Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
03/11/2022, 02:12
General
-
Target
ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe
-
Size
1.3MB
-
MD5
e2c50503a3a3e38102f75f04197b73ef
-
SHA1
7b5fa694c801890f078ca509a7fb948c03f5bdf1
-
SHA256
ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4
-
SHA512
4ae8c38ca0a983e4be6ddba989c900ed9ec4197c5736bb5481dbd20e83a4396a64457318020e07bd0a5728d8f4e7a062be313aca4f71c29b98d6c3240a7c364d
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 16 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 13 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 14 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe"C:\Users\Admin\AppData\Local\Temp\ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\taskhostw.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\System.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\SettingSync\DllCommonsvc.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\System.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\images\Idle.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\csrss.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\pris\services.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\taskhostw.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Kn3rQqKaK.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"14⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"16⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"18⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"20⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"22⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"24⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"26⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"27⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵
-
-
C:\Users\Default\Desktop\taskhostw.exe"C:\Users\Default\Desktop\taskhostw.exe"28⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"29⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\pris\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\pris\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\ja-JP\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\ja-JP\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\SettingSync\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\SettingSync\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\odt\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\ImmersiveControlPanel\images\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\images\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\ImmersiveControlPanel\images\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1KB
MD5d63ff49d7c92016feb39812e4db10419
SHA12307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA51200f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a
-
Filesize
1KB
MD5011a68c81a8413738a9cb643c954882d
SHA17c998455690afa31abd29243e9c05967179b6848
SHA25637b75f2dcfd1dc2f8fc2bdbc8b8e46aee962bea58b9ac0a4911dc59b48fbeee1
SHA512d81fe38cbc00be0e9a6904d291ec740914d749ccade5824026ec872fba6e42887452be6569e0fa1bb6dd00c7bd76ed997e1921aad4fcf9f59f55d303f5385476
-
Filesize
1KB
MD531dfead5bd703cfa7b315e662fff0162
SHA19c801c5218c577e3cfd3319ca935dceff3e11c11
SHA2561d1d9a979ee421fe4593e56d4a89e0e1d8f8a2f78cab49656bd2da0ab62f0a55
SHA5128f00702acf341b6072309cef897ffc4bc66916a55a2badfbb801f41da60bc644f527708aecca4df8e23762c313f36a7d994fa5658ccae85ed51ca36f33552857
