Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29-05-2024 19:00
General
-
Target
DCRatBuild.exe
-
Size
1.1MB
-
MD5
ed28cd72bd062691757acefb381dd6c8
-
SHA1
7fe7902e560b476b7e23d9ebcadde3ba8a7e0ec0
-
SHA256
f90400299ddff091af50c2a7c46454e35e6a4b01a876096a0e180d1aabb68e9c
-
SHA512
19912e8f60538c0d2e8b7e5a7c77c6efc38b1bf0f7e250cfc2e5062306f4d9c7942f6e0d627ab0c63a5f632915775bf81ec22a2a433fffe9c385671d742f578d
-
SSDEEP
24576:U2G/nvxW3Ww0ts/KUfphyGlQWsNzEdH41SGZd:UbA30s/fLsNOPGD
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Drops file in Program Files directory 18 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 18 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Fontruntime\2jb5ajJYZ.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Fontruntime\fVpW1lRUqKPT.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Fontruntime\Crtnet.exe"C:\Fontruntime\Crtnet.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f3KKfBNtYX.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Program Files\Microsoft Office 15\ClientX64\services.exe"C:\Program Files\Microsoft Office 15\ClientX64\services.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
C:\Windows\system32\notepad.exenotepad.exe8⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat" "7⤵
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\es-ES\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrtnetC" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\Crtnet.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Crtnet" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\Crtnet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrtnetC" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\Crtnet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SendTo\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\swidtag\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\swidtag\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\tracing\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Fontruntime\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Fontruntime\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Fontruntime\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Fontruntime\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Fontruntime\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Fontruntime\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:81⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200B
MD59f72085017745dc0e4b7799bf68149a6
SHA1144541f9e5341cf6d0b7034492da4e88d6dbc363
SHA2563fa8aea9660e3ed943a99d20896369103d170f244b677ea8577a46037b4b521f
SHA5124244a440b7db7c428aff7ebb981230c5d0804e5041d3118c14c82ede46de586044c55d8e62f36301a3ab5d9b0b7f6f44161c65228bb1379bf1b5db953dd4a76a
-
Filesize
827KB
MD57b7d704746ebad06306fe3fa4a6d4fe4
SHA16e21be73576e7cffd63aba4a25b53f46882eefbd
SHA25656b0e396b61f74cac0df6acefcb1fc45dd351721b898d40f380df9ed314936b4
SHA512b2c45b6dbffaee08c00c9dbce176ceb202a46f970fb704f709719240c6d9061253119b40c46dcc8ebd3a1a4a7dbf6d9decb9246e878a1949f3371c15d323736c
-
Filesize
27B
MD5170f23775572f186ec6b4e5e0effdc5d
SHA1e1cb46607ce0bfcc171c0a27ad74cf9683c471e5
SHA256b17166ef224a9821a58fa0cd6d6bed784eaea19c6b7b4aabe987cf5ba3c31cf4
SHA5123e98b03545fa0c8b384fe850bc6da2c624bb007add43a36b9bad82e8954d662c841e5b26e80806e37098159ac48e2f823f205c84312318265c4d2a553270d1e7
-
Filesize
19B
MD52020ae7235e4ca2d098b2a6acfd6a923
SHA1b390363f25cf5539bbaefffe4805893a3fd4f016
SHA256caec56565830252605e355886227771736c3d40808a423e97f93a2dcb632a34e
SHA51213a3b1ebec1f09d0eee9866e8c403c66a29fb530b0c9056246d623e495fac915b5868471b51d95c869636eded94b6115d234a645971d27e7b14eeeda5ecbf9fa
-
Filesize
224B
MD51e39fbeeef9d5ffba86ab053acfc973e
SHA17a1f397b94cc2f70c2eef9efabc4af73419038c1
SHA256dc2ecaa5db53b43cfa35f3b7787f1dd894b505eec110b5b347bb0bddf904aad7
SHA512c48d3c265d95d14d710dfe5366b3de70302237aa940d1f0f44c2bb22e65a48949a6068d0b59e2134c8ebcb77ac9530211de09902e37db909700efcc400e0ba13
-
Filesize
676KB
-
Filesize
8KB
-
Filesize
856KB