Analysis
- max time kernel: 52s
- max time network: 59s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 31/10/2022, 22:52
Behavioral task: behavioral1
- Sample: 0b398eb2c8396702fdac5f2e1b2bcd7fb71ad1b31ba7e79adf1e2642fffcac22.exe
- Resource: win10-20220812-en
General
- Target: 0b398eb2c8396702fdac5f2e1b2bcd7fb71ad1b31ba7e79adf1e2642fffcac22.exe
- Size: 1.3MB
- MD5: f5a475f08cd6d514696d0b85fc592b92
- SHA1: 35f08374ab34363caa849f8543f1f0bafda3e5d5
- SHA256: 0b398eb2c8396702fdac5f2e1b2bcd7fb71ad1b31ba7e79adf1e2642fffcac22
- SHA512: e080a387f24d940472f6b2a68a3c620cd65d396a933d7b95fd35284e01ceeca3d6f5458168e81b09a7171a428e889466418c4b498506086d1e4bfb0458a37220
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5104 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4348 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4212 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4548 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5116 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3376 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4564 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3732 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3548 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3988 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4808 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4112 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5072 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5060 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4996 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4156 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4952 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5044 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5052 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 676 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4120 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4136 | 4892 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4936 | 4892 | schtasks.exe | 70
-
resource | yara_rule
behavioral1/files/0x000800000001ac26-284.dat | dcrat
behavioral1/files/0x000800000001ac26-285.dat | dcrat
behavioral1/memory/4568-286-0x00000000002D0000-0x00000000003E0000-memory.dmp | dcrat
behavioral1/files/0x000600000001ac57-319.dat | dcrat
behavioral1/files/0x000600000001ac57-321.dat | dcrat
-
Executes dropped EXE 2 IoCs
pid | Process
4568 | DllCommonsvc.exe
2380 | winlogon.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16 | DllCommonsvc.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\L2Schemas\Idle.exe | DllCommonsvc.exe
File created | C:\Windows\L2Schemas\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Windows\es-ES\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\es-ES\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Windows\L2Schemas\Idle.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4548 | schtasks.exe
3548 | schtasks.exe
4808 | schtasks.exe
4996 | schtasks.exe
5052 | schtasks.exe
4348 | schtasks.exe
3732 | schtasks.exe
3988 | schtasks.exe
5072 | schtasks.exe
4156 | schtasks.exe
4136 | schtasks.exe
5104 | schtasks.exe
4564 | schtasks.exe
4112 | schtasks.exe
5060 | schtasks.exe
4952 | schtasks.exe
2032 | schtasks.exe
676 | schtasks.exe
4120 | schtasks.exe
4212 | schtasks.exe
5116 | schtasks.exe
3376 | schtasks.exe
5044 | schtasks.exe
4936 | schtasks.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings | 0b398eb2c8396702fdac5f2e1b2bcd7fb71ad1b31ba7e79adf1e2642fffcac22.exe
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid | Process
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
4568 | DllCommonsvc.exe
384 | powershell.exe
1004 | powershell.exe
1420 | powershell.exe
896 | powershell.exe
404 | powershell.exe
248 | powershell.exe
4800 | powershell.exe
340 | powershell.exe
192 | powershell.exe
1004 | powershell.exe
340 | powershell.exe
2380 | winlogon.exe
248 | powershell.exe
384 | powershell.exe
1420 | powershell.exe
340 | powershell.exe
1004 | powershell.exe
4800 | powershell.exe
404 | powershell.exe
192 | powershell.exe
896 | powershell.exe
248 | powershell.exe
384 | powershell.exe
1420 | powershell.exe
4800 | powershell.exe
404 | powershell.exe
192 | powershell.exe
896 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4568 | DllCommonsvc.exe
Token: SeDebugPrivilege | 384 | powershell.exe
Token: SeDebugPrivilege | 1004 | powershell.exe
Token: SeDebugPrivilege | 1420 | powershell.exe
Token: SeDebugPrivilege | 2380 | winlogon.exe
Token: SeDebugPrivilege | 896 | powershell.exe
Token: SeDebugPrivilege | 404 | powershell.exe
Token: SeDebugPrivilege | 248 | powershell.exe
Token: SeDebugPrivilege | 4800 | powershell.exe
Token: SeDebugPrivilege | 340 | powershell.exe
Token: SeDebugPrivilege | 192 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 340 | powershell.exe
Token: SeSecurityPrivilege | 340 | powershell.exe
Token: SeTakeOwnershipPrivilege | 340 | powershell.exe
Token: SeLoadDriverPrivilege | 340 | powershell.exe
Token: SeSystemProfilePrivilege | 340 | powershell.exe
Token: SeSystemtimePrivilege | 340 | powershell.exe
Token: SeProfSingleProcessPrivilege | 340 | powershell.exe
Token: SeIncBasePriorityPrivilege | 340 | powershell.exe
Token: SeCreatePagefilePrivilege | 340 | powershell.exe
Token: SeBackupPrivilege | 340 | powershell.exe
Token: SeRestorePrivilege | 340 | powershell.exe
Token: SeShutdownPrivilege | 340 | powershell.exe
Token: SeDebugPrivilege | 340 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 340 | powershell.exe
Token: SeRemoteShutdownPrivilege | 340 | powershell.exe
Token: SeUndockPrivilege | 340 | powershell.exe
Token: SeManageVolumePrivilege | 340 | powershell.exe
Token: 33 | 340 | powershell.exe
Token: 34 | 340 | powershell.exe
Token: 35 | 340 | powershell.exe
Token: 36 | 340 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1004 | powershell.exe
Token: SeSecurityPrivilege | 1004 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1004 | powershell.exe
Token: SeLoadDriverPrivilege | 1004 | powershell.exe
Token: SeSystemProfilePrivilege | 1004 | powershell.exe
Token: SeSystemtimePrivilege | 1004 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1004 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1004 | powershell.exe
Token: SeCreatePagefilePrivilege | 1004 | powershell.exe
Token: SeBackupPrivilege | 1004 | powershell.exe
Token: SeRestorePrivilege | 1004 | powershell.exe
Token: SeShutdownPrivilege | 1004 | powershell.exe
Token: SeDebugPrivilege | 1004 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1004 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1004 | powershell.exe
Token: SeUndockPrivilege | 1004 | powershell.exe
Token: SeManageVolumePrivilege | 1004 | powershell.exe
Token: 33 | 1004 | powershell.exe
Token: 34 | 1004 | powershell.exe
Token: 35 | 1004 | powershell.exe
Token: 36 | 1004 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 248 | powershell.exe
Token: SeSecurityPrivilege | 248 | powershell.exe
Token: SeTakeOwnershipPrivilege | 248 | powershell.exe
Token: SeLoadDriverPrivilege | 248 | powershell.exe
Token: SeSystemProfilePrivilege | 248 | powershell.exe
Token: SeSystemtimePrivilege | 248 | powershell.exe
Token: SeProfSingleProcessPrivilege | 248 | powershell.exe
Token: SeIncBasePriorityPrivilege | 248 | powershell.exe
Token: SeCreatePagefilePrivilege | 248 | powershell.exe
Token: SeBackupPrivilege | 248 | powershell.exe
Token: SeRestorePrivilege | 248 | powershell.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2580 wrote to memory of 536 | 2580 | 0b398eb2c8396702fdac5f2e1b2bcd7fb71ad1b31ba7e79adf1e2642fffcac22.exe | 66
PID 2580 wrote to memory of 536 | 2580 | 0b398eb2c8396702fdac5f2e1b2bcd7fb71ad1b31ba7e79adf1e2642fffcac22.exe | 66
PID 2580 wrote to memory of 536 | 2580 | 0b398eb2c8396702fdac5f2e1b2bcd7fb71ad1b31ba7e79adf1e2642fffcac22.exe | 66
PID 536 wrote to memory of 4352 | 536 | WScript.exe | 67
PID 536 wrote to memory of 4352 | 536 | WScript.exe | 67
PID 536 wrote to memory of 4352 | 536 | WScript.exe | 67
PID 4352 wrote to memory of 4568 | 4352 | cmd.exe | 69
PID 4352 wrote to memory of 4568 | 4352 | cmd.exe | 69
PID 4568 wrote to memory of 1004 | 4568 | DllCommonsvc.exe | 95
PID 4568 wrote to memory of 1004 | 4568 | DllCommonsvc.exe | 95
PID 4568 wrote to memory of 384 | 4568 | DllCommonsvc.exe | 104
PID 4568 wrote to memory of 384 | 4568 | DllCommonsvc.exe | 104
PID 4568 wrote to memory of 1420 | 4568 | DllCommonsvc.exe | 103
PID 4568 wrote to memory of 1420 | 4568 | DllCommonsvc.exe | 103
PID 4568 wrote to memory of 896 | 4568 | DllCommonsvc.exe | 98
PID 4568 wrote to memory of 896 | 4568 | DllCommonsvc.exe | 98
PID 4568 wrote to memory of 404 | 4568 | DllCommonsvc.exe | 99
PID 4568 wrote to memory of 404 | 4568 | DllCommonsvc.exe | 99
PID 4568 wrote to memory of 4800 | 4568 | DllCommonsvc.exe | 100
PID 4568 wrote to memory of 4800 | 4568 | DllCommonsvc.exe | 100
PID 4568 wrote to memory of 248 | 4568 | DllCommonsvc.exe | 105
PID 4568 wrote to memory of 248 | 4568 | DllCommonsvc.exe | 105
PID 4568 wrote to memory of 192 | 4568 | DllCommonsvc.exe | 107
PID 4568 wrote to memory of 192 | 4568 | DllCommonsvc.exe | 107
PID 4568 wrote to memory of 340 | 4568 | DllCommonsvc.exe | 108
PID 4568 wrote to memory of 340 | 4568 | DllCommonsvc.exe | 108
PID 4568 wrote to memory of 2380 | 4568 | DllCommonsvc.exe | 113
PID 4568 wrote to memory of 2380 | 4568 | DllCommonsvc.exe | 113
Processes
Process tree (indented by parent/child depth; each entry gives the image path, the command line, the signatures hit and the PID):

C:\Users\Admin\AppData\Local\Temp\0b398eb2c8396702fdac5f2e1b2bcd7fb71ad1b31ba7e79adf1e2642fffcac22.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0b398eb2c8396702fdac5f2e1b2bcd7fb71ad1b31ba7e79adf1e2642fffcac22.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2580

    C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      - Suspicious use of WriteProcessMemory
      PID: 536

        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 4352

            C:\providercommon\DllCommonsvc.exe
              command line: "C:\providercommon\DllCommonsvc.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 4568

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1004

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 896

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 404

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 4800

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\csrss.exe'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1420

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\Idle.exe'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 384

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 248

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 192

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\winlogon.exe'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 340

                C:\Users\Default\winlogon.exe
                  command line: "C:\Users\Default\winlogon.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2380

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5104

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4348

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4212

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4548

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5116

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3376

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4564

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3732

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3548

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3988

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4808

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4112

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5072

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5060

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4996

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4156

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4952

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5044

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\odt\sihost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5052

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2032

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 676

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4120

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4136

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4936
Network
MITRE ATT&CK Enterprise v6
Downloads