Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 22:33
Behavioral task: behavioral1
- Sample: 1e55e82940a34f0347e2ec84674cb6c0N.exe
- Resource: win7-20240704-en
General
- Target: 1e55e82940a34f0347e2ec84674cb6c0N.exe
- Size: 2.4MB
- MD5: 1e55e82940a34f0347e2ec84674cb6c0
- SHA1: 49a82cd8c8a3f020b6dbe9f9a4c409e16b0bbe33
- SHA256: 8695345472b86220ef4154c2c8f86e301569b082238c84aeff34dea0c5c204e3
- SHA512: ce004fa9917044abf01664806301fe84c090e7ebd2e5378b95ecc92b8de37587d411384c54598c515046b93d0f6547c2030d0946b62213ad59e8c2986cb63634
- SSDEEP: 49152:+bA3xoX3ciWYFZGNtz4QG+evJ692QNMkY/ZXZqqhRfgAlWzRA:+b6CFczzmDv892QNBYRXZqqhxg5RA
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process (27 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target: 2124
  process: schtasks.exe (one instance per pid below, 27 in total)
  pid: 2140, 2664, 2892, 1844, 2308, 1840, 1244, 2828, 3020, 2756, 1624, 2948, 1748, 2384, 1160, 2232, 2392, 2064, 2180, 324, 2492, 2044, 1892, 960, 2528, 2036, 860
- Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chainInto.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | chainInto.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | chainInto.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
- Processes:
  resource | yara_rule
  \containerreviewCrtMonitordll\chainInto.exe | dcrat
  behavioral1/memory/1956-13-0x0000000000290000-0x00000000004AA000-memory.dmp | dcrat
  behavioral1/memory/1668-62-0x0000000000CF0000-0x0000000000F0A000-memory.dmp | dcrat
- Disables Task Manager via registry modification
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  1956 | chainInto.exe
  1668 | csrss.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2840 | cmd.exe
  2840 | cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | chainInto.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chainInto.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Drops file in Program Files directory (6 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Program Files\Windows Portable Devices\101b941d020240 | chainInto.exe
  File created | C:\Program Files (x86)\Adobe\csrss.exe | chainInto.exe
  File created | C:\Program Files (x86)\Adobe\886983d96e3d3e | chainInto.exe
  File created | C:\Program Files (x86)\Microsoft Office\MEDIA\csrss.exe | chainInto.exe
  File created | C:\Program Files (x86)\Microsoft Office\MEDIA\886983d96e3d3e | chainInto.exe
  File created | C:\Program Files\Windows Portable Devices\lsm.exe | chainInto.exe
- Drops file in Windows directory (4 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\Performance\WinSAT\DataStore\csrss.exe | chainInto.exe
  File created | C:\Windows\Performance\WinSAT\DataStore\886983d96e3d3e | chainInto.exe
  File created | C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe | chainInto.exe
  File created | C:\Windows\Performance\WinSAT\DataStore\24dbde2999530e | chainInto.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 1 IoCs)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 27 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  process: schtasks.exe (one instance per pid below, 27 in total)
  pid: 1748, 2384, 2064, 2180, 2308, 2492, 324, 1892, 2528, 2036, 2892, 3020, 1624, 960, 860, 2664, 1840, 2828, 1244, 2756, 2140, 1844, 2948, 2232, 1160, 2392, 2044
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process | entries
  1956 | chainInto.exe | 9
  1668 | csrss.exe | 55
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1956 | chainInto.exe
  Token: SeDebugPrivilege | 1668 | csrss.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes:
  description | pid | process | target process | entries
  PID 2924 wrote to memory of 2684 | 2924 | 1e55e82940a34f0347e2ec84674cb6c0N.exe | WScript.exe | 4
  PID 2684 wrote to memory of 2840 | 2684 | WScript.exe | cmd.exe | 4
  PID 2840 wrote to memory of 1956 | 2840 | cmd.exe | chainInto.exe | 4
  PID 1956 wrote to memory of 2440 | 1956 | chainInto.exe | cmd.exe | 3
  PID 2440 wrote to memory of 2268 | 2440 | cmd.exe | w32tm.exe | 3
  PID 2840 wrote to memory of 2216 | 2840 | cmd.exe | reg.exe | 4
  PID 2440 wrote to memory of 1668 | 2440 | cmd.exe | csrss.exe | 3
  PID 1668 wrote to memory of 1004 | 1668 | csrss.exe | WScript.exe | 3
  PID 1668 wrote to memory of 1436 | 1668 | csrss.exe | WScript.exe | 3
- System policy modification (1 TTPs, 6 IoCs)
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chainInto.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | chainInto.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | chainInto.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree)
- C:\Users\Admin\AppData\Local\Temp\1e55e82940a34f0347e2ec84674cb6c0N.exe (PID 2924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e55e82940a34f0347e2ec84674cb6c0N.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2684)
    Command line: "C:\Windows\System32\WScript.exe" "C:\containerreviewCrtMonitordll\QvTRwOydF6PvsPSbsHoz.vbe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2840)
      Command line: cmd /c ""C:\containerreviewCrtMonitordll\1Tl2sJLOUZoaFKUtUGyztdW5bQFfO.bat" "
      Signatures: Loads dropped DLL, Suspicious use of WriteProcessMemory
      - C:\containerreviewCrtMonitordll\chainInto.exe (PID 1956)
        Command line: "C:\containerreviewCrtMonitordll\chainInto.exe"
        Signatures: UAC bypass, Executes dropped EXE, Checks whether UAC is enabled, Drops file in Program Files directory, Drops file in Windows directory, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory, System policy modification
        - C:\Windows\System32\cmd.exe (PID 2440)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5NT8uJA6yK.bat"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\w32tm.exe (PID 2268)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          - C:\Windows\Performance\WinSAT\DataStore\csrss.exe (PID 1668)
            Command line: "C:\Windows\Performance\WinSAT\DataStore\csrss.exe"
            Signatures: UAC bypass, Executes dropped EXE, Checks whether UAC is enabled, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory, System policy modification
            - C:\Windows\System32\WScript.exe (PID 1004)
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2841f8e0-f4ea-4e42-9733-b6c9f8206f15.vbs"
            - C:\Windows\System32\WScript.exe (PID 1436)
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16df5f87-6d2e-40bd-b991-aded0b5b7ff1.vbs"
      - C:\Windows\SysWOW64\reg.exe (PID 2216)
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        Signatures: Modifies registry key
- C:\Windows\system32\schtasks.exe (PID 2140)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2664)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2892)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1844)
  Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\Search\Data\Applications\OSPPSVC.exe'" /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2308)
  Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Search\Data\Applications\OSPPSVC.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1840)
  Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\Search\Data\Applications\OSPPSVC.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1244)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\containerreviewCrtMonitordll\spoolsv.exe'" /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2828)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\containerreviewCrtMonitordll\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 3020)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\containerreviewCrtMonitordll\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2756)
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1624)
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2948)
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1748)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2384)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1160)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2232)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2392)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2064)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2180)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\csrss.exe'" /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 324)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2492)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2044)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1892)
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 960)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2528)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe'" /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2036)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 860)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 2848)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads