Analysis
-
max time kernel
131s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
14-05-2024 13:41
Behavioral task
behavioral1
Sample
ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe
Resource
win10v2004-20240508-en
General
-
Target
ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe
-
Size
1.1MB
-
MD5
2768c63cfbffae59b6c2c5483e804d14
-
SHA1
a577f6aa123f1b641a780ef4cf205b73c2b2bfc3
-
SHA256
ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4
-
SHA512
7ae59899ac9d77e98f5f52e2eeee350bade1aab284fc65bb64ba1ff605a8c7148ae535b8b69bb0fedfde6449becd87b5a0678ce241414d54b7b759c36dd0da04
-
SSDEEP
24576:U2G/nvxW3Ww0tkAyVPwER/v6Yq9/zI2SV6/6ODpvdcKRWksjQ:UbA30kAyRwE332SV6XDzRLs0
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe (51 instances)
description pid pid_target process target process
Row, repeated 51 times and differing only in pid: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process <pid> 2460 schtasks.exe
pid values: 2456, 2484, 2992, 760, 652, 1524, 1016, 1468, 1292, 2848, 2840, 1656, 2284, 2788, 2752, 2680, 2648, 2780, 1896, 2748, 2800, 2816, 1840, 1252, 1748, 1640, 2288, 2044, 1188, 2160, 2080, 1960, 1752, 3016, 1044, 1316, 1492, 1608, 996, 1836, 292, 2204, 588, 2336, 2920, 1648, 2224, 2940, 2932, 1220, 1704
-
Processes:
resource yara_rule
\portMonitor\MsRuntimeperf.exe dcrat
behavioral1/memory/2528-13-0x00000000009A0000-0x0000000000A76000-memory.dmp dcrat
behavioral1/memory/1740-54-0x0000000000AF0000-0x0000000000BC6000-memory.dmp dcrat
-
Executes dropped EXE 2 IoCs
Processes:
MsRuntimeperf.exe, smss.exe
pid process
2528 MsRuntimeperf.exe
1740 smss.exe
-
Loads dropped DLL 2 IoCs
Processes:
cmd.exe
pid process
2052 cmd.exe (2 rows)
-
Drops file in Program Files directory 14 IoCs
Processes:
MsRuntimeperf.exe
description ioc process
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\101b941d020240 MsRuntimeperf.exe
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\0a1fd5f707cd16 MsRuntimeperf.exe
File created C:\Program Files\Microsoft Games\csrss.exe MsRuntimeperf.exe
File created C:\Program Files\7-Zip\Lang\Idle.exe MsRuntimeperf.exe
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe MsRuntimeperf.exe
File created C:\Program Files\Internet Explorer\de-DE\MsRuntimeperf.exe MsRuntimeperf.exe
File created C:\Program Files\Internet Explorer\de-DE\20f8ab3cca85d5 MsRuntimeperf.exe
File created C:\Program Files\Java\jre7\bin\6cb0b6c459d5d3 MsRuntimeperf.exe
File created C:\Program Files\7-Zip\Lang\6ccacd8608530f MsRuntimeperf.exe
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe MsRuntimeperf.exe
File created C:\Program Files\Java\jre7\bin\dwm.exe MsRuntimeperf.exe
File created C:\Program Files\Common Files\Services\886983d96e3d3e MsRuntimeperf.exe
File created C:\Program Files\Microsoft Games\886983d96e3d3e MsRuntimeperf.exe
File created C:\Program Files\Common Files\Services\csrss.exe MsRuntimeperf.exe
-
Drops file in Windows directory 1 IoCs
Processes:
MsRuntimeperf.exe
description ioc process
File created C:\Windows\CSC\v2.0.6\spoolsv.exe MsRuntimeperf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (51 instances)
pid process
Row, repeated 51 times and differing only in pid: <pid> schtasks.exe
pid values: 2992, 2752, 2224, 1840, 2204, 1648, 588, 1640, 1220, 1524, 2680, 2816, 2920, 2800, 1492, 1836, 3016, 2932, 2648, 2288, 2044, 1252, 1608, 2848, 2780, 760, 1188, 2160, 2484, 1468, 1044, 996, 2456, 1016, 2284, 1292, 2940, 2840, 2748, 1960, 2336, 1316, 292, 652, 1656, 2080, 1896, 1748, 1752, 2788, 1704
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
MsRuntimeperf.exe, smss.exe
pid process
2528 MsRuntimeperf.exe (17 rows)
1740 smss.exe (9 rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
smss.exe
pid process
1740 smss.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
MsRuntimeperf.exe, smss.exe
description pid process
Token: SeDebugPrivilege 2528 MsRuntimeperf.exe
Token: SeDebugPrivilege 1740 smss.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe, WScript.exe, cmd.exe, MsRuntimeperf.exe
description pid process target process
PID 2120 wrote to memory of 2124 2120 ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe WScript.exe (4 rows)
PID 2124 wrote to memory of 2052 2124 WScript.exe cmd.exe (4 rows)
PID 2052 wrote to memory of 2528 2052 cmd.exe MsRuntimeperf.exe (4 rows)
PID 2528 wrote to memory of 1740 2528 MsRuntimeperf.exe smss.exe (3 rows)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe
"C:\Users\Admin\AppData\Local\Temp\ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4.exe"
Depth: 1
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portMonitor\7qmHZrFz6PlKEeySf7g6q7bPLdDi.vbe"
Depth: 2
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\portMonitor\1iRUSp.bat" "
Depth: 3
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\portMonitor\MsRuntimeperf.exe
"C:\portMonitor\MsRuntimeperf.exe"
Depth: 4
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Users\All Users\Application Data\smss.exe
"C:\Users\All Users\Application Data\smss.exe"
Depth: 5
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\smss.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Videos\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRuntimeperfM" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\MsRuntimeperf.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRuntimeperf" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\MsRuntimeperf.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRuntimeperfM" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\MsRuntimeperf.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\smss.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\sppsvc.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\conhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\conhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\conhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\portMonitor\Idle.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\portMonitor\Idle.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\portMonitor\Idle.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\csrss.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\csrss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\csrss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\dwm.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Idle.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\portMonitor\sppsvc.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\portMonitor\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\portMonitor\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\smss.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\winlogon.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Documents\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704
Network
MITRE ATT&CK Enterprise v15
Downloads