Analysis
max time kernel: 138s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 23:05
Behavioral task: behavioral1
  Sample: 77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
  Resource: win10v2004-20240508-en
General
Target: 77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
Size: 1.1MB
MD5: ab175c425a64e74883b16ab9084d39c0
SHA1: 347e1e8bcf7099ed2c4ffe0eebbc3d0f18e34683
SHA256: 77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1
SHA512: f29c0ac1f10a85ec9ce73e3e262358fa7770de1176a75b44ecd198b221057e0d03527dacdddc2f666a33d47b1fe7d6aba238f1f82f669f2bcc05dfa285831707
SSDEEP: 24576:d2G/nvxW3W+tZ1bmDMmrZGTQuUHXVO9nAJT4qxn:dbA3fZ1bmBZQQ5VVl
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process (33 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target: 2720 (wmiprvse.exe)
  process: schtasks.exe (33 instances)
  pid: 2588, 1916, 2712, 2728, 2440, 2500, 3068, 2992, 2656, 2968, 3008, 3040, 2604, 2768, 1560, 2804, 2488, 2528, 2680, 2828, 1732, 1512, 1528, 840, 1240, 1868, 2384, 2916, 1684, 1996, 400, 776, 1380
Processes:
  resource                                                                       yara_rule
  C:\MschainWinMonitor\bridgeComsession.exe                                      dcrat
  behavioral1/memory/2532-13-0x0000000000390000-0x0000000000466000-memory.dmp   dcrat
  behavioral1/memory/956-43-0x0000000001180000-0x0000000001256000-memory.dmp    dcrat
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2532  bridgeComsession.exe
  956   smss.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2040  cmd.exe
  2040  cmd.exe
Drops file in Program Files directory (3 IoCs)
Processes:
  description                   ioc                                                                    process
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\5940a34987c991   bridgeComsession.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe      bridgeComsession.exe
  File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe      bridgeComsession.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                                   process
  File created  C:\Windows\debug\WIA\lsass.exe        bridgeComsession.exe
  File created  C:\Windows\debug\WIA\6203df4a6bafc7   bridgeComsession.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 33 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  process: schtasks.exe (33 instances)
  pid: 2768, 2804, 2680, 1512, 2712, 2488, 1684, 1380, 2968, 2384, 400, 2728, 2528, 1732, 1868, 1916, 3040, 1560, 840, 3068, 3008, 776, 1996, 2588, 2992, 2656, 1240, 2916, 2440, 2500, 2604, 2828, 1528
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid   process               occurrences
  2532  bridgeComsession.exe  3
  956   smss.exe              9
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  956   smss.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2532  bridgeComsession.exe
  Token: SeDebugPrivilege   956   smss.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description                         pid   process                                                                 target process         occurrences
  PID 1812 wrote to memory of 2508    1812  77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe   WScript.exe            4
  PID 2508 wrote to memory of 2040    2508  WScript.exe                                                             cmd.exe                4
  PID 2040 wrote to memory of 2532    2040  cmd.exe                                                                 bridgeComsession.exe   4
  PID 2532 wrote to memory of 2080    2532  bridgeComsession.exe                                                    cmd.exe                3
  PID 2080 wrote to memory of 1084    2080  cmd.exe                                                                 w32tm.exe              3
  PID 2080 wrote to memory of 956     2080  cmd.exe                                                                 smss.exe               3
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The number in front of each entry is its depth in the process tree.)

1  C:\Users\Admin\AppData\Local\Temp\77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
   command: "C:\Users\Admin\AppData\Local\Temp\77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1812
  2  C:\Windows\SysWOW64\WScript.exe
     command: "C:\Windows\System32\WScript.exe" "C:\MschainWinMonitor\wNtcXu4nRlXtRhLUT8BLaW.vbe"
     - Suspicious use of WriteProcessMemory
     PID: 2508
    3  C:\Windows\SysWOW64\cmd.exe
       command: cmd /c ""C:\MschainWinMonitor\eJgYKVcrvPR70qXlHyqbm5zJ.bat" "
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
       PID: 2040
      4  C:\MschainWinMonitor\bridgeComsession.exe
         command: "C:\MschainWinMonitor\bridgeComsession.exe"
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 2532
        5  C:\Windows\System32\cmd.exe
           command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NPCLYSWDin.bat"
           - Suspicious use of WriteProcessMemory
           PID: 2080
          6  C:\Windows\system32\w32tm.exe
             command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
             PID: 1084
          6  C:\MschainWinMonitor\smss.exe
             command: "C:\MschainWinMonitor\smss.exe"
             - Executes dropped EXE
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious behavior: GetForegroundWindowSpam
             - Suspicious use of AdjustPrivilegeToken
             PID: 956

