Analysis
max time kernel: 101s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2024 17:42
Behavioral task
behavioral1
Sample
f4211bfb02fddddf810c3cc71b249020N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
f4211bfb02fddddf810c3cc71b249020N.exe
Resource
win10v2004-20240709-en
General
Target: f4211bfb02fddddf810c3cc71b249020N.exe
Size: 1.2MB
MD5: f4211bfb02fddddf810c3cc71b249020
SHA1: 02bc37e80ad498cd51a4321053d0feb788918aac
SHA256: 877d472af519397f8e8be5dcf8c756aed03e5ce022e6eba821f107336154ef81
SHA512: 6ccfb122f9ecb5e945e780d95d0cc0b721e624ac2390df2b36314c0e75d6b37ac71e184003405d898e84c9be462e6714555efb8396b91a617cf51740fb717630
SSDEEP: 24576:U2G/nvxW3Ww0tXbOZdy5HL0g3tQ9xWqJE73BS5eR3lS:UbA30XQngo30E
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (42 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (42 instances)

description | pid | pid_target | process
Every one of the 42 rows has the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 5064 and process schtasks.exe; the pid column, in report order, is:
1504, 2420, 4052, 5080, 3888, 2340, 1496, 4564, 964, 1068, 404, 3192, 3288, 3624, 3848, 1600, 4252, 1428, 4104, 4172, 3320, 2552, 856, 3392, 2024, 1540, 3960, 3080, 2300, 3112, 1644, 4916, 4496, 1180, 2856, 3176, 1608, 884, 264, 664, 464, 4328
UAC bypass (6 IoCs)
Processes: sessionbrokerHost.exe, dwm.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sessionbrokerHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sessionbrokerHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sessionbrokerHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Processes: (yara matches)

resource | yara_rule
C:\Chainserverhostnetcommon\sessionbrokerHost.exe | dcrat
behavioral2/memory/2448-13-0x00000000007F0000-0x00000000008DE000-memory.dmp | dcrat
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: f4211bfb02fddddf810c3cc71b249020N.exe, WScript.exe, sessionbrokerHost.exe

description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | f4211bfb02fddddf810c3cc71b249020N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | sessionbrokerHost.exe
Executes dropped EXE (2 IoCs)
Processes: sessionbrokerHost.exe, dwm.exe

pid | process
2448 | sessionbrokerHost.exe
4336 | dwm.exe
Checks whether UAC is enabled (4 IoCs)
Processes: sessionbrokerHost.exe, dwm.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sessionbrokerHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sessionbrokerHost.exe
Drops file in Program Files directory (15 IoCs)
Processes: sessionbrokerHost.exe

description | ioc | process
File created | C:\Program Files\Common Files\DESIGNER\taskhostw.exe | sessionbrokerHost.exe
File created | C:\Program Files (x86)\Windows Portable Devices\121e5b5079f7c0 | sessionbrokerHost.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\f3b6ecef712a24 | sessionbrokerHost.exe
File opened for modification | C:\Program Files\Common Files\DESIGNER\taskhostw.exe | sessionbrokerHost.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe | sessionbrokerHost.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\6cb0b6c459d5d3 | sessionbrokerHost.exe
File created | C:\Program Files\Common Files\DESIGNER\ea9f0e6c9e2dcd | sessionbrokerHost.exe
File created | C:\Program Files\Windows Portable Devices\56085415360792 | sessionbrokerHost.exe
File created | C:\Program Files (x86)\Google\Temp\SppExtComObj.exe | sessionbrokerHost.exe
File created | C:\Program Files (x86)\Google\Temp\e1ef82546f0b02 | sessionbrokerHost.exe
File created | C:\Program Files\Windows Portable Devices\wininit.exe | sessionbrokerHost.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\TrustedInstaller.exe | sessionbrokerHost.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\04c1e7795967e4 | sessionbrokerHost.exe
File created | C:\Program Files (x86)\Windows Portable Devices\sysmon.exe | sessionbrokerHost.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\spoolsv.exe | sessionbrokerHost.exe
Drops file in Windows directory (2 IoCs)
Processes: sessionbrokerHost.exe

description | ioc | process
File created | C:\Windows\RemotePackages\conhost.exe | sessionbrokerHost.exe
File created | C:\Windows\RemotePackages\088424020bedd6 | sessionbrokerHost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
Processes: f4211bfb02fddddf810c3cc71b249020N.exe, sessionbrokerHost.exe

description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | f4211bfb02fddddf810c3cc71b249020N.exe
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | sessionbrokerHost.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 42 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (42 instances)

pid | process
All 42 rows are schtasks.exe; the pids, in report order, are:
1608, 2420, 3624, 1428, 3080, 1644, 3192, 3848, 4916, 4496, 264, 964, 3288, 1600, 1540, 4328, 2340, 1496, 4564, 3112, 2856, 664, 5080, 3320, 3392, 2024, 3960, 3888, 4172, 2552, 464, 1068, 404, 856, 2300, 3176, 884, 1504, 4052, 4252, 4104, 1180
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes: sessionbrokerHost.exe, dwm.exe

pid | process
2448 | sessionbrokerHost.exe (25 entries)
4336 | dwm.exe (9 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: sessionbrokerHost.exe, dwm.exe

description | pid | process
Token: SeDebugPrivilege | 2448 | sessionbrokerHost.exe
Token: SeDebugPrivilege | 4336 | dwm.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: f4211bfb02fddddf810c3cc71b249020N.exe, WScript.exe, cmd.exe, sessionbrokerHost.exe, cmd.exe

