Analysis
-
max time kernel
31s -
max time network
82s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system -
submitted
01/11/2022, 10:37
Behavioral task
behavioral1
Sample
490e9d222562cedc6eb9414a448c93e52c01d47c7510f932281d76e2a9c1193d.exe
Resource
win10-20220812-en
General
-
Target
490e9d222562cedc6eb9414a448c93e52c01d47c7510f932281d76e2a9c1193d.exe
-
Size
1.3MB
-
MD5
552432ee6013aae630e86b53a356586d
-
SHA1
db163ad3014748e6dd82593ee6c257509b6f1b52
-
SHA256
490e9d222562cedc6eb9414a448c93e52c01d47c7510f932281d76e2a9c1193d
-
SHA512
2747fdd4795146b466d9a2fe969c8da87cab1c8454c40c78d12487b53ed1b57968d831e10f08a0c5f3bcef7e3d3d4317e902fa7d70bf1bf6b0dd174288744425
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
The sandbox's stock description for this signature is that the parent was compromised via an exploit or macro. That is not the right reading here: all 27 entries have C:\Windows\system32\wbem\wmiprvse.exe (PID 4488, sandbox procid 70) as the parent of a schtasks.exe, and WmiPrvSE.exe is the parent you get when a process creates another through WMI (Win32_Process.Create) instead of calling CreateProcess itself. That is why the 27 schtasks.exe processes appear at the root of the process tree below rather than under DllCommonsvc.exe. The report does not show the WMI caller, but the task names and targets match the files DllCommonsvc.exe drops and the paths it excludes from Defender.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Parent: wmiprvse.exe, PID 4488 (procid_target 70)
Child: schtasks.exe, PIDs 4320, 4348, 4568, 4620, 4148, 5060, 5040, 4964, 4636, 3716, 4316, 3116, 4368, 4552, 4528, 4472, 4656, 4428, 4492, 4476, 1880, 416, 924, 4648, 3940, 1732, 628 -
resource / yara_rule
- behavioral1/files/0x000800000001abec-279.dat: dcrat
- behavioral1/files/0x000800000001abec-280.dat: dcrat
- behavioral1/memory/1356-281-0x0000000000ED0000-0x0000000000FE0000-memory.dmp: dcrat (a ~1.1MB region in DllCommonsvc.exe, PID 1356)
- behavioral1/files/0x000600000001abf1-594.dat: dcrat
- behavioral1/files/0x000600000001abf1-593.dat: dcrat
- behavioral1/files/0x000600000001abf1-649.dat: dcrat
- behavioral1/files/0x000600000001abf1-655.dat: dcrat
- behavioral1/files/0x000600000001abf1-660.dat: dcrat -
Executes dropped EXE 2 IoCs
pid / Process
- 1356 DllCommonsvc.exe
- 4660 csrss.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 5 IoCs
description / ioc / Process
- File created: C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe (DllCommonsvc.exe)
- File opened for modification: C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Windows Sidebar\Shared Gadgets\886983d96e3d3e (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\ebf1f9fa8afd6d (DllCommonsvc.exe) -
Drops file in Windows directory 7 IoCs
description / ioc / Process
- File created: C:\Windows\servicing\ja-JP\ShellExperienceHost.exe (DllCommonsvc.exe)
- File created: C:\Windows\Help\fr-FR\dwm.exe (DllCommonsvc.exe)
- File created: C:\Windows\Help\fr-FR\6cb0b6c459d5d3 (DllCommonsvc.exe)
- File created: C:\Windows\debug\sihost.exe (DllCommonsvc.exe)
- File created: C:\Windows\debug\66fc9ff0ee96c2 (DllCommonsvc.exe)
- File created: C:\Windows\SystemApps\CortanaListenUIApp_cw5n1h2txyewy\microsoft.system.package.metadata\OfficeClickToRun.exe (DllCommonsvc.exe)
- File created: C:\Windows\SystemApps\CortanaListenUIApp_cw5n1h2txyewy\microsoft.system.package.metadata\e6c9b481da804f (DllCommonsvc.exe)
Each dropped executable is paired with a 14-hex-character companion file in the same directory. Note that these two signatures only cover Program Files and the Windows directory; the copies under C:\odt, C:\providercommon and C:\Users\Default User that the scheduled tasks and Defender exclusions reference are not listed by them. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour; for this sample it is better read as host reconnaissance by the RAT, since nothing else in the report shows mass file modification or encryption.
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: schtasks.exe with PIDs 4368, 3940, 4620, 3116, 4476, 4648, 628, 5040, 4528, 5060, 4472, 1880, 4568, 4148, 4316, 4428, 3716, 924, 4320, 4636, 4552, 1732, 4964, 4656, 4492, 416, 4348 (the full /create command lines are in the process tree below) -
Modifies registry class 2 IoCs
description / ioc / Process
- Key created: \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings (DllCommonsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings (490e9d222562cedc6eb9414a448c93e52c01d47c7510f932281d76e2a9c1193d.exe)
This is a low-signal indicator: HKCU\Software\Classes\Local Settings is created as a side effect of ordinary shell and COM API use and shows up for benign software as well. -
Suspicious behavior: EnumeratesProcesses 57 IoCs
pid / Process (57 entries, grouped by process)
- 1356 DllCommonsvc.exe: 15 entries
- powershell.exe PIDs 1404, 1320, 1472, 360, 508, 4352, 3308, 2100, 2332, 688: 4 entries each (40)
- 4660 csrss.exe: 2 entries -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description / pid / Process (the list stops at exactly 64 entries in the middle of a sequence, so it is evidently truncated by the sandbox)
- SeDebugPrivilege: 1356 DllCommonsvc.exe; powershell.exe PIDs 1404, 1320, 1472, 360, 508, 4352, 3308, 2100, 2332, 688
- powershell.exe 360 and powershell.exe 1320 each enable the full set of an elevated token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34, 35, 36 that the sandbox did not resolve to names (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)
- powershell.exe 4352: the same sequence, cut off after SeRestorePrivilege by the 64-entry limit -
Suspicious use of WriteProcessMemory 34 IoCs
description / pid / Process / procid_target (34 entries; each edge is listed two or three times in the original because the sandbox records every write)
- 2576 490e9d222562cedc6eb9414a448c93e52c01d47c7510f932281d76e2a9c1193d.exe wrote to 4784 (WScript.exe, procid_target 66): 3 entries
- 4784 WScript.exe wrote to 3340 (cmd.exe, procid_target 67): 3 entries
- 3340 cmd.exe wrote to 1356 (DllCommonsvc.exe, procid_target 69): 2 entries
- 1356 DllCommonsvc.exe wrote to each of its powershell.exe children, 2 entries each: 1404 (98), 1320 (117), 1472 (99), 360 (100), 508 (101), 4352 (103), 3308 (113), 2332 (106), 2100 (107), 688 (108)
- 1356 DllCommonsvc.exe wrote to 4736 (cmd.exe, procid_target 118): 2 entries
- 4736 cmd.exe wrote to 4840 (w32tm.exe, procid_target 120): 2 entries
- 4736 cmd.exe wrote to 4660 (csrss.exe, procid_target 122): 2 entries
Every one of these writes is from a parent into the child it has just created, which is what CreateProcess does when it sets up a new process. The signature therefore documents the process chain, not code injection into unrelated processes.
Processes
The tree below renders the sandbox's "1⤵ … 14⤵" depth markers as [depth] with two spaces of indentation per level. Two things worth noticing while reading it: WScript.exe and the first cmd.exe run from C:\Windows\SysWOW64 although their command lines name System32, so the initial sample is a 32-bit process and the WOW64 file-system redirector remapped the paths, whereas DllCommonsvc.exe launches 64-bit powershell.exe from System32. And the w32tm.exe invocations are not time synchronisation: "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2" takes about five seconds to complete and is a common stand-in for sleep in batch files.

[1] C:\Users\Admin\AppData\Local\Temp\490e9d222562cedc6eb9414a448c93e52c01d47c7510f932281d76e2a9c1193d.exe (PID 2576)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\490e9d222562cedc6eb9414a448c93e52c01d47c7510f932281d76e2a9c1193d.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe (PID 4784)
      cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3340)
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\providercommon\DllCommonsvc.exe (PID 1356)
          cmdline: "C:\providercommon\DllCommonsvc.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ten instances. Each is flagged "Suspicious behavior: EnumeratesProcesses" and "Suspicious use of AdjustPrivilegeToken", and each adds one Microsoft Defender path exclusion for a dropped (or about-to-be-dropped) binary, so Defender never scans the persistence copies:
            PID 1404: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            PID 1472: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
            PID 360:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\fr-FR\dwm.exe'
            PID 508:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'
            PID 4352: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
            PID 2332: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\CortanaListenUIApp_cw5n1h2txyewy\microsoft.system.package.metadata\OfficeClickToRun.exe'
            PID 2100: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
            PID 688:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
            PID 3308: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\sihost.exe'
            PID 1320: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'
        [5] C:\Windows\System32\cmd.exe (PID 4736)
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NbXwSAyXq.bat"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\w32tm.exe (PID 4840)
              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          [6] C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe (PID 4660)
              cmdline: "C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\System32\cmd.exe (PID 4072)
                cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
              [8] C:\Windows\system32\w32tm.exe (PID 3584)
                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              [8] C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe (PID 3200)
                  cmdline: "C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe"
                [9] C:\Windows\System32\cmd.exe (PID 4904)
                    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
                  [10] C:\Windows\system32\w32tm.exe (PID 5084)
                       cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  [10] C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe (PID 5076)
                       cmdline: "C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe"
                    [11] C:\Windows\System32\cmd.exe (PID 4436)
                         cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"
                      [12] C:\Windows\system32\w32tm.exe (PID 364)
                           cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      [12] C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe (PID 1700)
                           cmdline: "C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe"
                        [13] C:\Windows\System32\cmd.exe (PID 2444)
                             cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
                          [14] C:\Windows\system32\w32tm.exe (PID 4080)
                               cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

The chain from [5] downward is a relaunch loop: each csrss.exe copy writes a new randomly named .bat to %TEMP%, the .bat sleeps about five seconds via w32tm and starts csrss.exe again, and the cycle repeated five times inside the 31-second kernel window of this run. The five 222-byte entries in the Downloads list are consistent with those five .bat files.

[1] C:\Windows\system32\schtasks.exe, 27 instances whose parent is WmiPrvSE.exe (PID 4488) and which therefore sit at the root of the tree. Each is flagged "Process spawned unexpected child process" and "Creates scheduled task(s)". Every target gets the same three tasks: a MINUTE-interval task at default run level, an ONLOGON task at /rl HIGHEST, and a second MINUTE task at /rl HIGHEST; all use /f, which silently replaces an existing task of the same name. Because /f overwrites and the names repeat (wininitw/wininit are registered for both C:\odt\wininit.exe and C:\Users\Default User\wininit.exe, OfficeClickToRunO/OfficeClickToRun for both the SystemApps and the C:\providercommon copy), only 14 distinct task names can exist at the end, and for a duplicated name the target of whichever /create ran last is the one that survives.

PID   /tn                /sc            /mo   /rl       /tr
4320  csrssc             MINUTE         10    -         'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'
4348  csrss              ONLOGON        -     HIGHEST   'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'
4568  csrssc             MINUTE         14    HIGHEST   'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'
4620  wininitw           MINUTE         8     -         'C:\odt\wininit.exe'
4148  wininit            ONLOGON        -     HIGHEST   'C:\odt\wininit.exe'
5060  wininitw           MINUTE         11    HIGHEST   'C:\odt\wininit.exe'
5040  dwmd               MINUTE         11    -         'C:\Windows\Help\fr-FR\dwm.exe'
4964  dwm                ONLOGON        -     HIGHEST   'C:\Windows\Help\fr-FR\dwm.exe'
4636  dwmd               MINUTE         9     HIGHEST   'C:\Windows\Help\fr-FR\dwm.exe'
3716  cmdc               MINUTE         7     -         'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'
4316  cmd                ONLOGON        -     HIGHEST   'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'
3116  cmdc               MINUTE         11    HIGHEST   'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'
4368  fontdrvhostf       MINUTE         14    -         'C:\odt\fontdrvhost.exe'
4552  fontdrvhost        ONLOGON        -     HIGHEST   'C:\odt\fontdrvhost.exe'
4528  fontdrvhostf       MINUTE         7     HIGHEST   'C:\odt\fontdrvhost.exe'
4472  sihosts            MINUTE         6     -         'C:\Windows\debug\sihost.exe'
4656  sihost             ONLOGON        -     HIGHEST   'C:\Windows\debug\sihost.exe'
4428  sihosts            MINUTE         9     HIGHEST   'C:\Windows\debug\sihost.exe'
4492  OfficeClickToRunO  MINUTE         11    -         'C:\Windows\SystemApps\CortanaListenUIApp_cw5n1h2txyewy\microsoft.system.package.metadata\OfficeClickToRun.exe'
4476  OfficeClickToRun   ONLOGON        -     HIGHEST   'C:\Windows\SystemApps\CortanaListenUIApp_cw5n1h2txyewy\microsoft.system.package.metadata\OfficeClickToRun.exe'
1880  OfficeClickToRunO  MINUTE         6     HIGHEST   'C:\Windows\SystemApps\CortanaListenUIApp_cw5n1h2txyewy\microsoft.system.package.metadata\OfficeClickToRun.exe'
416   wininitw           MINUTE         13    -         'C:\Users\Default User\wininit.exe'
924   wininit            ONLOGON        -     HIGHEST   'C:\Users\Default User\wininit.exe'
4648  wininitw           MINUTE         11    HIGHEST   'C:\Users\Default User\wininit.exe'
3940  OfficeClickToRunO  MINUTE         8     -         'C:\providercommon\OfficeClickToRun.exe'
1732  OfficeClickToRun   ONLOGON        -     HIGHEST   'C:\providercommon\OfficeClickToRun.exe'
628   OfficeClickToRunO  MINUTE         9     HIGHEST   'C:\providercommon\OfficeClickToRun.exe'

Each row is the command "schtasks.exe /create /tn <name> /sc <schedule> [/mo <n>] /tr "<target>" [/rl HIGHEST] /f" with the target wrapped in single quotes exactly as shown.
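The indicators in this report translate directly into a host check. The script below is an added example written for this page; it is not part of the Tria.ge report and not DcRat's own code. It assumes Windows PowerShell 5.1 or later with administrator rights, the Defender and ScheduledTasks modules that ship with Windows 10, and, for the parent/child check, a Sysmon installation (the function just warns if the log is absent). The task names, file paths and SHA256 are copied from the signatures and process tree above; the function names, the output shape and the "outside System32" heuristic are the example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added hunting script for the DcRat persistence shown in this report.
# Indicators below are copied from the report; everything else is assumed.

# The 14 distinct /tn values from the 27 schtasks.exe /create commands.
$TaskNames = @('csrss','csrssc','wininit','wininitw','dwm','dwmd','cmd','cmdc',
               'fontdrvhost','fontdrvhostf','sihost','sihosts',
               'OfficeClickToRun','OfficeClickToRunO')

# Binaries named by the tasks, the Add-MpPreference exclusions and the drop signatures.
$DroppedPaths = @(
    'C:\providercommon\DllCommonsvc.exe',
    'C:\providercommon\OfficeClickToRun.exe',
    'C:\odt\wininit.exe',
    'C:\odt\fontdrvhost.exe',
    'C:\Users\Default User\wininit.exe',
    'C:\Windows\Help\fr-FR\dwm.exe',
    'C:\Windows\debug\sihost.exe',
    'C:\Windows\servicing\ja-JP\ShellExperienceHost.exe',
    'C:\Windows\SystemApps\CortanaListenUIApp_cw5n1h2txyewy\microsoft.system.package.metadata\OfficeClickToRun.exe',
    'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe',
    'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'
)

# SHA256 of the 1.0MB dropped file in the Downloads list.
$PayloadSha256 = 'B5199D3EB28E7DE8EC4A5DE66CB339A03D90B297E2292473BADAAB98ADE15C63'

function Find-SuspiciousTasks {
    # The genuine csrss/dwm/sihost/wininit/fontdrvhost are never scheduled tasks,
    # so a task with one of these names whose action lies outside System32 is a hit.
    foreach ($task in Get-ScheduledTask | Where-Object { $TaskNames -contains $_.TaskName }) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            # The sample wraps /tr targets in single quotes; strip either quote style.
            $exe = $action.Execute -replace '^[''"]+|[''"]+$', ''
            if ($exe -like 'C:\Windows\System32\*') { continue }
            [pscustomobject]@{ Finding = 'ScheduledTask'; Name = $task.TaskPath + $task.TaskName
                               Detail = $exe; Known = ($DroppedPaths -contains $exe) }
        }
    }
}

function Find-DefenderExclusions {
    # Each powershell.exe in the tree added exactly one path exclusion.
    foreach ($p in @((Get-MpPreference).ExclusionPath)) {
        if ($DroppedPaths -contains $p) {
            [pscustomobject]@{ Finding = 'DefenderExclusion'; Name = $p; Detail = 'path from report'; Known = $true }
        }
    }
}

function Find-DroppedFiles {
    # Presence alone is suspicious; a hash match ties the file to this sample.
    foreach ($p in $DroppedPaths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            [pscustomobject]@{ Finding = 'DroppedFile'; Name = $p; Detail = $hash; Known = ($hash -eq $PayloadSha256) }
        }
    }
}

function Find-WmiSpawnedSchtasks {
    # Sysmon event 1 with ParentImage WmiPrvSE.exe and Image schtasks.exe is the
    # pattern behind the "unexpected child process" signature. Fields are read by
    # name from the event XML so the Sysmon schema version does not matter.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    try { $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20000 -ErrorAction Stop }
    catch { Write-Warning "Sysmon log not readable: $($_.Exception.Message)"; return }
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ParentImage'] -like '*\WmiPrvSE.exe' -and $data['Image'] -like '*\schtasks.exe') {
            [pscustomobject]@{ Finding = 'WmiSpawnedSchtasks'; Name = $e.TimeCreated
                               Detail = $data['CommandLine']; Known = ($data['CommandLine'] -match '/create') }
        }
    }
}

$findings = @(Find-SuspiciousTasks) + @(Find-DefenderExclusions) + @(Find-DroppedFiles) + @(Find-WmiSpawnedSchtasks)
if ($findings.Count -eq 0) { 'No indicators from this report found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

If the script reports hits, remove the tasks (Unregister-ScheduledTask) before terminating the running copy: the MINUTE tasks restart the binary within 6 to 14 minutes, and the ONLOGON tasks run at /rl HIGHEST. The exclusions come out with Remove-MpPreference -ExclusionPath, after which Defender can see the dropped files again.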
Network
MITRE ATT&CK Enterprise v6
Downloads
The original list holds 25 entries; identical records (same size and hashes) are shown once here with their count. Seven entries share the 1.0MB hash, which fits the one DcRat payload being copied to its persistence locations, and the five 222B entries match the five .bat relaunch scripts in the process tree.
-
Filesize 1.0MB (7 identical entries)
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 1KB
MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a
-
Filesize 3KB
MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize 1KB
MD5 736d1356ca893b1b9a91a3a583bb993e
SHA1 33e11792346f27377b314361bf7c9607f573ad08
SHA256 76ccf1504533d4340aea0a2674e6397108a57bbade578bca68018529a7f8d98e
SHA512 bee294d6db0718566e6184627cf6d9f53289d72e7872121a940a52ccd9b8e7944c255cbafa21bbb076b0583ee1d1f02be2156b83d62bb0078ccf698995ffbee6
-
Filesize 1KB
MD5 8f01ca0d95ea19e19929f3efaa52f6c1
SHA1 9a73d20198ab36bec846182ef8e66fe6b351ed9e
SHA256 f7e1d7f3d27bb3f51324c92bd7618cb4bc37d4f1f84f3dde838cddb3cb764519
SHA512 961d0693a4ecf3c95d9555b553ef6722df7f54de0f0ac6159193f1e207051a0ab386a1c7e408e393b6b022a8e4ba32019c90b44a5190c0e2d578dc922bef6273
-
Filesize 1KB
MD5 46c320488b813afd61c0e95b62f39434
SHA1 fffce41d82622db8efaac66b433915a6fb813b92
SHA256 cdfbc1a6deeec9bf1fda50ef3d1dd6716963b9e00421a1b613cc493f50aa3018
SHA512 5fc54265ffd04019cb536943e69410feab8af919aa77d46c2c564f47ed4ee33345e87d13f300a52074f16f8bc668011abe580ecf582e41e87b233e23bc596590
-
Filesize 1KB (2 identical entries)
MD5 fc0fc79be6552eeb5019dcdcb54d2e47
SHA1 5175c9e3bd726ff9358fb22077b220163b5469fb
SHA256 43d69e20f5c01b01d16d18f0c7384e0fe98902e6a7010dfae9e6abf954f702f6
SHA512 7141afbf67526875fb0bd8e55300da80977afa072d1e74feb3c3115bd33c8bcc7bc6d9b5aa53166ad647895e76d9ad085caf41dd0c75e01b980dda6cea126d6a
-
Filesize 1KB
MD5 b5edd2b4210b3b789325c21d089f7203
SHA1 5e6616a0c16f9d7844a7203f1dc16323f33c2302
SHA256 59424b5a7db4f8f326d44e6b362d79a069119286244be26cd40d0d4e57d0edf8
SHA512 1bf632b838cfe722f30f86be9558648c56331ea70e46be1a6c021ad2b6d53632efa7f93e74f0057d87e92d4905558e4a5da20b1559874bd0674ae7f1e4d4e7f9
-
Filesize 1KB
MD5 c2e75ae62d491e34cb4ce8a01fcf3c13
SHA1 7921cfb6520a9b29b5884b0426a8e8272d037c4e
SHA256 36fc891bdb5e99f28a7547f2b6343cc70af433e886375a0255a29f37ccda25c7
SHA512 a91e04d7956b31ca2100c0b9491ff3ecaa5946800c7fc7a26944e1d23d992479855eaf4162d90c436dfac64a493f942085ae4fe4e491eb351c94b227ca4be675
-
Filesize 1KB (2 identical entries)
MD5 34a2daea7c465cb8c993532892989928
SHA1 d51cb342644344c5102bcd7a03523c9077a6cc74
SHA256 0a9756940e78577974604ccf4cff47f4d6ed50d1bb21b3ab5a8220011dc48a35
SHA512 ec6610287cb02d218f88d21bacd9f1b820c6ee5fd19043bc76b874e5c0ff3977d6cb070c447eabe0995df0408c83690d4fde8ef76002100db54dd87c73e8cf1f
-
Filesize 222B
MD5 3918e04cdaa684046241e355ff45cf3d
SHA1 f7a0d54901a433ba905aed51d82f4990c848a439
SHA256 93dad48f06b0499a9ac6a76fec73b07a3809a27a6a3e436dc5230a5dfd18368f
SHA512 f93ce9771e776c932943035383bd35f45055c9637abc8c22479bdd7edffd8f5304a0b36c5a4ddc211f4ac5caea490efe227c429e9461b16d28f562975a25c0f8
-
Filesize 222B
MD5 425bc34a6861288302e84a733ec6f18b
SHA1 e375cdfd4f952bba6d85465d824934e224e0dd5a
SHA256 174a5591c2356c746e64c8cc9ecc381dc7b55f80430b098bffcd5116705794a5
SHA512 52a0180e4a814befa2dc3391a1ce84f604214b6340d768df875fecd18e539bcda80ec7abab6dcfc3b9344ed0efebd5e0e98c8535e7b8cae6fa555e557421a6b6
-
Filesize 222B
MD5 43a1a9e1fe92857152921c1ba5d805f9
SHA1 b3537d069f17ee3682cad93a34cc24ed39838445
SHA256 bbe56d5b9d8cf255aab2fbda4716a01bce9caa70ca97dc2eb304e6edea5caa00
SHA512 d4e667a693093d47e6292148ad7027f668e92946280ec72c2a1ccfaf817c0f717a7dffb861241208983376a3079d5df16df0313db755bd5243dbbca3f08604ef
-
Filesize 222B
MD5 764324d74a2730d3664d3547263a6aa0
SHA1 a4ff10af10d0fd3122733be48a2cb6d1520b7540
SHA256 083dcfe4a606d2d8c5990ef93ee7bf37b146b46d9bced12c888d5db39a47f75c
SHA512 c5b893f7598d205455006c86f423e6b0a3c860cfa4c713b8a2d904c12682f0030a8ac7dc37048e67352a831fab747128405c8b91d6456d104051bfc7d65e0873
-
Filesize 222B
MD5 bcf905bd2264d23ed4f05a988c985fa5
SHA1 4d6d35311b19dd82c3ffcc39bb9ee3399d6530dd
SHA256 e5a5a0230eb758a8a9e1285a00bddcad5e039541c8f6abed290d2ca5b6faa3ab
SHA512 e878cd7efe587313f2a80db58e11527b4ba017d5b2f88ecbe5481bc646dce9c95d152dad83c52e34bb1a57db199ec993bd69d8c74f43b91f263b8dc48ad35fc2
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478