Analysis
max time kernel: 125s
max time network: 145s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 02:37

Behavioral task: behavioral1
Sample: 4b501fa87e3f05f21f0e85ed63f0deb4.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 4b501fa87e3f05f21f0e85ed63f0deb4.exe
Resource: win10v2004-20240426-en

General
Target: 4b501fa87e3f05f21f0e85ed63f0deb4.exe
Size: 1.2MB
MD5: 4b501fa87e3f05f21f0e85ed63f0deb4
SHA1: ab1f15913d82d926441805a9cd847353836a7816
SHA256: a083297276d53c1ea773b6a44715daa36259a8a9efcbc9c18818903c25663847
SHA512: 3e364b17ed3bc9c4b9a696ae30ef2ee001a1012c8e51c35da41234c1127b6998e81b668078aaf99ea12cbdd4ab5e29ec2ea63f1efec4b4c41c19cdd46c515de8
SSDEEP: 24576:U2G/nvxW3Ww0t7lDVLfVQ8KMYD/KXZfjaV8bGjqHGrFo:UbA307HV7CEZ7HW7K
Malware Config
Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (51 instances)
description | pid | pid_target | target process
Every row reads: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | <pid> | 2520 | schtasks.exe
The 51 pid values, in report order: 2536, 1588, 548, 1320, 1368, 1352, 2680, 2652, 1544, 1596, 748, 1004, 2420, 1548, 2352, 1252, 1512, 1156, 2036, 2560, 2340, 2004, 2200, 2800, 2212, 660, 756, 572, 2228, 552, 2252, 2432, 1204, 2856, 1152, 2948, 860, 1304, 1700, 1508, 1680, 372, 876, 2960, 2996, 2364, 1972, 1900, 2876, 2700, 1672

YARA matches (resource | yara_rule):
\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe | dcrat
behavioral1/memory/2596-13-0x0000000000EC0000-0x0000000000FA8000-memory.dmp | dcrat
behavioral1/memory/2316-57-0x0000000000B10000-0x0000000000BF8000-memory.dmp | dcrat
Executes dropped EXE 2 IoCs
Processes: refCrt.exe, lsm.exe
pid | process
2596 | refCrt.exe
2316 | lsm.exe
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid | process
2724 | cmd.exe
2724 | cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com
Drops file in Program Files directory 13 IoCs
Processes: refCrt.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\101b941d020240 | refCrt.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe | refCrt.exe
File created | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | refCrt.exe
File created | C:\Program Files (x86)\Windows Defender\en-US\f3b6ecef712a24 | refCrt.exe
File created | C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e | refCrt.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe | refCrt.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\10df649f47da76 | refCrt.exe
File created | C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe | refCrt.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\886983d96e3d3e | refCrt.exe
File created | C:\Program Files (x86)\Windows Portable Devices\csrss.exe | refCrt.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\refCrt.exe | refCrt.exe
File opened for modification | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | refCrt.exe
File created | C:\Program Files\Windows Media Player\it-IT\0a1fd5f707cd16 | refCrt.exe
Drops file in Windows directory 3 IoCs
Processes: refCrt.exe
description | ioc | process
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_19328f568d3b4e53\csrss.exe | refCrt.exe
File created | C:\Windows\DigitalLocker\fr-FR\services.exe | refCrt.exe
File created | C:\Windows\DigitalLocker\fr-FR\c5b4cb5e9653cc | refCrt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (51 instances)
pid | process: every row is schtasks.exe; the 51 pid values in report order: 1544, 2560, 2800, 552, 1252, 372, 1672, 548, 1320, 660, 572, 2228, 2432, 1004, 2420, 2856, 1588, 1352, 2004, 1512, 756, 1680, 2960, 1596, 1156, 2212, 1700, 1508, 2364, 2200, 1152, 1972, 1548, 2036, 860, 876, 1368, 2948, 2996, 2680, 2876, 748, 2352, 2340, 1900, 2252, 1204, 2700, 2536, 2652, 1304
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: refCrt.exe, lsm.exe
pid | process
2596 | refCrt.exe (6 events)
2316 | lsm.exe (12 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: lsm.exe
pid | process
2316 | lsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: refCrt.exe, lsm.exe
description | pid | process
Token: SeDebugPrivilege | 2596 | refCrt.exe
Token: SeDebugPrivilege | 2316 | lsm.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 4b501fa87e3f05f21f0e85ed63f0deb4.exe, WScript.exe, cmd.exe, refCrt.exe, cmd.exe
description | pid | process | target process
PID 2296 wrote to memory of 2608 | 2296 | 4b501fa87e3f05f21f0e85ed63f0deb4.exe | WScript.exe (4 events)
PID 2608 wrote to memory of 2724 | 2608 | WScript.exe | cmd.exe (4 events)
PID 2724 wrote to memory of 2596 | 2724 | cmd.exe | refCrt.exe (4 events)
PID 2596 wrote to memory of 1592 | 2596 | refCrt.exe | cmd.exe (3 events)
PID 1592 wrote to memory of 2008 | 1592 | cmd.exe | w32tm.exe (3 events)
PID 1592 wrote to memory of 2316 | 1592 | cmd.exe | lsm.exe (3 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the tree depth in brackets, the image path, the PID, the command line, and the signatures raised by that process.

[1] C:\Users\Admin\AppData\Local\Temp\4b501fa87e3f05f21f0e85ed63f0deb4.exe (PID 2296)
    "C:\Users\Admin\AppData\Local\Temp\4b501fa87e3f05f21f0e85ed63f0deb4.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe (PID 2608)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\blockBroker\dCDa6ALGfvXR9eU7o.vbe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2724)
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\blockBroker\oXLzHTz.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe (PID 2596)
          "C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\cmd.exe (PID 1592)
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u1EJnjMs4F.bat"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\w32tm.exe (PID 2008)
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          [6] C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe (PID 2316)
              "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\schtasks.exe, 51 instances at depth 1. Each one raised the same two signatures:
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    Command lines by PID:
    2536  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /f
    1588  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f
    548   schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f
    1320  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /f
    1368  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
    1352  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
    2680  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\explorer.exe'" /f
    2652  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\explorer.exe'" /rl HIGHEST /f
    1544  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\explorer.exe'" /rl HIGHEST /f
    1596  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
    748   schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
    1004  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
    2420  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe'" /f
    1548  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe'" /rl HIGHEST /f
    2352  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe'" /rl HIGHEST /f
    1252  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\conhost.exe'" /f
    1512  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\conhost.exe'" /rl HIGHEST /f
    1156  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\conhost.exe'" /rl HIGHEST /f
    2036  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
    2560  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    2340  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    2004  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
    2200  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
    2800  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
    2212  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /f
    660   schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
    756   schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
    572   schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\smss.exe'" /f
    2228  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
    552   schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
    2252  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /f
    2432  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
    1204  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
    2856  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /f
    1152  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f
    2948  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f
    860   schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'" /f
    1304  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
    1700  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
    1508  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\conhost.exe'" /f
    1680  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\conhost.exe'" /rl HIGHEST /f
    372   schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\conhost.exe'" /rl HIGHEST /f
    876   schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\fr-FR\services.exe'" /f
    2960  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fr-FR\services.exe'" /rl HIGHEST /f
    2996  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\fr-FR\services.exe'" /rl HIGHEST /f
    2364  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
    1972  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1900  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    2876  schtasks.exe /create /tn "refCrtr" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\refCrt.exe'" /f
    2700  schtasks.exe /create /tn "refCrt" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\refCrt.exe'" /rl HIGHEST /f
    1672  schtasks.exe /create /tn "refCrtr" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\refCrt.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads