Analysis
-
max time kernel
121s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 00:26
Behavioral task
behavioral1
Sample
105e56a8f722fc60cb17281dc8a0d073.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
105e56a8f722fc60cb17281dc8a0d073.exe
Resource
win10v2004-20240508-en
General
-
Target
105e56a8f722fc60cb17281dc8a0d073.exe
-
Size
1.1MB
-
MD5
105e56a8f722fc60cb17281dc8a0d073
-
SHA1
85bcb8e6b6c83f2a64260ae3ad2386b7e4aa0434
-
SHA256
9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab
-
SHA512
6b4fd698cb80400d610629b0390314de0d06067d3648ba893a1fed5198bb6f0194e52685d95c7f0afc79eace95188668dcc05f4c6f19b89ee6ca05ca6d2b1172
-
SSDEEP
24576:U2G/nvxW3Ww0txUX597x0D6TmBqndcQ71Ee:UbA30GPWD6BNd
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2464 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2068 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1664 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1620 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1456 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1360 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 880 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1788 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2120 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 496 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2744 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1776 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1264 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2060 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2304 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2212 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2180 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 536 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 768 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 376 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 972 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 600 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 948 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1204 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1904 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1548 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 316 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 904 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 572 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1252 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 884 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 2460 schtasks.exe -
Processes:
resource yara_rule \winDhcp\browserhostnet.exe dcrat behavioral1/memory/2584-13-0x0000000000150000-0x0000000000226000-memory.dmp dcrat behavioral1/memory/1632-56-0x0000000001180000-0x0000000001256000-memory.dmp dcrat -
Executes dropped EXE 2 IoCs
Processes:
browserhostnet.exespoolsv.exepid process 2584 browserhostnet.exe 1632 spoolsv.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2660 cmd.exe 2660 cmd.exe -
Drops file in Program Files directory 4 IoCs
Processes:
browserhostnet.exedescription ioc process File created C:\Program Files (x86)\Windows Portable Devices\cmd.exe browserhostnet.exe File created C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d browserhostnet.exe File created C:\Program Files\Uninstall Information\lsass.exe browserhostnet.exe File created C:\Program Files\Uninstall Information\6203df4a6bafc7 browserhostnet.exe -
Drops file in Windows directory 10 IoCs
Processes:
browserhostnet.exedescription ioc process File created C:\Windows\Migration\WTR\lsm.exe browserhostnet.exe File created C:\Windows\Offline Web Pages\taskhost.exe browserhostnet.exe File created C:\Windows\Offline Web Pages\b75386f1303e64 browserhostnet.exe File created C:\Windows\security\templates\f3b6ecef712a24 browserhostnet.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\6203df4a6bafc7 browserhostnet.exe File created C:\Windows\Migration\WTR\101b941d020240 browserhostnet.exe File created C:\Windows\security\templates\spoolsv.exe browserhostnet.exe File created C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\lsm.exe browserhostnet.exe File created C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\101b941d020240 browserhostnet.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\lsass.exe browserhostnet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2936 schtasks.exe 1264 schtasks.exe 2956 schtasks.exe 3016 schtasks.exe 316 schtasks.exe 904 schtasks.exe 2692 schtasks.exe 2404 schtasks.exe 1904 schtasks.exe 2124 schtasks.exe 2740 schtasks.exe 1204 schtasks.exe 2960 schtasks.exe 572 schtasks.exe 1512 schtasks.exe 2180 schtasks.exe 2768 schtasks.exe 2216 schtasks.exe 1620 schtasks.exe 1456 schtasks.exe 880 schtasks.exe 1788 schtasks.exe 2800 schtasks.exe 536 schtasks.exe 972 schtasks.exe 948 schtasks.exe 2120 schtasks.exe 376 schtasks.exe 1548 schtasks.exe 1736 schtasks.exe 2856 schtasks.exe 2716 schtasks.exe 2212 schtasks.exe 2880 schtasks.exe 1916 schtasks.exe 2464 schtasks.exe 1360 schtasks.exe 2304 schtasks.exe 1476 schtasks.exe 1252 schtasks.exe 496 schtasks.exe 2744 schtasks.exe 1776 schtasks.exe 2060 schtasks.exe 2728 schtasks.exe 2036 schtasks.exe 600 schtasks.exe 884 schtasks.exe 2068 schtasks.exe 768 schtasks.exe 1664 schtasks.exe 2752 schtasks.exe 2356 schtasks.exe 1808 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
