <n>] /tr "'<target>'" [/rl HIGHEST] /f
and carries the "Creates scheduled task(s)" signature; all except PID 2436 also carry "Process spawned unexpected child process" (parent WmiPrvSE.exe, PID 2592). Each target is registered three times: a MINUTE task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST. The task name is the target's file name, or that name with its own first letter appended ("lsml", "wininitw", "IdleI", "componentRefc").

PID   Task name      Schedule        Run level  Target
2436  wininitw       MINUTE /mo 7    -          C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe
2468  wininit        ONLOGON         HIGHEST    C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe
1316  wininitw       MINUTE /mo 10   HIGHEST    C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe
1800  audiodga       MINUTE /mo 7    -          C:\Program Files\Windows Sidebar\de-DE\audiodg.exe
2308  audiodg        ONLOGON         HIGHEST    C:\Program Files\Windows Sidebar\de-DE\audiodg.exe
2788  audiodga       MINUTE /mo 5    HIGHEST    C:\Program Files\Windows Sidebar\de-DE\audiodg.exe
2816  lsml           MINUTE /mo 14   -          C:\Windows\AppCompat\lsm.exe
2936  lsm            ONLOGON         HIGHEST    C:\Windows\AppCompat\lsm.exe
2984  lsml           MINUTE /mo 5    HIGHEST    C:\Windows\AppCompat\lsm.exe
1308  IdleI          MINUTE /mo 6    -          C:\Program Files\Mozilla Firefox\fonts\Idle.exe
1656  Idle           ONLOGON         HIGHEST    C:\Program Files\Mozilla Firefox\fonts\Idle.exe
2312  IdleI          MINUTE /mo 6    HIGHEST    C:\Program Files\Mozilla Firefox\fonts\Idle.exe
1344  taskhostt      MINUTE /mo 6    -          C:\Program Files\Windows Sidebar\ja-JP\taskhost.exe
840   taskhost       ONLOGON         HIGHEST    C:\Program Files\Windows Sidebar\ja-JP\taskhost.exe
2480  taskhostt      MINUTE /mo 6    HIGHEST    C:\Program Files\Windows Sidebar\ja-JP\taskhost.exe
2748  conhostc       MINUTE /mo 5    -          C:\MSOCache\All Users\conhost.exe
2780  conhost        ONLOGON         HIGHEST    C:\MSOCache\All Users\conhost.exe
1240  conhostc       MINUTE /mo 5    HIGHEST    C:\MSOCache\All Users\conhost.exe
1252  lsassl         MINUTE /mo 8    -          C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
1068  lsass          ONLOGON         HIGHEST    C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
2248  lsassl         MINUTE /mo 7    HIGHEST    C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
2064  taskhostt      MINUTE /mo 7    -          C:\bridgeComponentRuntimehostnet\taskhost.exe
2600  taskhost       ONLOGON         HIGHEST    C:\bridgeComponentRuntimehostnet\taskhost.exe
2164  taskhostt      MINUTE /mo 12   HIGHEST    C:\bridgeComponentRuntimehostnet\taskhost.exe
2880  servicess      MINUTE /mo 14   -          C:\Users\Default\Pictures\services.exe
2112  services       ONLOGON         HIGHEST    C:\Users\Default\Pictures\services.exe
584   servicess      MINUTE /mo 9    HIGHEST    C:\Users\Default\Pictures\services.exe
1040  sppsvcs        MINUTE /mo 6    -          C:\bridgeComponentRuntimehostnet\sppsvc.exe
1472  sppsvc         ONLOGON         HIGHEST    C:\bridgeComponentRuntimehostnet\sppsvc.exe
2292  sppsvcs        MINUTE /mo 14   HIGHEST    C:\bridgeComponentRuntimehostnet\sppsvc.exe
1848  servicess      MINUTE /mo 8    -          C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe
992   services       ONLOGON         HIGHEST    C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe
688   servicess      MINUTE /mo 12   HIGHEST    C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe
2396  componentRefc  MINUTE /mo 8    -          C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\componentRef.exe
2004  componentRef   ONLOGON         HIGHEST    C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\componentRef.exe
1540  componentRefc  MINUTE /mo 13   HIGHEST    C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\componentRef.exe
1320  smsss          MINUTE /mo 5    -          C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe
1360  smss           ONLOGON         HIGHEST    C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe
1516  smsss          MINUTE /mo 10   HIGHEST    C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe
332   audiodga       MINUTE /mo 12   -          C:\Windows\SchCache\audiodg.exe
912   audiodg        ONLOGON         HIGHEST    C:\Windows\SchCache\audiodg.exe
772   audiodga       MINUTE /mo 10   HIGHEST    C:\Windows\SchCache\audiodg.exe
2228  csrssc         MINUTE /mo 6    -          C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
2284  csrss          ONLOGON         HIGHEST    C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
3052  csrssc         MINUTE /mo 10   HIGHEST    C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
2320  lsml           MINUTE /mo 12   -          C:\Windows\TAPI\lsm.exe
1500  lsm            ONLOGON         HIGHEST    C:\Windows\TAPI\lsm.exe
2204  lsml           MINUTE /mo 14   HIGHEST    C:\Windows\TAPI\lsm.exe

Two points for anyone cleaning this up. First, four task-name pairs are registered twice for different targets (audiodg/audiodga, lsm/lsml, taskhost/taskhostt, services/servicess); because every call uses /f, the later registration replaces the earlier one, so only the last target for each name survives in the Task Scheduler store. Second, the targets under C:\Recovery, C:\MSOCache and C:\Users\Default\Pictures do not appear in the file-drop signatures above, which cover only the Program Files and Windows directories; check those paths directly rather than relying on the drop list.
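The table above is also a compact description of what to alert on: a task name that copies the target's file name, a system-binary name pointed at a directory outside System32, a minute-interval re-launch, a HIGHEST run level, and a logon trigger plus a minute trigger for the same binary. The following is an added example and not part of the Triage report or the sample: it parses `schtasks /create` command lines, groups them by target and attaches those indicators. The first five sample lines are copied from the table above; the AcmeBackup lines are a constructed benign control, and the indicator names, the 15-minute threshold and the `min_flags=3` cut-off are assumptions of this example.

```python
"""Scoring schtasks /create command lines for this report's persistence pattern (added example, not Triage code)."""
import ntpath
import re
from collections import defaultdict

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARY_NAMES = {
    "lsm.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe", "wininit.exe",
    "audiodg.exe", "taskhost.exe", "conhost.exe", "sppsvc.exe",
}

_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
_RL = re.compile(r"/rl\s+(\S+)", re.I)


def parse_schtasks(cmdline):
    """Fields of a `schtasks /create` command line, or None for anything else."""
    if not _CREATE.search(cmdline):
        return None
    tn, sc, tr = _TN.search(cmdline), _SC.search(cmdline), _TR.search(cmdline)
    if not (tn and sc and tr):
        return None
    mo, rl = _MO.search(cmdline), _RL.search(cmdline)
    return {
        "name": tn.group(1),
        "schedule": sc.group(1).upper(),
        "modifier": int(mo.group(1)) if mo else None,
        # This dropper wraps the path in single quotes inside the double quotes; strip both.
        "target": tr.group(1).strip().strip("'"),
        "runlevel": rl.group(1).upper() if rl else "LIMITED",
    }


def task_flags(task):
    """Indicators that can be decided from one task on its own."""
    flags = set()
    base = ntpath.basename(task["target"]).lower()
    stem = ntpath.splitext(base)[0]
    name = task["name"].lower()
    # Task name equals the target's name, or that name with its own first letter appended
    # ("lsml", "wininitw", "IdleI"), the scheme used by every task in this report.
    if name == stem or (name[:-1] == stem and name[-1] == stem[:1]):
        flags.add("task_name_mimics_target")
    if base in SYSTEM_BINARY_NAMES and ntpath.dirname(task["target"]).lower() not in SYSTEM_DIRS:
        flags.add("system_binary_name_outside_system32")
    if task["runlevel"] == "HIGHEST":
        flags.add("runlevel_highest")
    if task["schedule"] == "MINUTE" and task["modifier"] is not None and task["modifier"] <= 15:
        flags.add("relaunch_every_few_minutes")
    return flags


def analyze(cmdlines):
    """Group /create lines by target path and add the cross-task indicator."""
    by_target = defaultdict(lambda: {"tasks": [], "flags": set()})
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        entry = by_target[task["target"]]
        entry["tasks"].append(task)
        entry["flags"] |= task_flags(task)
    for entry in by_target.values():
        schedules = {t["schedule"] for t in entry["tasks"]}
        # Logon trigger plus minute-interval trigger for the same binary.
        if {"ONLOGON", "MINUTE"} <= schedules:
            entry["flags"].add("onlogon_and_minute_for_same_target")
    return dict(by_target)


def suspicious_targets(result, min_flags=3):
    """Targets carrying at least min_flags indicators, most-flagged first."""
    ranked = sorted(result.items(), key=lambda kv: (-len(kv[1]["flags"]), kv[0]))
    return [target for target, entry in ranked if len(entry["flags"]) >= min_flags]


SAMPLE_CMDLINES = [
    # Copied from the report (PIDs 2816, 2936, 2984, 2436, 2396).
    r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\lsm.exe'" /f""",
    r"""schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\AppCompat\lsm.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\lsm.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f""",
    r"""schtasks.exe /create /tn "componentRefc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\componentRef.exe'" /f""",
    # Constructed benign control: a normal daily task and a non-/create invocation.
    r"""schtasks.exe /create /tn "AcmeBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" """,
    r"""schtasks.exe /query /tn "AcmeBackup" """,
]


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINES)
    for target in suspicious_targets(result):
        print(f"{len(result[target]['flags'])} indicators  {target}")
```

Run over Sysmon event 1 or 4688 command lines, `analyze` keys on the target path, so the two lsm.exe copies (AppCompat and TAPI) score separately even though they share task names; `task_name_mimics_target` alone is weak, but three or more indicators on one target is the pattern every copy in this report produces.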
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file (475B)
MD5: 3e8576fb7323320a9e0791c6c83ef217
SHA1: d9fa2cb7f8655451f31f5c5dc0d68299cefd6bbd
SHA256: f9c45210d9d56bedde616cd4db9f8645d22976f6dfd9c621f1c4cbb29fd102f3
SHA512: 71708bcf8a1701f717993aa5d4d8b673f306e5da40cae74429c3aae8fc60214c30be6dab6e519f4882b7a24959d6b85fba6edc832334964dd5561d2f15a8ee20

Dropped file (699B)
MD5: 0805f3d1d1145da00c49f6953106d619
SHA1: e20e1e226c546263b9939bab91fe2e1b8908d62e
SHA256: 433488437c3e04b28e0aa2df41f27f1892c1fa5578a17c930b00096a28a73b61
SHA512: 20715595effcdbbb959a5ca8149bfb29e3160993a4e90805945a1bbc0f8e8871a87db401eedde81abbef9651b6f50ac68ac7174477075d637050bc35947fe1bd

Dropped file (188B)
MD5: 49d59a86e8cea4c09a60ba4349a0e9ca
SHA1: f4d979f13f9d7663e2d5e48bb7ce88ccb6c280e0
SHA256: e430b9e4db49c4602765f3ed6efb00f67a8d969eb7f3cc6d240fca831648769a
SHA512: 4bcfb5090b5b2f1fc639d52dd8b4e24c926ba29b463c4b0a29ae35c98aaab0452f6c8977b0cf160cdddab9aa64ae3e27f99ee78c1b6ccba89d67594c53fec061

Dropped file (215B)
MD5: 403a1462c9f6034000cc5f6180be08b3
SHA1: fd7f04eafaaa752786aaffba321366fc1938c062
SHA256: adaf424ebd8d37a552019d5e4c8394031fadffa5411420db2a0ed8b002834424
SHA512: 61437b7aa711a1f6d598a00bcbb4919be2b72d58be5b6ad525272657992726c90ff79d39436dcae07a81f73978e01a223bcd11d0a2dce2423ac12de54d4f1e2c

Dropped file (51B)
MD5: 349cd009e089597bd6a43bdb489cd4d3
SHA1: 732820f42c008d4d5d10c04bc0f49ffcc9855619
SHA256: e4039e78bca312c284c412fc8a05d28521421824776faa4a5549a7b32742f671
SHA512: c5941a91c608027c924a366c38adff267fdad0f89b82b72db10ee632219bb5622255e97a0b02d4f46a2dd34130593ab1cf5d1c2b518b52e1c2d633c39bd9fd50

Dropped file (2.4MB)
MD5: 526153cbd86009228ad53cd262a9c6b3
SHA1: 6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2
SHA256: 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
SHA512: 9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665