1  C:\Windows\system32\schtasks.exe (33 instances, all at depth 1)
   Each instance carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".
   PID   command
   2588  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /f
   2712  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
   1916  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
   2728  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MschainWinMonitor\csrss.exe'" /f
   2440  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MschainWinMonitor\csrss.exe'" /rl HIGHEST /f
   2500  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MschainWinMonitor\csrss.exe'" /rl HIGHEST /f
   3068  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MschainWinMonitor\smss.exe'" /f
   2992  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MschainWinMonitor\smss.exe'" /rl HIGHEST /f
   2656  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MschainWinMonitor\smss.exe'" /rl HIGHEST /f
   2968  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\taskhost.exe'" /f
   3008  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\taskhost.exe'" /rl HIGHEST /f
   3040  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\taskhost.exe'" /rl HIGHEST /f
   2604  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhost.exe'" /f
   2768  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
   1560  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
   2804  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\cmd.exe'" /f
   2488  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Libraries\cmd.exe'" /rl HIGHEST /f
   2528  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\cmd.exe'" /rl HIGHEST /f
   2680  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /f
   2828  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
   1732  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
   1512  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
   1528  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
   840   schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
   1240  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\lsass.exe'" /f
   1868  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\debug\WIA\lsass.exe'" /rl HIGHEST /f
   2384  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\WIA\lsass.exe'" /rl HIGHEST /f
   2916  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\cmd.exe'" /f
   1684  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\cmd.exe'" /rl HIGHEST /f
   1996  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\cmd.exe'" /rl HIGHEST /f
   776   schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f
   400   schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
   1380  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\MschainWinMonitor\bridgeComsession.exe
  Filesize: 827KB
  MD5: ff83ff5839ae20a389ef45e3be78efd4
  SHA1: 9259010c8bc32b34545476b7b8b5a67b4e9a4da4
  SHA256: 186b894f3ae5d6c86ca5ac16b2c02485b25688bbac081e4a436cc9129a2e4f9f
  SHA512: eb487aaf5af2192726bbefdb91edf743b7b5c6df9a8f148ab89f743027d3232b7a8ea51b0b1c4fea5749140278e7256972e0944d3b88ad1bb50c7849a3d901b0

C:\MschainWinMonitor\eJgYKVcrvPR70qXlHyqbm5zJ.bat
  Filesize: 43B
  MD5: cb15e7204a07edb961ac68a2e13b008c
  SHA1: f59a6ce012c334ba811e594c5ba51185f5ff3d5a
  SHA256: f560bf9e927a6c5c143fb814f2aa00b57cbf64f2ce54e93a91e17e153da6d05a
  SHA512: 6a2920f78fc28d40f5e0d968d72c95ffadc0b90f05457615ed99a989e163c312c0cf20116d2ffd3138f9810feb76eb0d4d0c00ce5c089707e40063f5e11bd6ea

C:\MschainWinMonitor\wNtcXu4nRlXtRhLUT8BLaW.vbe
  Filesize: 218B
  MD5: 591c2ae870b1bfdfa49c2e067da6e374
  SHA1: 42c56374c315095a7fc1259ba7794083f878310b
  SHA256: 0801892b154f7f95d3ce33f3da165a0ba1e842ad669b5ea8db795b790ac0d069
  SHA512: 85e364bf50e00e4faf09b2c3d202f1f244da5cec13d3664389eb8c6cf16048b5070e296ba57facdae24a3f075c85c790fd77ec9eeb5fddcc2d1e6a3f1198fab0

C:\Users\Admin\AppData\Local\Temp\NPCLYSWDin.bat
  Filesize: 194B
  MD5: fe28a1f9b4455572b95386899de10b4e
  SHA1: e3bc7f78a840b9c55833b338265dafe5941e39cc
  SHA256: a65e5542e967df82966f1d2ca067e7f665b7ff098ddd9f4b860743e358b19529
  SHA512: 2bfd7c3264cc991889b39519e8ad08e6480e28dd2d553858a029f0a67bf6cb1e1c5edb0c941d5fed550be7623379b1bd880e724abb9ee12d561f62ac57a197b1

memory/956-43-0x0000000001180000-0x0000000001256000-memory.dmp
  Filesize: 856KB

memory/2532-13-0x0000000000390000-0x0000000000466000-memory.dmp
  Filesize: 856KB