-
Filesize
1KB
MD5001ef6334fc913dd993786f2021560dd
SHA1b0d08cdb43a9d255f6a9334a781a615060e32c75
SHA256362505637cd29ca54d4401f8c8d6861db6b07e90238357ca4fe05f5c31a112ed
SHA512eb6595a7dd644052edc949b61629eacd0e3472a7a09857acdc8a6a6624c9435ecddcab1df320fcb6ddaf2151660f3dbe72179090cf40ba42ce39c08254376bec
-
Filesize
1KB
MD5001ef6334fc913dd993786f2021560dd
SHA1b0d08cdb43a9d255f6a9334a781a615060e32c75
SHA256362505637cd29ca54d4401f8c8d6861db6b07e90238357ca4fe05f5c31a112ed
SHA512eb6595a7dd644052edc949b61629eacd0e3472a7a09857acdc8a6a6624c9435ecddcab1df320fcb6ddaf2151660f3dbe72179090cf40ba42ce39c08254376bec
-
Filesize
1KB
MD53cb0ebe0333fa0c079c2b84934ce83ac
SHA1c84101288b1726eea83ddb2154085cbc3044d9c5
SHA25671fe6430842ce9af66c43522b8157cece1279e1e531cb9b601cd763ce43dca6e
SHA5129c135e3658ba194f03faf3cbbbff690bcc549249272cce25d2319c7959366200a20ac81ed3bd81331b413058eb1eb5235b3c2629407bcc4f1f72b034861a8a66
-
Filesize
1KB
MD5fecea6656d6146aae58591418ffe7cca
SHA1b5a9c53f326c638215752147e26de7342a6e503f
SHA25694058b3aec08abfa51f0adf5cd30b536ad2825ad1ea0243c55b21bb2545d6e12
SHA512341bbb0a77d348be41f01eacd94ec94206feb3e6fe7d6b1015863b5c2816bb9c6be15c95e2e30487ec0979b9876993cb1cc219adaef9cd2c76acdaca72c01c4e
-
Filesize
1KB
MD5fecea6656d6146aae58591418ffe7cca
SHA1b5a9c53f326c638215752147e26de7342a6e503f
SHA25694058b3aec08abfa51f0adf5cd30b536ad2825ad1ea0243c55b21bb2545d6e12
SHA512341bbb0a77d348be41f01eacd94ec94206feb3e6fe7d6b1015863b5c2816bb9c6be15c95e2e30487ec0979b9876993cb1cc219adaef9cd2c76acdaca72c01c4e
-
Filesize
1KB
MD57cec5eefd7aed925f30f94521047c7ae
SHA111c4c9e919fb2e2d93cc4cc9f004c6192ef60b00
SHA2562809336dd03e6180bf1756c6e10b202ecd7ed726ea1d1f3f5aeca0762a763bf1
SHA512bf5643dc647e7137c9ba6fb02dddf4d3ee8c32e391c1f703b7ea34a78a8503e54bc61f4f73bd17a968d5d7afa70f06934efc741792e2322b40e51b4d513a89cb
-
Filesize
1KB
MD507e9ebd1768bbfac14eff60234aebfa0
SHA187bc35c711c7dab29a040f8a571d602ce0ad0978
SHA256f391766501b84dcadd915caf3232ba362316aa6fe7f16f9370ca13e181074ef9
SHA51202e6fbae4b35ffe252da7509b4509a9c846b54aa720ad6b85e2dd67d3e84da7be451365b84267ad653d2a1f5ebd083458e4f06fe0a780022cc55b47b58a39f7f
-
Filesize
1KB
MD507e9ebd1768bbfac14eff60234aebfa0
SHA187bc35c711c7dab29a040f8a571d602ce0ad0978
SHA256f391766501b84dcadd915caf3232ba362316aa6fe7f16f9370ca13e181074ef9
SHA51202e6fbae4b35ffe252da7509b4509a9c846b54aa720ad6b85e2dd67d3e84da7be451365b84267ad653d2a1f5ebd083458e4f06fe0a780022cc55b47b58a39f7f
-
Filesize
1KB
MD522a8f9e14876d820370ae4039abd3cfd
SHA11c17b5c1638b66b10a623b5f90f7fd95866bb9cf
SHA256182a28b54959f68559e34c48a8aee731ee47b2581a5e21e09ba66b4749a7f9ef
SHA512074c14993aa1b686f9061aff6246f4046e9a194d6f6857acb80b5f9fa4ff487154387112a5de7fb2043331b5275ab38211e9b1994942ebbae73bfcf3144719e0
-
Filesize
203B
MD55765d0a729540974b651d427779c5385
SHA121903b897e39ea2077fc9b5be24cd2355a2a884b
SHA256623d44d8f7fa4b054326889d51b2995dacc8ab37d88e6751f447d58910e6d618
SHA51238bf175f9c3c71ef8b7fe0d3bd9688566355e04a7a45997d5be39adecd043124faada07fd902305f30fc0bc9fab744baef07232de6b5a3c838931cebc604c0f2
-
Filesize
203B
MD5931e803ef3965a03495f4283b755f5f8
SHA185e30b6dae6de0b540e4a743c4a0814fa3d744ac
SHA256fab6d0c3da80e288b74ae2eaa18334d492be0ac5d49900b514542c4f7b8f3764
SHA51281bd5ca5950ca759dadec62f6a6e8ec2165f4d7167b7783cb752ac1308080c6c9702d1bd54a3d52b05d1fc13c9ecc8a51b00a911877620ebb47d3c218de76aef
-
Filesize
203B
MD562066dda6034eed8c29559e45ea2efba
SHA1767c10269ffa24bc934bb4ca84908afcb692d0f3
