Analysis
-
max time kernel
119s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 01:03
Behavioral task
behavioral1
Sample
0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
Resource
win10v2004-20240508-en
General
-
Target
0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
-
Size
827KB
-
MD5
3a1b3746d26413c8668fb533ab612284
-
SHA1
875d159c892558473519f947c0421672717f7e2c
-
SHA256
0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924
-
SHA512
26f20ae889e6a327d6cd710082c0a2ccf4e94a6cc90bd8b3916f7b28a00e7f7c23448c7dfc817242b48e80468779b815133db64a7a4b7b77dc8729a940e5a8fe
-
SSDEEP
12288:DqUgxxQIWHTZu9PBjhP/i4TuI+sqBcDOC6hThC/8bMCHZR:uZQ9HTZu9lN/i4qI+sq6+nNj
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2084 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2724 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2304 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2308 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2852 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2428 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2508 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2568 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2436 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2388 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2996 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2776 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1632 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1312 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 316 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1672 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1308 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2732 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1304 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2092 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1432 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2064 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1908 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1224 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 572 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 692 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1048 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1644 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1240 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1816 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 960 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1088 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2344 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1032 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1376 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1592 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1100 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1856 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1036 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 904 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 3008 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3044 3008 schtasks.exe -
Processes:
resource yara_rule behavioral1/memory/2944-1-0x0000000000AF0000-0x0000000000BC6000-memory.dmp dcrat C:\Users\Public\Favorites\services.exe dcrat behavioral1/memory/2956-47-0x0000000001170000-0x0000000001246000-memory.dmp dcrat -
Executes dropped EXE 1 IoCs
Processes:
lsm.exepid process 2956 lsm.exe -
Drops file in Program Files directory 11 IoCs
Processes:
0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exedescription ioc process File opened for modification C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files (x86)\Windows Sidebar\de-DE\69ddcba757bf72 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files\7-Zip\Lang\56085415360792 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files\Mozilla Firefox\fonts\dllhost.exe 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\winlogon.exe 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\cc11b995f2a76d 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files\7-Zip\Lang\wininit.exe 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files\Mozilla Firefox\fonts\5940a34987c991 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files\MSBuild\csrss.exe 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Program Files\MSBuild\886983d96e3d3e 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe -
Drops file in Windows directory 5 IoCs
Processes:
0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exedescription ioc process File created C:\Windows\Registration\CRMLog\lsass.exe 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Windows\Registration\CRMLog\6203df4a6bafc7 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Windows\Downloaded Program Files\dwm.exe 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Windows\Downloaded Program Files\6cb0b6c459d5d3 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe File created C:\Windows\diagnostics\system\Device\taskhost.exe 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2304 schtasks.exe 2776 schtasks.exe 1672 schtasks.exe 692 schtasks.exe 2084 schtasks.exe 2568 schtasks.exe 2604 schtasks.exe 1968 schtasks.exe 1308 schtasks.exe 1592 schtasks.exe 1036 schtasks.exe 2308 schtasks.exe 1816 schtasks.exe 1088 schtasks.exe 1984 schtasks.exe 1032 schtasks.exe 1632 schtasks.exe 1224 schtasks.exe 2344 schtasks.exe 1856 schtasks.exe 3044 schtasks.exe 2508 schtasks.exe 1312 schtasks.exe 1644 schtasks.exe 1100 schtasks.exe 1812 schtasks.exe 572 schtasks.exe 2932 schtasks.exe 2864 schtasks.exe 960 schtasks.exe 904 schtasks.exe 2688 schtasks.exe 1432 schtasks.exe 1908 schtasks.exe 2288 schtasks.exe 2428 schtasks.exe 2996 schtasks.exe 316 schtasks.exe 2480 schtasks.exe 2612 schtasks.exe 2672 schtasks.exe 2852 schtasks.exe 2960 schtasks.exe 1528 schtasks.exe 2092 schtasks.exe 2064 schtasks.exe 1048 schtasks.exe 2724 schtasks.exe 2436 schtasks.exe 2388 schtasks.exe 1304 schtasks.exe 1240 schtasks.exe 1376 schtasks.exe 2732 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exelsm.exepid process 2944 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe 2944 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe 2944 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe 2956 lsm.exe 2956 lsm.exe 2956 lsm.exe 2956 lsm.exe 2956 lsm.exe 2956 lsm.exe 2956 lsm.exe 2956 lsm.exe 2956 lsm.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
lsm.exepid process 2956 lsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exelsm.exedescription pid process Token: SeDebugPrivilege 2944 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe Token: SeDebugPrivilege 2956 lsm.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.execmd.exedescription pid process target process PID 2944 wrote to memory of 2004 2944 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe cmd.exe PID 2944 wrote to memory of 2004 2944 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe cmd.exe PID 2944 wrote to memory of 2004 2944 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe cmd.exe PID 2004 wrote to memory of 2420 2004 cmd.exe w32tm.exe PID 2004 wrote to memory of 2420 2004 cmd.exe w32tm.exe PID 2004 wrote to memory of 2420 2004 cmd.exe w32tm.exe PID 2004 wrote to memory of 2956 2004 cmd.exe lsm.exe PID 2004 wrote to memory of 2956 2004 cmd.exe lsm.exe PID 2004 wrote to memory of 2956 2004 cmd.exe lsm.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe"C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YEA7wgkB3K.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2420
-
C:\Users\Public\Desktop\lsm.exe"C:\Users\Public\Desktop\lsm.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924" /sc ONLOGON /tr "'C:\Users\Default\Videos\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Vault\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Vault\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Vault\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Templates\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
196B
MD525605db4dc3fffef2cd62eb9f11892bb
SHA1b46eb670e9fe78e70a95e06119500e4b2eb59a47
SHA256ba938e898bb081145ddca44f44ddd18af46921fc9b450c140a863825df16fc73
SHA5126d562b18b82970e05472a1e1db60586c40538c9b84c501b3907e7bdbe0ed739250acfb134d54a90e53a641672c62a5d21f0a3117701b5fcab6be36df969bb83b
-
Filesize
827KB
MD53a1b3746d26413c8668fb533ab612284
SHA1875d159c892558473519f947c0421672717f7e2c
SHA2560d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924
SHA51226f20ae889e6a327d6cd710082c0a2ccf4e94a6cc90bd8b3916f7b28a00e7f7c23448c7dfc817242b48e80468779b815133db64a7a4b7b77dc8729a940e5a8fe