Analysis
max time kernel: 144s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64 arch:x86 image:win10-20220901-en locale:en-us os:windows10-1703-x64 system
submitted: 31/10/2022, 22:55
Behavioral task: behavioral1
Sample: a98f5950aa31da12d12eb53a4566b095715c5b6899975066ea94b5794a0efe94.exe
Resource: win10-20220901-en
General
Target: a98f5950aa31da12d12eb53a4566b095715c5b6899975066ea94b5794a0efe94.exe
Size: 1.3MB
MD5: dbd9581d35045af89295ce9dae09667a
SHA1: 5cd0f7e8660299a5c4de79af7552637d13d3151d
SHA256: a98f5950aa31da12d12eb53a4566b095715c5b6899975066ea94b5794a0efe94
SHA512: bc18de55ed94b61c38697bd5bd309f55308c0c22e985244a5cde89ee952e4a638e14845298e91cf70891e4e49cf1dcdbc1f8a9864b7c6320359bdaee72eaa7dd
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral1/files/0x000a00000001abfb-284.dat | dcrat
behavioral1/files/0x000a00000001abfb-285.dat | dcrat
behavioral1/memory/3600-286-0x0000000000BD0000-0x0000000000CE0000-memory.dmp | dcrat
behavioral1/files/0x000600000001ac36-334.dat | dcrat
behavioral1/files/0x000600000001ac36-335.dat | dcrat

Process spawned unexpected child process (36 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 4828
Process: schtasks.exe
procid_target: 70
pid (36 entries, one per schtasks.exe child, all with the same description, pid_target, Process and procid_target): 4780, 3220, 4128, 4060, 4112, 5088, 4120, 4144, 4152, 4460, 1092, 64, 384, 456, 468, 692, 856, 4192, 904, 4316, 1852, 1412, 1220, 1392, 1156, 2216, 2140, 2848, 2728, 1856, 2148, 2144, 2856, 1480, 240, 96
Executes dropped EXE (2 IoCs)
pid | Process
3600 | DllCommonsvc.exe
4904 | wininit.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\InfusedApps\Applications\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\schemas\Provisioning\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Windows\AppPatch\ja-JP\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\e6c9b481da804f | DllCommonsvc.exe
File created | C:\Windows\Tasks\sihost.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\66fc9ff0ee96c2 | DllCommonsvc.exe
File created | C:\Windows\AppPatch\ja-JP\Idle.exe | DllCommonsvc.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe | DllCommonsvc.exe
File created | C:\Windows\schemas\Provisioning\a76d7bf15d8370 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 36 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (all 36 entries)
pid (36 entries): 4144, 1156, 2848, 2728, 2856, 5088, 64, 2140, 4128, 240, 1480, 4120, 4460, 692, 904, 1220, 1856, 4060, 468, 4192, 4316, 384, 1852, 856, 3220, 456, 1392, 96, 4780, 4152, 1092, 1412, 2216, 2148, 2144, 4112
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | a98f5950aa31da12d12eb53a4566b095715c5b6899975066ea94b5794a0efe94.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated entries grouped by pid)
pid | Process | entries
3600 | DllCommonsvc.exe | 3
216 | powershell.exe | 4
200 | powershell.exe | 4
232 | powershell.exe | 4
2292 | powershell.exe | 4
2260 | powershell.exe | 4
440 | powershell.exe | 4
1548 | powershell.exe | 4
3796 | powershell.exe | 4
2432 | powershell.exe | 4
4524 | powershell.exe | 4
4164 | powershell.exe | 4
4748 | powershell.exe | 4
4944 | powershell.exe | 3
4904 | wininit.exe | 10
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4904 | wininit.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs, grouped in report order)
Token: SeDebugPrivilege (15 entries) | pid Process: 3600 DllCommonsvc.exe, 216 powershell.exe, 200 powershell.exe, 232 powershell.exe, 2292 powershell.exe, 2260 powershell.exe, 440 powershell.exe, 4904 wininit.exe, 1548 powershell.exe, 3796 powershell.exe, 2432 powershell.exe, 4524 powershell.exe, 4164 powershell.exe, 4748 powershell.exe, 4944 powershell.exe
pid 232 powershell.exe (21 entries) | Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 2432 powershell.exe (21 entries) | Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 4524 powershell.exe (7 entries) | Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege
Suspicious use of WriteProcessMemory (36 IoCs, repeated entries grouped)
description | pid | Process | procid_target | entries
PID 4760 wrote to memory of 4620 | 4760 | a98f5950aa31da12d12eb53a4566b095715c5b6899975066ea94b5794a0efe94.exe | 66 | 3
PID 4620 wrote to memory of 4288 | 4620 | WScript.exe | 67 | 3
PID 4288 wrote to memory of 3600 | 4288 | cmd.exe | 69 | 2
PID 3600 wrote to memory of 232 | 3600 | DllCommonsvc.exe | 107 | 2
PID 3600 wrote to memory of 216 | 3600 | DllCommonsvc.exe | 116 | 2
PID 3600 wrote to memory of 200 | 3600 | DllCommonsvc.exe | 109 | 2
PID 3600 wrote to memory of 2292 | 3600 | DllCommonsvc.exe | 110 | 2
