Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
24-08-2024 01:00
General
-
Target
07e897a59a6fe31ad946a6e91cb9a616a5480268a09d22e455dcf39c0c272a3a.exe
-
Size
1.1MB
-
MD5
56685241b6f88ad113277edbff88b433
-
SHA1
de8678759ed96a3727550583530e2af5def62c47
-
SHA256
07e897a59a6fe31ad946a6e91cb9a616a5480268a09d22e455dcf39c0c272a3a
-
SHA512
e56084d0d6bca3900eb19cbce4536251acc1daf4bd8ce50bdaa054fe0d974fc85ee28d2df04ac4d113e2cc9ca0eeae53fc9cfcfb98f9ee417d70709699c99124
-
SSDEEP
12288:2RZ+IoG/n9IQxW3OBseo9UJOMb92TSnuKGEFv6C9xUSpvAwn/CrvslD5TxutzquF:w2G/nvxW3WWt29FuKGEMGUSplr1yRF
Score
10/10
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 22 IoCs
-
Drops file in Windows directory 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07e897a59a6fe31ad946a6e91cb9a616a5480268a09d22e455dcf39c0c272a3a.exe"C:\Users\Admin\AppData\Local\Temp\07e897a59a6fe31ad946a6e91cb9a616a5480268a09d22e455dcf39c0c272a3a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portFontsessionperfcommon\Su03e.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\portFontsessionperfcommon\GR6iqGlokzvFi7BP2kOSNw5dv.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\portFontsessionperfcommon\containerAgentcomponent.exe"C:\portFontsessionperfcommon\containerAgentcomponent.exe"4⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jGvjssLjcR.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\portFontsessionperfcommon\containerAgentcomponent.exe"C:\portFontsessionperfcommon\containerAgentcomponent.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\portFontsessionperfcommon\containerAgentcomponent.exe"C:\portFontsessionperfcommon\containerAgentcomponent.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\schtasks.exe"C:\Users\Admin\schtasks.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponentc" /sc MINUTE /mo 11 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\containerAgentcomponent.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponent" /sc ONLOGON /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\containerAgentcomponent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponentc" /sc MINUTE /mo 9 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\containerAgentcomponent.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\it-IT\smss.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\it-IT\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponentc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\containerAgentcomponent.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponent" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\containerAgentcomponent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponentc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\containerAgentcomponent.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\taskhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\taskhost.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\es-ES\services.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\services.exe'" /rl HIGHEST /f1⤵
- DcRat
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\es-ES\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\System\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\portFontsessionperfcommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\portFontsessionperfcommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\portFontsessionperfcommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponentc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\containerAgentcomponent.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponent" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\containerAgentcomponent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponentc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\containerAgentcomponent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponentc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\containerAgentcomponent.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponent" /sc ONLOGON /tr "'C:\Users\Default User\containerAgentcomponent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerAgentcomponentc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\containerAgentcomponent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\IMESC5\DICTS\lsm.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\DICTS\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\IMESC5\DICTS\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\portFontsessionperfcommon\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\portFontsessionperfcommon\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\portFontsessionperfcommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\portFontsessionperfcommon\explorer.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\portFontsessionperfcommon\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\portFontsessionperfcommon\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\portFontsessionperfcommon\System.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\portFontsessionperfcommon\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\portFontsessionperfcommon\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\smss.exe'" /f1⤵
- DcRat
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\portFontsessionperfcommon\taskhost.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\portFontsessionperfcommon\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\portFontsessionperfcommon\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /f1⤵
- DcRat
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\schtasks.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\Admin\schtasks.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\schtasks.exe'" /rl HIGHEST /f1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
829KB
MD507e58ab4b906ff2e6d90952db37fc5ac
SHA15b8dff342e23ea5d237e607f080e094fe6278745
SHA2566c047ec9e5cc5a97f5d51f75bfda8e1a6457b943fb05c2faf7dfacfb4a77d7c5
SHA5123530211b27e99955a15b33fa7491f4c72e4fefcc851590315dcb2d5e76c15352ffef3bd23755571ef10ccc20af914fd99029144287445bf9b29d82765fd0a2f5
-
Filesize
221B
MD5bf12fc82f9133f8666ff5201e27bacfd
SHA1561c0c8f8d1d2853c6235b0b80485a7fa117f85d
SHA25620932080815457db75ab13a734d723bc089448ebb089f0b2eca238c73d932cc5
SHA512f9c4c9fc0b4e78213bd3d041a91b53f2a5cdc6b16da04d1ff74243b9a20844c8728355c17f24da69e94bc8d0ba32bba7ff549960b011e63fd55b8424cc4bb504
-
Filesize
58B
MD5d530ac5b03b07df1e0e82acc0284b0c1
SHA16ace0b5b91c64ac4ebe4572dada1dde9d1b7d92d
SHA256a012318d589ab924a732f9ccd5e080e577edf0adec248c5b2e81f26080934a9d
SHA51230153ce44fa19ae4fbe0498e0558d7634d6e85e5e2eb3c2ba00b63ee867294f6ebe2d754addeadc2df080c05d4c64f15d8f0c06d10556cd5b0338a27ac30e229
-
Filesize
227B
MD55a236288e55960cb8231f0ff4ebcc99a
SHA138ddb8f7a45e3a6f375a6200ff352f228f01d2de
SHA256755ba1d5b0e05f2aa67c832283f3e5f4bdd54a3038708d980c74a861067e249e
SHA5126bef5a4b7e886dc9a1aa05292e920bf5aa9e032e7d0b25ddeb2293a860c2fdf0f0aa6438696faebf43a26f422a9fd6da738f554f762bf8b8d9aef5f19cbe7206
-
Filesize
748B
MD52a6580436c5ac9f611be6c72f7e4bdd7
SHA148f2b691f1349e94389ae0d12a21fdc9fbe9e2e1
SHA25689864d7445b51c3543108bc866d9919d7f438d77d352cfa608f9a04ab967e46c
SHA512210989c3767cb0cba5d196efe8c53484c221ebc60280337bfdcfda278fe02c25b05d1a157a950a4a71db60c0bc653b04f259c6488dbf5ab4730ae81c5a164f26
-
Filesize
856KB
-
Filesize
856KB