Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 00:06
Behavioral task
behavioral1
Sample
LegacyPhasmo/LegacyPhasmo.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
LegacyPhasmo/LegacyPhasmo.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
LegacyPhasmo/start.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
LegacyPhasmo/start.exe
Resource
win10v2004-20240426-en
General
-
Target
LegacyPhasmo/start.exe
-
Size
1.1MB
-
MD5
7002fdc4d02a4ed4a5a6f56bc40efcef
-
SHA1
cef5ea6d5507392e4fd5cb9511160f4882b4d8b8
-
SHA256
6fddd93899ba0f1de262aa86d1e7f4ed3df8b29e9d2b9679d42b5a81addea6f4
-
SHA512
d5859012071a604563d96c8cffb9a5f12ae5a085b0160d3e90de140bd50c752d97287c1810140d72bf2404880fecd8332a458005e5e8052f5ad74cf11f12a538
-
SSDEEP
24576:U2G/nvxW3Ww0t6eSgFX3x5aC6FRMzpC6nHZW/n:UbA306e9FTtYeP0P
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1400 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3224 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3344 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3976 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3140 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4636 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4440 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2808 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4420 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1440 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5116 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5060 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1268 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1108 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 616 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4144 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 512 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4908 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4108 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4224 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2340 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3060 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2652 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 880 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3716 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3240 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3408 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4560 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3616 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3396 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2380 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4152 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1980 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1856 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2168 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 468 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4288 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3380 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4220 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4344 4544 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4324 4544 schtasks.exe 91 -
resource yara_rule behavioral4/files/0x00070000000233fa-10.dat dcrat behavioral4/memory/1652-13-0x0000000000AC0000-0x0000000000B96000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation start.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation reviewMonitor.exe -
Executes dropped EXE 2 IoCs
pid Process 1652 reviewMonitor.exe 396 services.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe reviewMonitor.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\66fc9ff0ee96c2 reviewMonitor.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\AppReadiness\csrss.exe reviewMonitor.exe File created C:\Windows\AppReadiness\886983d96e3d3e reviewMonitor.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4144 schtasks.exe 4344 schtasks.exe 4152 schtasks.exe 1856 schtasks.exe 3224 schtasks.exe 3616 schtasks.exe 4440 schtasks.exe 2856 schtasks.exe 4324 schtasks.exe 3344 schtasks.exe 3408 schtasks.exe 3976 schtasks.exe 1268 schtasks.exe 2340 schtasks.exe 3060 schtasks.exe 3716 schtasks.exe 3380 schtasks.exe 2956 schtasks.exe 5116 schtasks.exe 1636 schtasks.exe 4420 schtasks.exe 1400 schtasks.exe 3240 schtasks.exe 3140 schtasks.exe 512 schtasks.exe 2024 schtasks.exe 4224 schtasks.exe 2652 schtasks.exe 468 schtasks.exe 4220 schtasks.exe 2020 schtasks.exe 4108 schtasks.exe 1980 schtasks.exe 4492 schtasks.exe 4636 schtasks.exe 2808 schtasks.exe 2380 schtasks.exe 4288 schtasks.exe 1440 schtasks.exe 1108 schtasks.exe 5060 schtasks.exe 616 schtasks.exe 4908 schtasks.exe 1968 schtasks.exe 2168 schtasks.exe 1976 schtasks.exe 2484 schtasks.exe 880 schtasks.exe 4560 schtasks.exe 3396 schtasks.exe 2572 schtasks.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings start.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 1652 reviewMonitor.exe 1652 reviewMonitor.exe 1652 reviewMonitor.exe 1652 reviewMonitor.exe 1652 reviewMonitor.exe 1652 reviewMonitor.exe 1652 reviewMonitor.exe 1652 reviewMonitor.exe 1652 reviewMonitor.exe 396 services.exe 396 services.exe 396 services.exe 396 services.exe 396 services.exe 396 services.exe 396 services.exe 396 services.exe 396 services.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 396 services.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1652 reviewMonitor.exe Token: SeDebugPrivilege 396 services.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 5052 wrote to memory of 940 5052 start.exe 82 PID 5052 wrote to memory of 940 5052 start.exe 82 PID 5052 wrote to memory of 940 5052 start.exe 82 PID 940 wrote to memory of 2160 940 WScript.exe 86 PID 940 wrote to memory of 2160 940 WScript.exe 86 PID 940 wrote to memory of 2160 940 WScript.exe 86 PID 2160 wrote to memory of 1652 2160 cmd.exe 88 PID 2160 wrote to memory of 1652 2160 cmd.exe 88 PID 1652 wrote to memory of 396 1652 reviewMonitor.exe 144 PID 1652 wrote to memory of 396 1652 reviewMonitor.exe 144 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\LegacyPhasmo\start.exe"C:\Users\Admin\AppData\Local\Temp\LegacyPhasmo\start.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\MshyperHostmonitordhcp\0DcM5JqD9S9f9.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\MshyperHostmonitordhcp\MgkA4hhn0q04GXYwCcIaXFzSS.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\MshyperHostmonitordhcp\reviewMonitor.exe"C:\MshyperHostmonitordhcp\reviewMonitor.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\MshyperHostmonitordhcp\services.exe"C:\MshyperHostmonitordhcp\services.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\MshyperHostmonitordhcp\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\MshyperHostmonitordhcp\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\MshyperHostmonitordhcp\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\MshyperHostmonitordhcp\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\MshyperHostmonitordhcp\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\MshyperHostmonitordhcp\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\AppReadiness\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppReadiness\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MshyperHostmonitordhcp\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MshyperHostmonitordhcp\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MshyperHostmonitordhcp\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Links\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Links\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\MshyperHostmonitordhcp\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\MshyperHostmonitordhcp\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\MshyperHostmonitordhcp\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Cookies\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\MshyperHostmonitordhcp\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\MshyperHostmonitordhcp\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\MshyperHostmonitordhcp\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Desktop\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
224B
MD5d2b97d2aae9482940374f468a574d6a0
SHA1db0b075661a48ce48889d72331bf6f8dc2678156
SHA2567a33058c1663d4917294bc87987b53f98fe9dd03ba8be69f288cafa74ece40bf
SHA5124c17782d77ec02197c012668baaf297df10f8003f512d994343fefff5f9b86be1ecbd6ae8d652a14fb7ae0ccec53d0f5e9ecf40fa0ffa629b190967160502bfa
-
Filesize
45B
MD550ac67118e356521f6739fb631a1bbbe
SHA168671a07d7a39463726b43c2d53ef535989cccaf
SHA2569373ac51e6c5e168c642e48912b314dd69b2b6a47b401e1741ba992ebc06c4df
SHA51240728b08c37095b39cd4bf67048de5c71f5400433321e37dc4fbc98d77435a960b80734347c25e136b1251324bf7b2b71df7cddb4abc3f213a7113d006996883
-
Filesize
827KB
MD5452f976724291ddcd7fc0d12ff1dc544
SHA1add1cdb2396b67fa42961ee07d91d7a45bad915a
SHA2560285686187df5c5ddfda90a068b02a00eb2ce4fea21ea7adef2e07021707ae7d
SHA5122b637ec0bf44fe2dbd3fe7801413e81cb102eff09fa51c20258fec72c13de8e966ea11db8e0603f54747c18142a0a9a2ccd258cefe25cc32a33931d9da5a6ed3