Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 28-02-2024 16:44
Behavioral task: behavioral1
Sample: 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
Resource: win10v2004-20240226-en
General
Target: 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
Size: 3.1MB
MD5: 2c03d2d911694cd33c23b0edafd33ff0
SHA1: c16efb40930aec5b7f894b78f9b6f04bfc03fa0f
SHA256: 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6
SHA512: b02b123bfb5d5ef55820315887ceecbdb4ecdc50f7af241a9b6b722baedcce0b6441e1553d1ccbc85b091ac84c1c4801d8cdcc291575d8a4dc1afa974fc76dee
SSDEEP: 49152:xp70LTonM7JrVV+t8Z6e8hyF9kdrq8ChhGpg2U/KQ7d5tQX:gfonMdBVZYyjACh0DUB71
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1336 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1240 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 884 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1324 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1960 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1976 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2336 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1320 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 500 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1316 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1624 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2308 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1536 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 780 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 596 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 904 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1504 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1100 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 428 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2144 | 2944 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 2944 | schtasks.exe | 28
-
resource | yara_rule
behavioral1/memory/360-0-0x0000000000370000-0x0000000000694000-memory.dmp | dcrat
behavioral1/files/0x0006000000015ca6-11.dat | dcrat
-
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\56085415360792 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files (x86)\Uninstall Information\6cb0b6c459d5d3 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\de-DE\56085415360792 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files (x86)\Google\Temp\spoolsv.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files\MSBuild\Microsoft\winlogon.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files (x86)\Uninstall Information\dwm.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files (x86)\Google\Temp\f3b6ecef712a24 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\42af1c969fbb7b | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files\Windows Portable Devices\Idle.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files\MSBuild\Microsoft\cc11b995f2a76d | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\de-DE\wininit.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files\Windows Portable Devices\6ccacd8608530f | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\audiodg.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\es-ES\winlogon.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Windows\es-ES\cc11b995f2a76d | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Windows\Registration\CRMLog\services.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Windows\Registration\CRMLog\c5b4cb5e9653cc | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
File created | C:\Windows\rescache\rc0007\6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2868 | schtasks.exe
2932 | schtasks.exe
2188 | schtasks.exe
2308 | schtasks.exe
3020 | schtasks.exe
2724 | schtasks.exe
2608 | schtasks.exe
2616 | schtasks.exe
2312 | schtasks.exe
1316 | schtasks.exe
1624 | schtasks.exe
1100 | schtasks.exe
2144 | schtasks.exe
2432 | schtasks.exe
2440 | schtasks.exe
1240 | schtasks.exe
884 | schtasks.exe
500 | schtasks.exe
1536 | schtasks.exe
904 | schtasks.exe
1504 | schtasks.exe
2572 | schtasks.exe
2500 | schtasks.exe
1324 | schtasks.exe
1976 | schtasks.exe
2356 | schtasks.exe
2336 | schtasks.exe
1740 | schtasks.exe
2640 | schtasks.exe
1336 | schtasks.exe
2716 | schtasks.exe
1648 | schtasks.exe
2180 | schtasks.exe
2760 | schtasks.exe
1960 | schtasks.exe
1320 | schtasks.exe
2552 | schtasks.exe
596 | schtasks.exe
2208 | schtasks.exe
2896 | schtasks.exe
2412 | schtasks.exe
2816 | schtasks.exe
780 | schtasks.exe
428 | schtasks.exe
2132 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
360 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
360 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
360 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
360 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
360 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 360 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 360 wrote to memory of 1768 | 360 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe | 74
PID 360 wrote to memory of 1768 | 360 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe | 74
PID 360 wrote to memory of 1768 | 360 | 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe | 74
PID 1768 wrote to memory of 1388 | 1768 | cmd.exe | 76
PID 1768 wrote to memory of 1388 | 1768 | cmd.exe | 76
PID 1768 wrote to memory of 1388 | 1768 | cmd.exe | 76
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe (level 1)
"C:\Users\Admin\AppData\Local\Temp\6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360 -
C:\Windows\System32\cmd.exe (level 2)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9mkz8fEAPs.bat"
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\system32\w32tm.exe (level 3)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1388
-
-
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\lsm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Pictures\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\audiodg.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144
-
C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.1MB
MD5: 2c03d2d911694cd33c23b0edafd33ff0
SHA1: c16efb40930aec5b7f894b78f9b6f04bfc03fa0f
SHA256: 6ab0890a2aedb8d21048be3cb8fcaf6ba8fe22d418fec483bdba53e68ab430f6
SHA512: b02b123bfb5d5ef55820315887ceecbdb4ecdc50f7af241a9b6b722baedcce0b6441e1553d1ccbc85b091ac84c1c4801d8cdcc291575d8a4dc1afa974fc76dee
-
Filesize: 208B
MD5: ee3ae74af8b83a7526517f02c9ee0a0e
SHA1: afe1aa964b20968bf604d3ef9e3313d03ac18679
SHA256: 96ae90e247d726fb51420f6b0c7857057439295cb75b35a83d7a953a3abcaf3e
SHA512: 946d592bf86c92a5af708ac0f2546a26caf5e4d60180680a892c473ee7c88dd0176afbb948f0ac2373b0078984c988551f24c1bfefc436cf8277f15faaeeb843