PID 3600 wrote to memory of 2260 | 3600 | DllCommonsvc.exe | 111 | 2
PID 3600 wrote to memory of 440 | 3600 | DllCommonsvc.exe | 113 | 2
PID 3600 wrote to memory of 1548 | 3600 | DllCommonsvc.exe | 117 | 2
PID 3600 wrote to memory of 2432 | 3600 | DllCommonsvc.exe | 118 | 2
PID 3600 wrote to memory of 3796 | 3600 | DllCommonsvc.exe | 119 | 2
PID 3600 wrote to memory of 4524 | 3600 | DllCommonsvc.exe | 120 | 2
PID 3600 wrote to memory of 4164 | 3600 | DllCommonsvc.exe | 121 | 2
PID 3600 wrote to memory of 4748 | 3600 | DllCommonsvc.exe | 122 | 2
PID 3600 wrote to memory of 4944 | 3600 | DllCommonsvc.exe | 123 | 2
PID 3600 wrote to memory of 4904 | 3600 | DllCommonsvc.exe | 127 | 2
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a98f5950aa31da12d12eb53a4566b095715c5b6899975066ea94b5794a0efe94.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a98f5950aa31da12d12eb53a4566b095715c5b6899975066ea94b5794a0efe94.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4760
  [2] C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 4620
    [3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4288
      [4] C:\providercommon\DllCommonsvc.exe
        command line: "C:\providercommon\DllCommonsvc.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3600
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 232
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 200
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\sihost.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2292
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\Provisioning\DllCommonsvc.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2260
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 440
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 216
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sihost.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1548
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\ja-JP\Idle.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2432
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\sppsvc.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3796
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4524
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4164
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4748
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4944
        [5] C:\Recovery\WindowsRE\wininit.exe
          command line: "C:\Recovery\WindowsRE\wininit.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          PID: 4904
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4780
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3220
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4128
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4060
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4112
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5088
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\sihost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4120
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Tasks\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4144
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4152
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\Provisioning\DllCommonsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4460
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\schemas\Provisioning\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1092
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\Provisioning\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 64
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\odt\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 384
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 456
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 468
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sihost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 692
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 856
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4192
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\ja-JP\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 904
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppPatch\ja-JP\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4316
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\ja-JP\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1852
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1412
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1220
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1392
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1156