description | pid | process | target process
PID 4028 wrote to memory of 4860 | 4028 | f4211bfb02fddddf810c3cc71b249020N.exe | WScript.exe
PID 4028 wrote to memory of 4860 | 4028 | f4211bfb02fddddf810c3cc71b249020N.exe | WScript.exe
PID 4028 wrote to memory of 4860 | 4028 | f4211bfb02fddddf810c3cc71b249020N.exe | WScript.exe
PID 4860 wrote to memory of 1296 | 4860 | WScript.exe | cmd.exe
PID 4860 wrote to memory of 1296 | 4860 | WScript.exe | cmd.exe
PID 4860 wrote to memory of 1296 | 4860 | WScript.exe | cmd.exe
PID 1296 wrote to memory of 2448 | 1296 | cmd.exe | sessionbrokerHost.exe
PID 1296 wrote to memory of 2448 | 1296 | cmd.exe | sessionbrokerHost.exe
PID 2448 wrote to memory of 3516 | 2448 | sessionbrokerHost.exe | cmd.exe
PID 2448 wrote to memory of 3516 | 2448 | sessionbrokerHost.exe | cmd.exe
PID 3516 wrote to memory of 1220 | 3516 | cmd.exe | w32tm.exe
PID 3516 wrote to memory of 1220 | 3516 | cmd.exe | w32tm.exe
PID 3516 wrote to memory of 4336 | 3516 | cmd.exe | dwm.exe
PID 3516 wrote to memory of 4336 | 3516 | cmd.exe | dwm.exe
System policy modification (1 TTPs, 6 IoCs)
Processes: sessionbrokerHost.exe, dwm.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sessionbrokerHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sessionbrokerHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sessionbrokerHost.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth in the tree is given as a number; each entry lists image path, command line, PID and the signatures triggered)

1: C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe"
   PID: 4028
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

  2: C:\Windows\SysWOW64\WScript.exe
     command line: "C:\Windows\System32\WScript.exe" "C:\Chainserverhostnetcommon\YJTOmpNsmC9R7eL.vbe"
     PID: 4860
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory

    3: C:\Windows\SysWOW64\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c ""C:\Chainserverhostnetcommon\xvJlHi5CymWgg0Dp0wux5lJOn26p.bat" "
       PID: 1296
       - Suspicious use of WriteProcessMemory

      4: C:\Chainserverhostnetcommon\sessionbrokerHost.exe
         command line: "C:\Chainserverhostnetcommon\sessionbrokerHost.exe"
         PID: 2448
         - UAC bypass
         - Checks computer location settings
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         - System policy modification

        5: C:\Windows\System32\cmd.exe
           command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VI0zTzLboc.bat"
           PID: 3516
           - Suspicious use of WriteProcessMemory

          6: C:\Windows\system32\w32tm.exe
             command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
             PID: 1220

          6: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe
             command line: "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe"
             PID: 4336
             - UAC bypass
             - Executes dropped EXE
             - Checks whether UAC is enabled
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken
             - System policy modification
1: C:\Windows\system32\schtasks.exe (42 instances, all at depth 1; the report's "Process spawned unexpected child process" signature attributes them to parent C:\Windows\system32\wbem\wmiprvse.exe)
   Each instance triggers the same two signatures:
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID and command line of each instance, in report order:
   PID 1504: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\taskhostw.exe'" /f
   PID 2420: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\taskhostw.exe'" /rl HIGHEST /f
   PID 4052: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\taskhostw.exe'" /rl HIGHEST /f
   PID 5080: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
   PID 3888: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
   PID 2340: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
   PID 1496: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\lsass.exe'" /f
   PID 4564: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\lsass.exe'" /rl HIGHEST /f
   PID 964: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\lsass.exe'" /rl HIGHEST /f
   PID 1068: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /f
   PID 404: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f
   PID 3192: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f
   PID 3288: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\TrustedInstaller.exe'" /f
   PID 3848: schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\TrustedInstaller.exe'" /rl HIGHEST /f
   PID 3624: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\TrustedInstaller.exe'" /rl HIGHEST /f
   PID 1600: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
   PID 4252: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
   PID 1428: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
   PID 4104: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
   PID 4172: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
   PID 3320: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
   PID 2552: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
   PID 856: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
   PID 3392: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
   PID 2024: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\SppExtComObj.exe'" /f
   PID 1540: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\SppExtComObj.exe'" /rl HIGHEST /f
   PID 3960: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\SppExtComObj.exe'" /rl HIGHEST /f
   PID 3080: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\conhost.exe'" /f
   PID 2300: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\conhost.exe'" /rl HIGHEST /f
   PID 3112: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\conhost.exe'" /rl HIGHEST /f
   PID 1644: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /f
   PID 4916: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f
   PID 4496: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f
   PID 1180: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Chainserverhostnetcommon\dllhost.exe'" /f
   PID 2856: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Chainserverhostnetcommon\dllhost.exe'" /rl HIGHEST /f
   PID 3176: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Chainserverhostnetcommon\dllhost.exe'" /rl HIGHEST /f
   PID 1608: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Chainserverhostnetcommon\sihost.exe'" /f
   PID 884: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Chainserverhostnetcommon\sihost.exe'" /rl HIGHEST /f
   PID 264: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Chainserverhostnetcommon\sihost.exe'" /rl HIGHEST /f
   PID 664: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\spoolsv.exe'" /f
   PID 464: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\spoolsv.exe'" /rl HIGHEST /f
   PID 4328: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\spoolsv.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads