Analysis
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 01:14
Behavioral task behavioral1
Sample: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource: win10v2004-20240508-en
General
Target: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Size: 829KB
MD5: 3bd8d1abdfdf35856a1b35c6824bd6f2
SHA1: 3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
SHA256: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
SHA512: 11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797
SSDEEP: 12288:Qu1cCMKdiaT3Ok1MVBFdpkj6fe9BSbwfKyw8:VOlKUaT3O7VBFdpLWQEfKyP
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent of all 33 schtasks.exe instances is WmiPrvSE.exe (PID 1700), the WMI provider host. Processes created through WMI (Win32_Process.Create) show up as children of WmiPrvSE.exe rather than of the caller, so the more likely reading here is that the sample's process chain launched schtasks.exe via WMI, not that WmiPrvSE.exe itself was exploited. Either way, schtasks.exe under WmiPrvSE.exe is a strong parent/child anomaly worth alerting on.
Processes: schtasks.exe (33 instances)
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (identical for all 33 rows)
pid_target: 1700 (wmiprvse.exe, identical for all 33 rows)
process: schtasks.exe
pid: 3608, 1268, 3956, 4020, 3568, 3940, 4920, 5092, 5048, 984, 4380, 2984, 1376, 512, 4076, 1592, 376, 3932, 3884, 4084, 3000, 3596, 3208, 1472, 5112, 4044, 2776, 4016, 5044, 3108, 1896, 3372, 5116
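The parent/child check behind this signature can be reproduced offline from process-creation telemetry. The following is an added example written for this page, not the sandbox's own signature code: it builds a parent allowlist per child image and flags every process whose actual parent is not on it, then collapses the 33 per-process hits into a single alert keyed on (parent, parent PID, child). The event records are constructed from the PIDs and images in this report; the record shape, the allowlist, and the PIDs assigned to the sample's parent (explorer.exe, 1000) and to WmiPrvSE's parent (svchost.exe, 900) are assumptions.

```python
"""Flag child processes whose parent is not one of their expected launchers.

Added example; not part of the sandbox report or of its signature logic.
The events are constructed from the PIDs and images in this report; the
record shape (pid, ppid, image), the allowlist, and the parents given to the
sample (explorer.exe, pid 1000) and to WmiPrvSE.exe (svchost.exe, pid 900)
are assumptions.
"""
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"

# The 33 schtasks.exe PIDs the report attributes to parent PID 1700 (WmiPrvSE.exe).
SCHTASKS_PIDS = [3608, 1268, 3956, 4020, 3568, 3940, 4920, 5092, 5048, 984, 4380,
                 2984, 1376, 512, 4076, 1592, 376, 3932, 3884, 4084, 3000, 3596,
                 3208, 1472, 5112, 4044, 2776, 4016, 5044, 3108, 1896, 3372, 5116]

EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe"},            # assumed
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe"},     # assumed
    {"pid": 4676, "ppid": 1000, "image": SAMPLE},
    {"pid": 4936, "ppid": 4676, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 832, "ppid": 4936, "image": r"C:\Windows\system32\w32tm.exe"},
    {"pid": 2716, "ppid": 4936, "image": r"C:\Program Files (x86)\Microsoft\lsass.exe"},
    {"pid": 1700, "ppid": 900, "image": r"C:\Windows\system32\wbem\wmiprvse.exe"},
] + [{"pid": p, "ppid": 1700, "image": r"C:\Windows\system32\schtasks.exe"} for p in SCHTASKS_PIDS]

# Parents from which these children are routinely seen (an assumed baseline;
# tune to your estate). Child images not listed here are not judged.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe", "msiexec.exe"},
    "w32tm.exe": {"cmd.exe", "svchost.exe"},
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_children(events):
    """Return (child_pid, child_name, parent_pid, parent_name) for each violation."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        child = basename(e["image"])
        allowed = EXPECTED_PARENTS.get(child)
        if allowed is None:
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else "<unknown>"
        if parent_name not in allowed:
            findings.append((e["pid"], child, e["ppid"], parent_name))
    return findings


def summarize(findings):
    """Collapse per-process findings into (parent_name, parent_pid, child_name) -> count.
    One WmiPrvSE.exe spawning 33 schtasks.exe is one incident, not 33 alerts."""
    return Counter((pn, pp, cn) for _, cn, pp, pn in findings)


if __name__ == "__main__":
    for (parent, ppid, child), n in summarize(unexpected_children(EVENTS)).items():
        print(f"{parent} (pid {ppid}) spawned {child} x{n}: unexpected parent")
```

Note that w32tm.exe under cmd.exe passes, and the dropped lsass.exe is not judged at all by this rule; catching it needs a path check on the image name (lsass.exe is only legitimate from System32), which is a separate rule.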
Yara matches (resource | yara_rule):
behavioral2/memory/4676-1-0x0000000000720000-0x00000000007F6000-memory.dmp | dcrat
C:\Recovery\WindowsRE\dllhost.exe | dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Executes dropped EXE 1 IoCs
Processes: lsass.exe
pid | process
2716 | lsass.exe
Drops file in Program Files directory 8 IoCs
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
description | ioc | process (all rows: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe)
File created | C:\Program Files (x86)\Microsoft\lsass.exe
File created | C:\Program Files (x86)\Microsoft\6203df4a6bafc7
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\0a1fd5f707cd16
File created | C:\Program Files\Windows Multimedia Platform\wininit.exe
File created | C:\Program Files\Windows Multimedia Platform\56085415360792
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e
Drops file in Windows directory 5 IoCs
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
description | ioc | process (all rows: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe)
File created | C:\Windows\ShellComponents\RuntimeBroker.exe
File created | C:\Windows\ShellComponents\9e8d7a4ca61bd9
File created | C:\Windows\uk-UA\StartMenuExperienceHost.exe
File created | C:\Windows\uk-UA\55b276f4edf653
File created | C:\Windows\LanguageOverlayCache\dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (33 instances)
pid (all rows: schtasks.exe): 3608, 4020, 3568, 4380, 2984, 1592, 5044, 4920, 5112, 4044, 3884, 3596, 4016, 5116, 2776, 3108, 1896, 984, 3932, 3000, 1472, 3372, 1268, 3956, 5092, 4084, 376, 3940, 5048, 512, 4076, 1376, 3208
Modifies registry class 1 IoCs
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe, lsass.exe
pid | process
4676 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe (7 entries)
2716 | lsass.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe, lsass.exe
description | pid | process
Token: SeDebugPrivilege | 4676 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Token: SeDebugPrivilege | 2716 | lsass.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe, cmd.exe
description | pid | process | target process (each pair is logged twice)
PID 4676 wrote to memory of 4936 | 4676 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe | cmd.exe
PID 4936 wrote to memory of 832 | 4936 | cmd.exe | w32tm.exe
PID 4936 wrote to memory of 2716 | 4936 | cmd.exe | lsass.exe
These writes are the ordinary parent-to-child writes made during process creation, not injection: the sample launches cmd.exe on the dropped batch file, and the batch file runs w32tm.exe and then the dropped lsass.exe. The w32tm invocation (w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2) performs no useful time synchronisation; batch droppers use it as a roughly five-second sleep before starting the payload.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4676

    C:\Windows\System32\cmd.exe (child of PID 4676)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wxdqebA6cN.bat"
    - Suspicious use of WriteProcessMemory
    PID: 4936

        C:\Windows\system32\w32tm.exe (child of PID 4936)
        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        PID: 832

        C:\Program Files (x86)\Microsoft\lsass.exe (child of PID 4936)
        Command line: "C:\Program Files (x86)\Microsoft\lsass.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2716

The following 33 schtasks.exe processes (image C:\Windows\system32\schtasks.exe) appear at the top level of the tree; the "Process spawned unexpected child process" signature above attributes all of them to parent PID 1700 (wmiprvse.exe). Each carries the same two tags:
- Process spawned unexpected child process
- Creates scheduled task(s)

PID 3608: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
PID 4020: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
PID 3956: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
PID 1268: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /f
PID 4920: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
PID 3568: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
PID 3940: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f
PID 5092: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
PID 5048: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
PID 984: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
PID 4380: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
PID 2984: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
PID 1376: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
PID 512: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
PID 4076: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
PID 1592: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /f
PID 376: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f
PID 3932: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f
PID 3884: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f
PID 4084: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
PID 3000: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
PID 3596: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
PID 3208: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
PID 1472: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
PID 5112: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /f
PID 4044: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
PID 2776: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
PID 4016: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\uk-UA\StartMenuExperienceHost.exe'" /f
PID 5044: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f
PID 3108: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f
PID 1896: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /f
PID 3372: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
PID 5116: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 829KB
MD5: 3bd8d1abdfdf35856a1b35c6824bd6f2
SHA1: 3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
SHA256: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
SHA512: 11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797

Filesize: 207B
MD5: 85db6b175bcd489319c99c4befe403e5
SHA1: 0e5e6489b43c02c9257315a051540e470af69fdb
SHA256: 7ac867cee33d8c7b4a60fcf8992785165520ad746eb73d69ca19d894365cf59d
SHA512: da5b5edc9ab71be889e0fa9afecb445809e686e3824228cea8ec893b7a122edb973ab9b9fc06b84d656b70b7db0661874141286823de40225e69e2770411660e