Overview

overview

10

Static

static

10

a2719b1149...56.exe

windows7-x64

10

a2719b1149...56.exe

windows10-2004-x64

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

e6b6a16d17...58.exe

windows7-x64

10

e6b6a16d17...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    16-01-2023 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1.1MB

  • MD5

    1466f001f010dfed5838484c2fb25a56

  • SHA1

    489c707fd9d43574e536b4da4f15d3965d57c2fc

  • SHA256

    d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

  • SHA512

    35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

  • SSDEEP

    12288:4epPM2lx+HOqRo1lEBht1ylUyeewN3eJE3/oZ4DFWX4DBYFn9ducCSLEelT+wsHu:X0Vey/Olg5pwZesvCStZsbqSNz6

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgA2AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1608
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmp.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2184
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\taskhost.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\wininit.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\spoolsv.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\System.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\wininit.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2356
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\lsm.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2404
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2452
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2560
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\System.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\winlogon.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\taskhost.exe'
        3⤵
          PID:2740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Policies\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Policies\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\fr-FR\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1232
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Templates\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Templates\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Music\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "tmpt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Favorites\tmp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "tmp" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\tmp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "tmpt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\tmp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2164

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      b11a77aa7f25bb0f968e5efc1f7be34f

      SHA1

      4991ed1f2a6a7fa9dd3cbffd0681f02224bcb738

      SHA256

      08752f1376f3e3aff5343a571f44d2a5fce1eeb2dfe7d0f143db3504bd8a25bb

      SHA512

      1a06fc14f2856f8a98060e91c43e2af4734cffd0f739ded5656ff73c9408a697a5f6c3d13ccbb312fb8567391714ffe3545be685979307878207eff468ede550

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      b11a77aa7f25bb0f968e5efc1f7be34f

      SHA1

      4991ed1f2a6a7fa9dd3cbffd0681f02224bcb738

      SHA256

      08752f1376f3e3aff5343a571f44d2a5fce1eeb2dfe7d0f143db3504bd8a25bb

      SHA512

      1a06fc14f2856f8a98060e91c43e2af4734cffd0f739ded5656ff73c9408a697a5f6c3d13ccbb312fb8567391714ffe3545be685979307878207eff468ede550

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      11745748c581814be1bd6e54c99240c0

      SHA1

      a6932005a793d779dff903ca7b2d4d2e6686f922

      SHA256

      f8285f4499ea9aafa8ec4170675b171027b85bc54a1655d654d7e0eb9278bb7a

      SHA512

      d95954c8f4a0d24c705275267d91a383608e35e349d8f8f0f954783b6f06f849519ebfd55106c995bec0421b8666ddb24de0efe1cc19aa61f675f1e68118ae49

      Download Submit
    • memory/112-70-0x0000000000400000-0x000000000053A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/112-90-0x0000000002260000-0x000000000226A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/112-75-0x0000000000400000-0x000000000053A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/112-73-0x000000000053510E-mapping.dmp
      Download
    • memory/112-77-0x0000000000400000-0x000000000053A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/112-80-0x0000000000640000-0x000000000064E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/112-81-0x0000000000840000-0x000000000085C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/112-82-0x0000000000870000-0x0000000000886000-memory.dmp
      Filesize

      88KB

      Download
    • memory/112-83-0x00000000008A0000-0x00000000008B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/112-84-0x00000000008D0000-0x00000000008E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/112-85-0x00000000008B0000-0x00000000008B8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/112-86-0x00000000020A0000-0x00000000020AC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/112-87-0x00000000021F0000-0x00000000021F8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/112-88-0x0000000002200000-0x000000000220C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/112-89-0x0000000002250000-0x0000000002258000-memory.dmp
      Filesize

      32KB

      Download
    • memory/112-67-0x0000000000400000-0x000000000053A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/112-91-0x00000000043A0000-0x00000000043AE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/112-92-0x00000000043B0000-0x00000000043BE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/112-93-0x00000000043E0000-0x00000000043EC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/112-68-0x0000000000400000-0x000000000053A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/112-71-0x0000000000400000-0x000000000053A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/112-72-0x0000000000400000-0x000000000053A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1268-57-0x00000000757A1000-0x00000000757A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1268-54-0x0000000000100000-0x0000000000224000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1268-56-0x0000000002210000-0x00000000022A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1268-55-0x0000000004860000-0x0000000004982000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1476-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1476-78-0x000000006F440000-0x000000006F9EB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1608-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1608-60-0x000000006F460000-0x000000006FA0B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1608-61-0x000000006F460000-0x000000006FA0B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1608-62-0x000000006F460000-0x000000006FA0B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2000-63-0x0000000000000000-mapping.dmp
      Download
    • memory/2184-116-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2184-148-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2184-94-0x0000000000000000-mapping.dmp
      Download
    • memory/2196-151-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2196-117-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2196-95-0x0000000000000000-mapping.dmp
      Download
    • memory/2220-154-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2220-96-0x0000000000000000-mapping.dmp
      Download
    • memory/2220-121-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2240-141-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2240-155-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2240-97-0x0000000000000000-mapping.dmp
      Download
    • memory/2260-139-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2260-153-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2260-98-0x0000000000000000-mapping.dmp
      Download
    • memory/2292-100-0x0000000000000000-mapping.dmp
      Download
    • memory/2292-149-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2292-163-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2356-164-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2356-104-0x0000000000000000-mapping.dmp
      Download
    • memory/2356-150-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2404-156-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2404-108-0x0000000000000000-mapping.dmp
      Download
    • memory/2404-142-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2452-109-0x0000000000000000-mapping.dmp
      Download
    • memory/2452-145-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2452-161-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2528-114-0x0000000000000000-mapping.dmp
      Download
    • memory/2528-144-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2528-157-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2560-158-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2560-115-0x0000000000000000-mapping.dmp
      Download
    • memory/2560-143-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2596-118-0x0000000000000000-mapping.dmp
      Download
    • memory/2596-162-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2596-146-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2644-122-0x0000000000000000-mapping.dmp
      Download
    • memory/2644-159-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2644-147-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2696-125-0x0000000000000000-mapping.dmp
      Download
    • memory/2696-152-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2696-160-0x000000006F970000-0x000000006FF1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2740-128-0x0000000000000000-mapping.dmp
      Download