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2216
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2140
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2848
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2728
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1856
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2148
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2144
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2856
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1480
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 240
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 96
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
- Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- Filesize: 1KB
  MD5: d9a92071ee8e16ba32f49545661a090b
  SHA1: 9f1ba6428e66d97dce423667df2580c6797201b5
  SHA256: a4c6a97044c8d1c97666ee3fd78128644b5c546b477dfec62f397a6749e46c41
  SHA512: f9f0338b335901e2254fe81ee17b67e52b8c1e51983f87a412d038f16b72369669b11e7f7a77d91501791fd472f62b59ab52f58211cb90ad80a5e1282e1d8fe9
- Filesize: 1KB
  MD5: aae696ce6c31791237fa22c594646f65
  SHA1: eef7002b41a1ed05564bbe7e9fd7a60ba90e0666
  SHA256: 478f4ab5c9147abb00d8b0575b9054f6a8dff87b54df680e58b8cd378d8d691d
  SHA512: 9036687ce34498a7bbf031a1c45e5c0675b163a9cd3c9523af8f7cdf22b96ba9af2c8364dcdfc2a5e94516992a6505b4798b2b3a7488ad542f70b623408eca6b
- Filesize: 1KB
  MD5: babe7ea520de6bfe6d112a59f17bde51
  SHA1: 78b877415d6765bf71d8d031a6f38e6ba4706719
  SHA256: f333afddaee95408c154efb4ea8ebe9a18e7f5096f8046180169823bc435e430
  SHA512: 19b5d33e6593c3179dc4271963597d7c1aaa7468a9c88590618facc7bbee56aaced10ce4281d3f09138e167c10fcdfb877940924534a110e3ac88a0afc9baf56
- Filesize: 1KB
  MD5: babe7ea520de6bfe6d112a59f17bde51
  SHA1: 78b877415d6765bf71d8d031a6f38e6ba4706719
  SHA256: f333afddaee95408c154efb4ea8ebe9a18e7f5096f8046180169823bc435e430
  SHA512: 19b5d33e6593c3179dc4271963597d7c1aaa7468a9c88590618facc7bbee56aaced10ce4281d3f09138e167c10fcdfb877940924534a110e3ac88a0afc9baf56
- Filesize: 1KB
  MD5: babe7ea520de6bfe6d112a59f17bde51
  SHA1: 78b877415d6765bf71d8d031a6f38e6ba4706719
  SHA256: f333afddaee95408c154efb4ea8ebe9a18e7f5096f8046180169823bc435e430
  SHA512: 19b5d33e6593c3179dc4271963597d7c1aaa7468a9c88590618facc7bbee56aaced10ce4281d3f09138e167c10fcdfb877940924534a110e3ac88a0afc9baf56
- Filesize: 1KB
  MD5: babe7ea520de6bfe6d112a59f17bde51
  SHA1: 78b877415d6765bf71d8d031a6f38e6ba4706719
  SHA256: f333afddaee95408c154efb4ea8ebe9a18e7f5096f8046180169823bc435e430
  SHA512: 19b5d33e6593c3179dc4271963597d7c1aaa7468a9c88590618facc7bbee56aaced10ce4281d3f09138e167c10fcdfb877940924534a110e3ac88a0afc9baf56
- Filesize: 1KB
  MD5: babe7ea520de6bfe6d112a59f17bde51
  SHA1: 78b877415d6765bf71d8d031a6f38e6ba4706719
  SHA256: f333afddaee95408c154efb4ea8ebe9a18e7f5096f8046180169823bc435e430
  SHA512: 19b5d33e6593c3179dc4271963597d7c1aaa7468a9c88590618facc7bbee56aaced10ce4281d3f09138e167c10fcdfb877940924534a110e3ac88a0afc9baf56
- Filesize: 1KB
  MD5: eb06934d07bb30f0cad43b20cd5b049f
  SHA1: 97105b4b76383b4df19d187c1d03a7cac24d6f67
  SHA256: 9358b95ba4cea353580046b15166a8a2382c2fa412447f79cb6028a3f981be90
  SHA512: 5d5e29c73fbdb1015c7084810aaf44c9ba1b109e48c4eecd09af5ca87cb1d712086c48d0b0a0e51f9db02c2a958a2c897529bfa3027cb48c5eb6ffa45d86e7a8
- Filesize: 1KB
  MD5: a24f655579e5d9b972c4c1c86a01148b
  SHA1: 3414a9f11d0fab0ee9fa092e5eed083c12c53238
  SHA256: e0c61d5439ba40201dbb99af808aec3445316d303068444f53e2978975a726de
  SHA512: 203b2c9a43252557cc8e916a582e8aa4e9b741d6ca70f5668f53e83cb4263264a70b4286a3182ce3bd5d93edfe68e0e335f193b3a59d1b7f33a9ef59a70efdef
- Filesize: 1KB
  MD5: 7eee2670ace4cd2947b199ec321cbdd7
  SHA1: 5acb9f2a8cd5da2d763a26fb83f1c0a60f935003
  SHA256: 01a6ee4eecef50de52319ce7d552881e85365e161d3d56611651b22116e5851e
  SHA512: c66010aa3a61da22967cb2ccc647c2d858f021f38bce9f08080488429693cb87e3d919f0485815cfeb69ba150bd12cc0812ecd8e7dbf832bcfa5d5bc3088a810
- Filesize: 1KB
  MD5: 3106534414e456f97278a1c39ab23fe9
  SHA1: 45ef68082f1d28a072464e01decc91e75c9173a0
  SHA256: af8c5d686f6d1f31288411f365fb489f36b4b0bd8faedf1148a45dff91ea30b7
  SHA512: 0feac598f9c4eff2b877c6317560e40e3cee2ccc8c5eccb6239bbd4abd77d060ec51a772d56ac034c3ae97143ea1ca52d9bab97e8d903d1538b0e06fbe0e9ad2
- Filesize: 1KB
  MD5: e0ba39a3355567578a65ef5dbc08519e
  SHA1: a24a8750ea5c45fc86c868b2e412bb72f6c3a42c
  SHA256: dda67873604ac32b6c40f7d110961b3bf1e7d9dcb756242ab32b653fc5fb0b6d
  SHA512: b0219ff4c87cd89c3bd2f11628bf463cb6ecefb4315888a960a2c58edc7f2c85eed8bf28338ef3830cea8d19d92cde25073b50bfef2e7970714fac41680b65b3
- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478