Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 23:21

Behavioral task behavioral1
Sample: 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe
Resource: win7-20240705-en

Behavioral task behavioral2
Sample: 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe
Resource: win10v2004-20240709-en

The signatures, process tree and memory dumps below all come from behavioral1 (Windows 7 x64); no behavioral2 results are recorded on this page.

General
Target: 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe
Size: 1.4MB
MD5: 1d2b1f463a1d6b10f9610337e95d5c0e
SHA1: 59b08e6488e6380d4958534b3273396e34a14d9e
SHA256: 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77
SHA512: 74671170b1e066024240e6c5226b75727e604a8ac9ce41e69b7fe5cec581ef52c69a7b238d61c614d30a311c7c74e63d3b82e5a5815a51ef38dac71bd6d548bd
SSDEEP: 24576:u2G/nvxW3WieCrUKCU7IPEHnEKGfLymG8jY5Acrcdwkvpfq:ubA3jrGU1HnSfLymG8cSzm
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run that reading does not fit: the recorded parent of every flagged child is WmiPrvSE.exe, the WMI provider host, which is what a process created through WMI (Win32_Process.Create) looks like. The dropper most likely issued its 36 schtasks.exe commands over WMI, so none of them appear as its children in the process tree.
Processes: schtasks.exe (36 instances)
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
parent pid (pid_target): 2904 (wmiprvse.exe) for every entry
child pids (schtasks.exe): 2884, 2792, 864, 1376, 2600, 2668, 2672, 2348, 344, 2952, 1768, 1152, 2564, 2912, 1972, 2664, 2820, 644, 2008, 1724, 2152, 2128, 3068, 2224, 2528, 1624, 2584, 448, 1032, 3020, 1320, 948, 1908, 2192, 1876, 2036
UAC bypass 6 IoCs
Processes: csrss.exe, bridgeContainerRef.exe
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (csrss.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (csrss.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bridgeContainerRef.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (bridgeContainerRef.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (bridgeContainerRef.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (csrss.exe)
Setting these three values to 0 does not bypass a UAC prompt so much as switch UAC off: EnableLUA=0 disables it for every account after the next reboot, ConsentPromptBehaviorAdmin=0 makes administrators elevate without any prompt, and PromptOnSecureDesktop=0 takes the prompt off the secure desktop. Writing them requires an already elevated token, which is consistent with both processes holding SeDebugPrivilege below.
YARA matches (rule: dcrat) 3 IoCs
resource / yara_rule:
- C:\componentinto\bridgeContainerRef.exe: dcrat
- behavioral1/memory/604-13-0x0000000001090000-0x00000000011A6000-memory.dmp: dcrat (bridgeContainerRef.exe, PID 604)
- behavioral1/memory/1928-50-0x0000000000320000-0x0000000000436000-memory.dmp: dcrat (csrss.exe, PID 1928)
Executes dropped EXE 2 IoCs
Processes: bridgeContainerRef.exe, csrss.exe
pid / process:
- 604 bridgeContainerRef.exe
- 1928 csrss.exe
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid / process:
- 2980 cmd.exe
- 2980 cmd.exe
Checks whether UAC is enabled 4 IoCs
Processes: bridgeContainerRef.exe, csrss.exe
description / ioc / process:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (bridgeContainerRef.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bridgeContainerRef.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (csrss.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (csrss.exe)
Drops file in Program Files directory 12 IoCs
Processes: bridgeContainerRef.exe
description / ioc / process (all File created by bridgeContainerRef.exe):
- C:\Program Files\Windows Sidebar\System.exe
- C:\Program Files\Windows Sidebar\27d1bcfc3c54e0
- C:\Program Files\Microsoft Office\Office14\1033\System.exe
- C:\Program Files\Microsoft Office\Office14\1033\27d1bcfc3c54e0
- C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe
- C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\886983d96e3d3e
- C:\Program Files\Windows Journal\it-IT\wininit.exe
- C:\Program Files\Windows Journal\it-IT\56085415360792
- C:\Program Files\7-Zip\Lang\Idle.exe
- C:\Program Files\7-Zip\Lang\6ccacd8608530f
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\explorer.exe
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\7a0fd90576e088
Every dropped executable is written next to a companion file with a 14-character hexadecimal name (27d1bcfc3c54e0, 886983d96e3d3e, 56085415360792, 6ccacd8608530f, 7a0fd90576e088); the same companion name recurs wherever the same executable name is dropped, so these pairs are a usable file-system hunting indicator.
Drops file in Windows directory 6 IoCs
Processes: bridgeContainerRef.exe
description / ioc / process (all File created by bridgeContainerRef.exe):
- C:\Windows\BitLockerDiscoveryVolumeContents\6cb0b6c459d5d3
- C:\Windows\ServiceProfiles\NetworkService\Downloads\Idle.exe
- C:\Windows\ServiceProfiles\NetworkService\Downloads\6ccacd8608530f
- C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe
- C:\Windows\Resources\Ease of Access Themes\f2fdbaba385e06
- C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (36 instances)
pids: 2884, 2792, 644, 2668, 1768, 948, 1908, 2600, 2348, 2664, 2224, 3020, 344, 2952, 1320, 2584, 864, 2564, 1972, 2820, 2008, 3068, 1624, 448, 1876, 2672, 2912, 2128, 1032, 2036, 1376, 1152, 1724, 2152, 2528, 2192
The full command line of each instance is listed in the Processes section below.
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: bridgeContainerRef.exe, csrss.exe
pid / process:
- 604 bridgeContainerRef.exe (7 entries)
- 1928 csrss.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: bridgeContainerRef.exe, csrss.exe
description / pid / process:
- Token: SeDebugPrivilege, 604 bridgeContainerRef.exe
- Token: SeDebugPrivilege, 1928 csrss.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe, WScript.exe, cmd.exe, bridgeContainerRef.exe, cmd.exe
description (pid wrote to memory of target pid) / process / target process; the count is the number of write entries the sandbox logged for that pair:
- 2400 wrote to memory of 3056: 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe -> WScript.exe (4 entries)
- 3056 wrote to memory of 2980: WScript.exe -> cmd.exe (4 entries)
- 2980 wrote to memory of 604: cmd.exe -> bridgeContainerRef.exe (4 entries)
- 604 wrote to memory of 2968: bridgeContainerRef.exe -> cmd.exe (3 entries)
- 2968 wrote to memory of 1000: cmd.exe -> w32tm.exe (3 entries)
- 2968 wrote to memory of 1928: cmd.exe -> csrss.exe (3 entries)
Read in order, these pairs give the execution chain: sample (2400) -> WScript.exe (3056) -> cmd.exe (2980) -> bridgeContainerRef.exe (604) -> cmd.exe (2968) -> w32tm.exe (1000) and csrss.exe (1928).
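The parent/child pairs above, together with the "unexpected child" entries for WmiPrvSE.exe, are the evidence a detection engineer would turn into rules. The following is an added example, not code from the report or from Hatching Triage: it rebuilds the process tree from (pid, ppid, image, command line) records transcribed from this report, and evaluates three parent/child checks that this sample trips: schtasks.exe parented by WmiPrvSE.exe, a core Windows binary name running outside the Windows directories, and the script-host chain WScript.exe -> cmd.exe -> executable outside Windows or Program Files. The ancestry records for WmiPrvSE.exe (PID 2904, no command line recorded) and the list of trusted directories and core binary names are assumptions for the example; only three of the 36 schtasks instances are included.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the report records no parent
    image: str            # image path as logged by the sandbox
    cmdline: str


# Assumption: directories in which the core Windows binaries below legitimately run.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
SYSTEM_BINARY_NAMES = {"csrss.exe", "dwm.exe", "wininit.exe", "conhost.exe", "explorer.exe",
                       "smss.exe", "lsass.exe", "services.exe", "svchost.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def ancestry(procs: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image basenames from the outermost known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(_base(cur.image))
        cur = procs.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) for the parent/child anomalies this report exhibits."""
    procs = {e.pid: e for e in events}
    hits = []
    for e in events:
        name, chain = _base(e.image), ancestry(procs, e.pid)
        parent = chain[-2] if len(chain) >= 2 else ""
        # 1. schtasks.exe parented by the WMI provider host: created via Win32_Process.Create,
        #    so the real requester does not show up as the parent.
        if name == "schtasks.exe" and parent == "wmiprvse.exe":
            hits.append((e.pid, "schtasks-via-wmi", "scheduled task created through WMI"))
        # 2. A core Windows binary name running from somewhere it does not ship.
        if name in SYSTEM_BINARY_NAMES and _dir(e.image) not in TRUSTED_DIRS:
            hits.append((e.pid, "system-name-masquerade", f"{name} running from {ntpath.dirname(e.image)}"))
        # 3. Script host -> cmd.exe -> executable outside Windows / Program Files (the VBE -> BAT -> EXE stage).
        if chain[-3:-1] == ["wscript.exe", "cmd.exe"] and not _dir(e.image).startswith(("c:\\windows", "c:\\program files")):
            hits.append((e.pid, "script-host-dropper", f"WScript -> cmd -> {e.image}"))
    return hits


SAMPLE = "7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe"

# Records transcribed from the report's process tree; PID 2904 is the WmiPrvSE.exe parent the
# sandbox recorded for every schtasks.exe child (its own command line is not in the report).
EVENTS = [
    ProcEvent(2400, None, ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE), f'"{SAMPLE}"'),
    ProcEvent(3056, 2400, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\componentinto\TyJbcivSrBus9A7UqBxYQLYLifv.vbe"'),
    ProcEvent(2980, 3056, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\componentinto\3EQ4MYmSGwKCrTIrueD0pw.bat" "'),
    ProcEvent(604, 2980, r"C:\componentinto\bridgeContainerRef.exe", r'"C:\componentinto\bridgeContainerRef.exe"'),
    ProcEvent(2968, 604, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yZZz7yfIfQ.bat"'),
    ProcEvent(1000, 2968, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(1928, 2968, r"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe",
              r'"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe"'),
    ProcEvent(2904, None, r"C:\Windows\system32\wbem\wmiprvse.exe", ""),
    ProcEvent(2884, 2904, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\componentinto\csrss.exe'" /f'''),
    ProcEvent(2792, 2904, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\componentinto\csrss.exe'" /rl HIGHEST /f'''),
    ProcEvent(864, 2904, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\componentinto\csrss.exe'" /rl HIGHEST /f'''),
]

if __name__ == "__main__":
    print(" -> ".join(ancestry({e.pid: e for e in EVENTS}, 1928)))
    for pid, rule, detail in detect(EVENTS):
        print(f"{pid:>5} {rule:<24} {detail}")
```

The three rules are deliberately narrow so that the benign processes in the same tree (the SysWOW64 cmd.exe, w32tm.exe, WScript.exe itself) produce no hits; on a real endpoint the same checks apply to Sysmon event 1 or Windows 4688 records, where ParentImage gives the parent directly instead of having to be rebuilt from PIDs.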
System policy modification 1 TTPs 6 IoCs
Processes: csrss.exe, bridgeContainerRef.exe
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (csrss.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bridgeContainerRef.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (bridgeContainerRef.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (bridgeContainerRef.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (csrss.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (csrss.exe)
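The registry IOCs in the "UAC bypass", "Checks whether UAC is enabled" and "System policy modification" sections are the same handful of policy values, and the useful question for a responder is which process left UAC fully disabled. The following is an added example, not code from the report or from Hatching Triage: it parses registry IOC lines in the report's own "Set value (int) ... = "0" process" and "Key value queried ... process" shapes, maps each write to the three UAC policy values, and reports which processes set both EnableLUA and ConsentPromptBehaviorAdmin to 0. The secure default values (1, 5, 1) are the standard Windows defaults; the explanatory strings are the example's own wording.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The policy key the sample rewrites, in the NT object path form the sandbox reports.
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Secure (default) setting for each value the sample touches, and what 0 means for it.
UAC_VALUES = {
    "EnableLUA": (1, "UAC switched off for every account (effective after reboot)"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate silently, no consent prompt"),
    "PromptOnSecureDesktop": (1, "elevation prompts no longer use the secure desktop"),
}

# Two line shapes from the report: 'Set value (int) <key>\<name> = "<v>" <proc>'
# and 'Key value queried <key>\<name> <proc>'.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+)\\([^\\ ]+) = "([^"]*)" (\S+)$')
QUERY_RE = re.compile(r'^Key value queried (\\REGISTRY\\.+)\\([^\\ ]+) (\S+)$')


@dataclass(frozen=True)
class RegEvent:
    op: str                 # "set" or "query"
    key: str
    name: str
    value: Optional[str]    # None for queries
    process: str


def parse_reg_line(line: str) -> Optional[RegEvent]:
    """Parse one IOC line from the report; None if it is not a registry set/query line."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        _vtype, key, name, value, proc = m.groups()
        return RegEvent("set", key, name, value, proc)
    m = QUERY_RE.match(line)
    if m:
        key, name, proc = m.groups()
        return RegEvent("query", key, name, None, proc)
    return None


def uac_findings(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """(process, value name, new value, meaning) for every UAC policy value set to 0."""
    out = []
    for line in lines:
        ev = parse_reg_line(line)
        if ev is None or ev.op != "set" or ev.key.lower() != UAC_KEY.lower():
            continue
        if ev.name not in UAC_VALUES or not ev.value.isdigit():
            continue
        default, meaning = UAC_VALUES[ev.name]
        if int(ev.value) == 0 and default != 0:
            out.append((ev.process, ev.name, 0, meaning))
    return out


def processes_disabling_uac(lines: List[str]) -> Set[str]:
    """Processes that set both EnableLUA=0 and ConsentPromptBehaviorAdmin=0, i.e. turned UAC off outright."""
    touched = {}
    for proc, name, _value, _meaning in uac_findings(lines):
        touched.setdefault(proc, set()).add(name)
    return {p for p, names in touched.items() if {"EnableLUA", "ConsentPromptBehaviorAdmin"} <= names}


# IOC lines copied from the report's "System policy modification" and
# "Checks whether UAC is enabled" sections.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bridgeContainerRef.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bridgeContainerRef.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bridgeContainerRef.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bridgeContainerRef.exe',
]

if __name__ == "__main__":
    for proc, name, value, meaning in uac_findings(REPORT_LINES):
        print(f"{proc:<24} {name:<28} = {value}  ({meaning})")
    print("UAC disabled by:", sorted(processes_disabling_uac(REPORT_LINES)))
```

The same three values are what to check on a suspected host (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System); note that EnableLUA=0 only takes effect after a reboot, so a machine can report UAC as still enforced in the current session while the registry already says otherwise.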
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe (PID 2400)
   command line: "C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe"
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\SysWOW64\WScript.exe (PID 3056)
     command line: "C:\Windows\System32\WScript.exe" "C:\componentinto\TyJbcivSrBus9A7UqBxYQLYLifv.vbe"
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\SysWOW64\cmd.exe (PID 2980)
       command line: cmd /c ""C:\componentinto\3EQ4MYmSGwKCrTIrueD0pw.bat" "
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
      4⤵ C:\componentinto\bridgeContainerRef.exe (PID 604)
         command line: "C:\componentinto\bridgeContainerRef.exe"
         - UAC bypass
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         - System policy modification
        5⤵ C:\Windows\System32\cmd.exe (PID 2968)
           command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yZZz7yfIfQ.bat"
           - Suspicious use of WriteProcessMemory
          6⤵ C:\Windows\system32\w32tm.exe (PID 1000)
             command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          6⤵ C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe (PID 1928)
             command line: "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe"
             - UAC bypass
             - Executes dropped EXE
             - Checks whether UAC is enabled
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken
             - System policy modification

Notes on the chain:
- WScript.exe (3056) and the first cmd.exe (2980) run from C:\Windows\SysWOW64 even though their command lines name System32: the sample is a 32-bit process on x64 Windows (resource tag arch:x86), so file-system redirection maps System32 to SysWOW64 for the processes it starts. The cmd.exe that bridgeContainerRef.exe launches (2968) is the 64-bit System32 copy.
- Stage one is VBE -> BAT -> EXE: the .vbe in C:\componentinto runs a .bat from the same directory, and the batch file starts bridgeContainerRef.exe, the DcRat payload matched by the YARA rule.
- w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 takes two time samples five seconds apart against the local machine. Batch droppers use it as a sleep of roughly five seconds before launching the next stage (here the dropped csrss.exe); it is not being used for time synchronisation.
- The dropped csrss.exe runs from a Program Files (x86) documentation folder. The real csrss.exe exists only in C:\Windows\System32, so the image path on its own is enough to hunt for this stage.
The 36 entries below are all root-level (1⤵) instances of C:\Windows\system32\schtasks.exe; each one carries the signatures "Process spawned unexpected child process" (parent WmiPrvSE.exe, PID 2904) and "Scheduled Task/Job: Scheduled Task". Listed as PID: command line.

- 2884: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\componentinto\csrss.exe'" /f
- 2792: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\componentinto\csrss.exe'" /rl HIGHEST /f
- 864: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\componentinto\csrss.exe'" /rl HIGHEST /f
- 1376: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\System.exe'" /f
- 2600: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\System.exe'" /rl HIGHEST /f
- 2668: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\System.exe'" /rl HIGHEST /f
- 2672: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\System.exe'" /f
- 2348: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\System.exe'" /rl HIGHEST /f
- 344: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\System.exe'" /rl HIGHEST /f
- 2952: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /f
- 1768: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f
- 1152: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f
- 2564: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /f
- 2912: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /rl HIGHEST /f
- 1972: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /rl HIGHEST /f
- 2664: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\Idle.exe'" /f
- 2820: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\Idle.exe'" /rl HIGHEST /f
- 644: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\Idle.exe'" /rl HIGHEST /f
- 2008: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\conhost.exe'" /f
- 1724: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\conhost.exe'" /rl HIGHEST /f
- 2152: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\conhost.exe'" /rl HIGHEST /f
- 2128: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f
- 3068: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
- 2224: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
- 2528: schtasks.exe /create /tn "bridgeContainerRefb" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe'" /f
- 1624: schtasks.exe /create /tn "bridgeContainerRef" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe'" /rl HIGHEST /f
- 2584: schtasks.exe /create /tn "bridgeContainerRefb" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe'" /rl HIGHEST /f
- 448: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\explorer.exe'" /f
- 1032: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\explorer.exe'" /rl HIGHEST /f
- 3020: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\explorer.exe'" /rl HIGHEST /f
- 1320: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f
- 948: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
- 1908: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
- 2192: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\componentinto\System.exe'" /f
- 1876: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\componentinto\System.exe'" /rl HIGHEST /f
- 2036: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\componentinto\System.exe'" /rl HIGHEST /f

Pattern in the 36 creations:
- Twelve target paths, three tasks each: one /sc MINUTE task without /rl, one /sc ONLOGON task with /rl HIGHEST, and a second /sc MINUTE task with /rl HIGHEST. The minute intervals range from 5 to 14.
- Task names are derived from the target's file name: the ONLOGON task is named after the executable (csrss, System, wininit, Idle, conhost, bridgeContainerRef, explorer, dwm) and the two MINUTE tasks append the name's first letter (csrssc, SystemS, wininitw, IdleI, conhostc, bridgeContainerRefb, explorere, dwmd). That naming convention is a cheap hunting query against the task store.
- Every target except bridgeContainerRef.exe borrows the name of a Windows system process (csrss, dwm, wininit, conhost, explorer) or of a pseudo-process (System, Idle) while living under Program Files, C:\Recovery, C:\componentinto or an unrelated Windows subfolder.
- Several names are reused for different targets (csrss/csrssc for both the C:\componentinto and the Microsoft Sync Framework copies of csrss.exe; System/SystemS for three System.exe paths; Idle/IdleI for two Idle.exe paths). Because /f replaces an existing task of the same name, only the definition created last under each name survives the run; the other targets remain on disk but are no longer scheduled, so a clean-up has to remove the dropped files as well as the tasks.
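The 36 schtasks command lines above follow one template, and a triage or response script should recognise the template rather than the individual task names. The following is an added example, not code from the report or from Hatching Triage: it parses schtasks /create command lines in the exact form the sandbox printed them (including the "'path'" double quoting of /tr), groups them by target, flags every target registered with DcRat's three-task pattern (an ONLOGON task at /rl HIGHEST plus two short MINUTE tasks, one elevated and one not), checks the name-plus-first-letter convention, and emits the matching schtasks /delete commands. Nine of the report's command lines are included as input, together with one constructed benign task (VendorUpdate, a path that does not exist on the page) to show a non-match.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TaskCreate:
    pid: int
    name: str                # /tn
    schedule: str            # /sc, upper-cased (MINUTE, ONLOGON, DAILY, ...)
    modifier: Optional[int]  # /mo, the interval in minutes for /sc MINUTE
    target: str              # /tr with the sandbox's "'...'" quoting removed
    run_level: str           # /rl, LIMITED when absent (schtasks' default)


# One regex per option: the value is either a double-quoted string or a bare token.
_OPT = {k: re.compile(rf'/{k}\s+("[^"]*"|\S+)', re.I) for k in ("tn", "sc", "mo", "tr", "rl")}


def _opt(cmd: str, key: str) -> Optional[str]:
    m = _OPT[key].search(cmd)
    return m.group(1).strip('"').strip("'") if m else None


def parse_create(pid: int, cmd: str) -> Optional[TaskCreate]:
    """Parse a 'schtasks /create' command line; None for other schtasks verbs or malformed input."""
    if not re.search(r"\s/create\b", cmd, re.I):
        return None
    name, sc, mo, tr, rl = (_opt(cmd, k) for k in ("tn", "sc", "mo", "tr", "rl"))
    if not (name and sc and tr):
        return None
    interval = int(mo) if mo and mo.isdigit() else None
    return TaskCreate(pid, name, sc.upper(), interval, tr, (rl or "LIMITED").upper())


def dcrat_triplets(tasks: List[TaskCreate]) -> List[Dict]:
    """Targets registered with the three-task pattern seen in this report."""
    by_target: Dict[str, List[TaskCreate]] = defaultdict(list)
    for t in tasks:
        by_target[t.target.lower()].append(t)
    findings = []
    for group in by_target.values():
        stem = ntpath.basename(group[0].target).rsplit(".", 1)[0]   # "dwm" for "...\dwm.exe"
        names = {t.name for t in group}
        onlogon_high = any(t.schedule == "ONLOGON" and t.run_level == "HIGHEST" for t in group)
        minute_high = any(t.schedule == "MINUTE" and t.run_level == "HIGHEST" for t in group)
        minute_limited = any(t.schedule == "MINUTE" and t.run_level == "LIMITED" for t in group)
        if onlogon_high and minute_high and minute_limited:
            findings.append({
                "target": group[0].target,
                "task_names": sorted(names),
                "intervals_min": sorted(t.modifier for t in group if t.schedule == "MINUTE" and t.modifier is not None),
                "name_convention": names == {stem, stem + stem[0]},   # "dwm" and "dwmd"
                "pids": sorted(t.pid for t in group),
            })
    return findings


def delete_commands(findings: List[Dict]) -> List[str]:
    """schtasks /delete lines for every task name a finding references, deduplicated."""
    names = sorted({n for f in findings for n in f["task_names"]})
    return [f'schtasks /delete /tn "{n}" /f' for n in names]


# (PID, command line) pairs copied from the report; the last pair is a constructed benign task.
REPORT_CMDS = [
    (2952, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /f'''),
    (1768, r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f'''),
    (1152, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f'''),
    (1320, r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f'''),
    (948, r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f'''),
    (1908, r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f'''),
    (2528, r'''schtasks.exe /create /tn "bridgeContainerRefb" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe'" /f'''),
    (1624, r'''schtasks.exe /create /tn "bridgeContainerRef" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe'" /rl HIGHEST /f'''),
    (2584, r'''schtasks.exe /create /tn "bridgeContainerRefb" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe'" /rl HIGHEST /f'''),
    (9999, r'''schtasks.exe /create /tn "VendorUpdate" /sc DAILY /st 03:00 /tr "C:\Program Files\Vendor\update.exe"'''),  # constructed
]

if __name__ == "__main__":
    tasks = [t for t in (parse_create(p, c) for p, c in REPORT_CMDS) if t]
    found = dcrat_triplets(tasks)
    for f in found:
        print(f["target"], f["task_names"], f["intervals_min"], "convention" if f["name_convention"] else "")
    print("\n".join(delete_commands(found)))
```

On a live host the same parser can be fed from Sysmon event 1 or 4688 command lines, or from the task XML under C:\Windows\System32\Tasks; the triplet check is what distinguishes this family's persistence from the ordinary single ONLOGON task that legitimate software registers.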
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1), T1548.002
- Scheduled Task/Job (1): Scheduled Task (1), T1053.005
Downloads
(dropped files captured during the run; file names are not recorded on this page)

Filesize: 246B
MD5: de06afdf2e2113b72b07525553e6ced0
SHA1: a043eee970b93f786c698187354c6ce25668fad8
SHA256: 8df1f796e16df8ba74070d1e6e8cf3d4cb8c951e390c43b11c91147fc9a26f72
SHA512: 686d89c249594e6b89d487aadb358527ab9de997eae1a4e7bedadac29e689f44d7e847e957d4eae810fed032f93718d9016c5e3f54c566402850a1bb249de988

Filesize: 41B
MD5: 86d8de8f837ab632770008d846268bb8
SHA1: 050a887f38d930985d90b52726ae698806a93776
SHA256: 6f53cccfc1f99c8b3014c04b87e3cf51ad677042a47fd1a313b93571b1fc14cc
SHA512: d67f2bec91551abcf918d1ab1af634e06e7a23f9668fd6e7162ca445748a4b805215cef2c8590c2aea4769605e884225e481f79a082297f304ff0feedd7353e2

Filesize: 212B
MD5: 8ee36dbedf71844b819755a69aef93ce
SHA1: 3225ed789aec1beb07f3dbcb93101f67cc29412e
SHA256: c9edb1555caa1589010af0e3b6e3296daca37407359c12af2f54e4d04818f810
SHA512: a1cc0cad26a3cfcb52311855384b835c1537f034d86f307d2d716b41bf7825fa860e12f7a61ff0a1e50d8a43eb7d159538c4abaca24a8dbb47604fff949455f6

Filesize: 1.1MB
MD5: d2284b3bcac27076acbce384ae1f90b9
SHA1: cd4f86b839e07d8df5ae1acce0db9a4438494a3e
SHA256: e402b9d1e4218a83aa63143d75c6b2e52fd53ad046d04de79f6817409e03977b
SHA512: 218e20534c9789a87e75662f79f3c856c759b8df71bf770fa91cdb8c5dd5d2cc4e4abf968ae412365655bb38e151554f914117edec19f80ff5d8927d5c8a2f88