Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 13:39
Behavioral task: behavioral1
Sample: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource: win10v2004-20240226-en
General
Target: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Size: 829KB
MD5: 3bd8d1abdfdf35856a1b35c6824bd6f2
SHA1: 3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
SHA256: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
SHA512: 11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797
SSDEEP: 12288:Qu1cCMKdiaT3Ok1MVBFdpkj6fe9BSbwfKyw8:VOlKUaT3O7VBFdpLWQEfKyP
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe
| description | pid | pid_target | process | target process |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2752 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2560 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2296 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2456 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2736 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2460 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1904 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2148 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2228 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 304 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1448 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1064 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1788 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1068 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2992 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1540 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3012 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2468 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 2520 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1440 | 2520 | schtasks.exe | |
-
Processes:
| resource | yara_rule |
|---|---|
| behavioral1/memory/2056-1-0x0000000000B20000-0x0000000000BF6000-memory.dmp | dcrat |
| C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe | dcrat |
| behavioral1/memory/2892-32-0x0000000000300000-0x00000000003D6000-memory.dmp | dcrat |
-
Executes dropped EXE 1 IoCs
Processes:
taskhost.exe
| pid | process |
|---|---|
| 2892 | taskhost.exe |
-
Drops file in Program Files directory 6 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
| description | ioc | process |
|---|---|---|
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6ccacd8608530f | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Program Files (x86)\Google\CrashReports\lsass.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Program Files (x86)\Google\CrashReports\6203df4a6bafc7 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Program Files\7-Zip\Lang\lsass.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Program Files\7-Zip\Lang\6203df4a6bafc7 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
-
Drops file in Windows directory 7 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
| description | ioc | process |
|---|---|---|
| File created | C:\Windows\Prefetch\ReadyBoot\winlogon.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Windows\Prefetch\ReadyBoot\cc11b995f2a76d | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Windows\Resources\Ease of Access Themes\wininit.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Windows\Resources\Ease of Access Themes\56085415360792 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Windows\Prefetch\ReadyBoot\spoolsv.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File opened for modification | C:\Windows\Prefetch\ReadyBoot\spoolsv.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| File created | C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe
| pid | process |
|---|---|
| 2460 | schtasks.exe |
| 2640 | schtasks.exe |
| 2816 | schtasks.exe |
| 1904 | schtasks.exe |
| 1068 | schtasks.exe |
| 2228 | schtasks.exe |
| 2992 | schtasks.exe |
| 3012 | schtasks.exe |
| 2456 | schtasks.exe |
| 2972 | schtasks.exe |
| 2516 | schtasks.exe |
| 2148 | schtasks.exe |
| 1440 | schtasks.exe |
| 2744 | schtasks.exe |
| 2596 | schtasks.exe |
| 1064 | schtasks.exe |
| 1540 | schtasks.exe |
| 2472 | schtasks.exe |
| 304 | schtasks.exe |
| 2576 | schtasks.exe |
| 2724 | schtasks.exe |
| 2548 | schtasks.exe |
| 1448 | schtasks.exe |
| 2736 | schtasks.exe |
| 2984 | schtasks.exe |
| 2624 | schtasks.exe |
| 2088 | schtasks.exe |
| 2752 | schtasks.exe |
| 2560 | schtasks.exe |
| 2296 | schtasks.exe |
| 2800 | schtasks.exe |
| 1788 | schtasks.exe |
| 2468 | schtasks.exe |
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe, taskhost.exe
| pid | process |
|---|---|
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| 2892 | taskhost.exe |
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe, taskhost.exe
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe |
| Token: SeDebugPrivilege | 2892 | taskhost.exe |
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
| description | pid | process | target process |
|---|---|---|---|
| PID 2056 wrote to memory of 2892 | 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe | taskhost.exe |
| PID 2056 wrote to memory of 2892 | 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe | taskhost.exe |
| PID 2056 wrote to memory of 2892 | 2056 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe | taskhost.exe |
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
"C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Default User\taskhost.exe
"C:\Users\Default User\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Documents\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 829KB
MD5: 3bd8d1abdfdf35856a1b35c6824bd6f2
SHA1: 3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
SHA256: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
SHA512: 11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797