SHA256c391991b63c558c34769a5140d6151ef3be305cb81b35a11fc97b309d4e36b42
SHA512c4a456aa6c82e4ee4eb9a709319b9b80630bc71eff67cdd082d07113536617771e51233a67a022af704519d33e5a0ce8933b3104247ddf112fb7775f430ef093
-
Filesize
203B
MD50f8270743bbc29a687f6d50aee57dcb6
SHA183ece53e698d847492ce3ae91ba74a77946594cf
SHA256e1592c188e96fedadf239a0655e622659166faf1c8e1038813035ac5b80c77a0
SHA5125f21f299e7650315fb5bf836e982f5af2d2b0e076355e3b0025d9540decc0584a0f2a6780914c14c4ef050ab40eeb6a27fd66e15cdd7923c6b2bc92da5b540ea
-
Filesize
203B
MD54ccb3eb2da2fa85cd12d42286326a208
SHA1a4630536dcbdacf34824711dd6397d2f2cde24c5
SHA256c598c5ff62c8431b8d44c1bce49e495d8b9e291aa8bd2d16f6dc3c6095c68c60
SHA512ae288b374d74fb4f1488ec8f4a6ba6e17af39ecbe81c4a5a729fd50ad41d87461677c95d979670b573556ddcb473abd4d169064fda0d8cb7228224d3ab6b9662
-
Filesize
203B
MD59c501adfdb2a59edc0d091ba0781af49
SHA1d826f38f98a9a886f74194a1efa6dbf8ec2b8455
SHA256a269e685cfe0f7d2b26d1ccc6d906274bf98f7532275a8fc0898a607251ab4b3
SHA5124806896ab49e32d2882caaa773cdb106d3e22958dffb9d1a8da15514450c5183b492d204b0b7f146ad69f932284b34ba9013025c171054f82ff96a45380e93e3
-
Filesize
203B
MD50f135208bc150fc59114dcc6fc48c3be
SHA1993ab151e00d824bac667cdf15c3c26698380e0b
SHA25608a10766b82f8c5f2d1751182798b6332f6db23cca8326d74ee9b8f597ca9a6d
SHA512e5e125a13490b3b0229cc0fc735c90a0cb3a0979b3076a8dace1183916b9961590a216fa75ccef61000f9afe66709fdde2fa8469522065f9482359f8e9ac2c68
-
Filesize
203B
MD5b19540c4f34a25b4db42f8a93355d96d
SHA1fbe5a85006199e948734a82d778bf4454d02f4e1
SHA256058c5da0b1c8516ec823c2e960d967fafc96e434247a9ac1ff858a73d2c35610
SHA5129beb50f442feb85f7a0da5dd32916d66a84c747e8a0ca362bd0f6992ab88985f1c7d6ac8b5cc2c2cfc57a7d521dfc70581203f32778af70e252ac17dfa4d0a14
-
Filesize
203B
MD595447c14a2f023a85d9e6e4adb2e8247
SHA1a8788c547cbb3db55cfd27c3362274d21f203261
SHA256514e6c19518dd655529f9d41924d2028fd8c9fd1f9f20ff206b52ed3f6ade952
SHA51221d614ba197d2d38198dd9f287407af0e04ed7f5f45dc9f9c0b45ea32210b8ee3eba459493a1c344a02d754fda7aa0ebc6fbe5c33d4d166bfbeea76de7128543
-
Filesize
203B
MD565b43cf4381233f128174b222dcf6ebd
SHA1faa5c31ff68511a8ec70e2d08b8a84eb7fd94fba
SHA25608c052773a5b6c104663cc05e7194742ea965f20cafc250e905823bfdf13ba1e
SHA51286c1d43cd3b93f189b30ad3955f2e13a6efc7ac3bbb59a49bd0e4d49480410608cb71b8e986361858f1f4ef45245a3bbfb44ae472e8e449f7c18ce0d79d67f33
-
Filesize
203B
MD550bcab65102214fc8f9d1a741ebf6833
SHA100ca61ffdeb273d88e75cafb7bd02b5d01351df6
SHA256cd9ef1836bb1a18fcccdc4447ebc90bb542adeecb23ab80908328f42c5ada84c
SHA512d705308a3a12b7a0c3b47252a7e9464931e57573fb004b9770f8b2d725f91116b248854856dfbeded167b30648854ebb53419631768be91c29dbbef6cb1dabc3
-
Filesize
203B
MD541deb81eb0cf5516e5c9fd8c76989cfb
SHA1e5644463e31ffaea63e0d177f90d8d970d21894c
SHA256fd779494c20f7030c14c1622a8acdca3185dd97590629f930e4eea8e647ab0ca
SHA51251cad318743a079e3ced247e0823c5be76bcf2f2584876168d14b46b96b4893e9a6f2c70621d4eb65da8b598a70b0d8a245cc00fa5dd8d5fcd4622d0a8601d23
-
Filesize
203B
MD569a022226f139f26e5876a98e767c947
SHA10ba91307988f65ce5fd04b7e8c20c108c66c3064
SHA256b217c105a8ab5f28ff3a75e8dc42e51c04186905ba9eeb94c800d3aea42ea7a4
SHA512db7685b920c732ba21a68d2586391bc412c125e3526ed76447ddff9eb073c692f294c40a7103f538480ec06df044b67399c10aaf12197f5d181a38f1b150394d
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
472KB
-
Filesize
136KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
72KB
-
Filesize
1.6MB
-
Filesize
1.6MB