browserhostnet.exespoolsv.exepid process 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 2584 browserhostnet.exe 1632 spoolsv.exe 1632 spoolsv.exe 1632 spoolsv.exe 1632 spoolsv.exe 1632 spoolsv.exe 1632 spoolsv.exe 1632 spoolsv.exe 1632 spoolsv.exe 1632 spoolsv.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
spoolsv.exepid process 1632 spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
browserhostnet.exespoolsv.exedescription pid process Token: SeDebugPrivilege 2584 browserhostnet.exe Token: SeDebugPrivilege 1632 spoolsv.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
105e56a8f722fc60cb17281dc8a0d073.exeWScript.execmd.exebrowserhostnet.exedescription pid process target process PID 1636 wrote to memory of 2764 1636 105e56a8f722fc60cb17281dc8a0d073.exe WScript.exe PID 1636 wrote to memory of 2764 1636 105e56a8f722fc60cb17281dc8a0d073.exe WScript.exe PID 1636 wrote to memory of 2764 1636 105e56a8f722fc60cb17281dc8a0d073.exe WScript.exe PID 1636 wrote to memory of 2764 1636 105e56a8f722fc60cb17281dc8a0d073.exe WScript.exe PID 2764 wrote to memory of 2660 2764 WScript.exe cmd.exe PID 2764 wrote to memory of 2660 2764 WScript.exe cmd.exe PID 2764 wrote to memory of 2660 2764 WScript.exe cmd.exe PID 2764 wrote to memory of 2660 2764 WScript.exe cmd.exe PID 2660 wrote to memory of 2584 2660 cmd.exe browserhostnet.exe PID 2660 wrote to memory of 2584 2660 cmd.exe browserhostnet.exe PID 2660 wrote to memory of 2584 2660 cmd.exe browserhostnet.exe PID 2660 wrote to memory of 2584 2660 cmd.exe browserhostnet.exe PID 2584 wrote to memory of 1632 2584 browserhostnet.exe spoolsv.exe PID 2584 wrote to memory of 1632 2584 browserhostnet.exe spoolsv.exe PID 2584 wrote to memory of 1632 2584 browserhostnet.exe spoolsv.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\105e56a8f722fc60cb17281dc8a0d073.exe"C:\Users\Admin\AppData\Local\Temp\105e56a8f722fc60cb17281dc8a0d073.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\winDhcp\DyOE67CiXFDK4.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\winDhcp\QlWrCKPitO3EBDJkoooUbfBub6XAu.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\winDhcp\browserhostnet.exe"C:\winDhcp\browserhostnet.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\security\templates\spoolsv.exe"C:\Windows\security\templates\spoolsv.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\winDhcp\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\winDhcp\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\winDhcp\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\security\templates\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\security\templates\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\security\templates\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\winDhcp\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\winDhcp\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\winDhcp\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\winDhcp\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\winDhcp\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\winDhcp\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\winDhcp\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\winDhcp\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\winDhcp\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\winDhcp\DyOE67CiXFDK4.vbeFilesize
213B
MD5a6895e1baccdda4b4f131a5d6b29884a
SHA15e53063494d49c65bb3f940edf030462a9646b0b
SHA2567218700f0f012caf18a92e2f012d56b3f1241414d11bb38d69e0633a33d80ff9
SHA512439eff2b5e330a534d582501053290dcf7a44f4de685cacb8b7a6b91bd76a59f044208f1e7eca52f857fe18a8c93441c0d4a62495a30b308035c6edce1b7e8a1
-
C:\winDhcp\QlWrCKPitO3EBDJkoooUbfBub6XAu.batFilesize
31B
MD50783953e91c834463a8af6965b8a6e82
SHA166d1c6db94b36f6112e393e33ae94f4b963f1b31
SHA256f1abb9924b1d91414efe342d4b3a2b7e9e49aaaeef4300f5f3a0cda9e7ad853d
SHA5120054fc1f4dbdc09ba5137d5b581d9da43878c23efb1ae888b71fbde8e28c09f9c39728423697dd5479063050fd5819c251856bb6b58155e9e8de99d8ee67165a
-
\winDhcp\browserhostnet.exeFilesize
827KB
MD568491d301f2370e9484c90a4ca8c458a
SHA157a7952959c07c419a2204939c1da301f6a47030
SHA256b92fd00e3af0abf5d62269056cf1a43e7da0efbf70467070ad2923bf41554c97
SHA5123e1f8e620ce892d222a624fe5a3d791e58ae5a3ac5048639854a5021099844feda6a32109ca78666690113014eea3c29821b955d462db73cd9c1807e2e815558
-
memory/1632-56-0x0000000001180000-0x0000000001256000-memory.dmpFilesize
856KB
-
memory/2584-13-0x0000000000150000-0x0000000000226000-memory.dmpFilesize
856KB