Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
07-11-2024 22:03
General
-
Target
GameHackBuild1.exe
-
Size
9.0MB
-
MD5
35a0fbec2fc6d2a550a569719406d58d
-
SHA1
bc73001a0600313803d3594dc51d3d0813dbdec1
-
SHA256
221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d
-
SHA512
2f4d71eaa62dded749f82660fd7ee90da422048459d63faa79f518c3c10b7343c482e95cf81cea6bfb4710ef07f53d2d7f835dd3f191029da38da2e9a7beb00f
-
SSDEEP
196608:uGk5oFaEPX2GgYCCUDQ4yA8/vWOCFidWo+QOovFFoJXz0Bt99OGvFLuyAjA9UCo:9k5/EP2Gac4yHndWo+bodFgXz29OGNps
Malware Config
Extracted
orcus
GameHack
31.44.184.52:25350
sudo_06kkh814g4vz7sfklrh1emcow75dz383
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\Windows\Defender\MpDefenderCoreProtion.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 26 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 1 IoCs
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Orcurs Rat Executable 11 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 14 IoCs
-
Loads dropped DLL 15 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 52 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe"C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe"1⤵
- DcRat
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0la155j\o0la155j.cmdline"5⤵
- Drops file in Program Files directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E96.tmp" "c:\Program Files (x86)\Google\Update\CSCB294A08ECF1B454AA0A4EC7C5767AD9E.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k4v3vsrs\k4v3vsrs.cmdline"5⤵
- Drops file in Program Files directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EF4.tmp" "c:\Program Files\Windows Journal\es-ES\CSCBCD9AEA27EAF42E9ACCB5BE916A50EC.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ygc2l3uy\ygc2l3uy.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F51.tmp" "c:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\CSCDF4598FDA56A408FB8987B503084CAA6.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bdbvphge\bdbvphge.cmdline"5⤵
- Drops file in Program Files directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FCE.tmp" "c:\Program Files\Windows Journal\es-ES\CSCECFBE14FCDC4435A8B936AF24849C8A7.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w2lijukn\w2lijukn.cmdline"5⤵
- Drops file in System32 directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES401C.tmp" "c:\Windows\System32\CSCBED0F9ED82C54A17AD3DCC7519D1C35D.TMP"6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Festival\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1FYVKmsW5L.bat"5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Program Files\Java\jdk1.7.0_80\spoolsv.exe"C:\Program Files\Java\jdk1.7.0_80\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"5⤵
- DcRat
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\lsm.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\OSPPSVC.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\Idle.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\ja-JP\taskhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\sppsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskeng.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\explorer.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Windows Journal\es-ES\Idle.exe"C:\Program Files\Windows Journal\es-ES\Idle.exe"6⤵
- Executes dropped EXE
-
C:\Program Files\Windows Journal\es-ES\Idle.exe.exe"C:\Program Files\Windows Journal\es-ES\Idle.exe.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\Idle.exe.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\MSBuild.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\spoolsv.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\dwm.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\MSBuild.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FyH7TMVdIN.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files (x86)\Windows NT\MSBuild.exe"C:\Program Files (x86)\Windows NT\MSBuild.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E63858D4-64A9-49A5-BA71-E2364322E8B5} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeC:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeC:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeC:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\es-ES\OSPPSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\es-ES\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\es-ES\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\ja-JP\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\ja-JP\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskengt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskeng.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskeng.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskengt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskeng.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\system\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Festival\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Media\Festival\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MSBuildM" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\MSBuild.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MSBuild" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\MSBuild.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MSBuildM" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\MSBuild.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Festival\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MSBuildM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\MSBuild.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MSBuild" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\MSBuild.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MSBuildM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\MSBuild.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD58d5404934f97c6e2b8a071d45323404b
SHA16b3ab2a96c462fd97f106ae6c8b26dddfd17388c
SHA25638c53cb21fab1eb59d0081d3dc56ff7543713d730a089ab708155de78680ee15
SHA512a1a8fea68dfbba08460b828851984a5433ffe7e16558c345faf9d52037318b81391fa564ea678524cb751fc3ffee6bf437530359e39f60f8ef3d2d7b52e198aa
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
92KB
MD5882ec2bb4bf46a0ee80134f7b7b5d2d7
SHA14f76f5db450eb1a57199f5e0bb4bb6a61b4a5d7a
SHA256a101a238346d9df0fe89b33f45436042d92878d75c5528ad0b8e201b91db0402
SHA512eed22fb4d714d6c438760378912286d41f4f1e1ad27d62240fd9fc3c304831567e552e2ffe2524a0869d57a0fd7c6494a1fbf1e0d8eb78f58a052be3a3c4caaf
-
Filesize
1KB
MD5cc27ae0ad2b3738cbd48762abc153210
SHA1de66e30013e4179d56bde1a6b59faf637e0db7dd
SHA2569ad7662757fb6fb75a55479cbb40ec532cc73ff639b3985272fe9f16a5684947
SHA51226c064065b52fd0d69f3322d7ef9cba6c0decaddb32ede357189a05368474173f327572c45fe0465a00e7bfee2b5e23a36180ad4ee4e9af3f5e684b462636052
-
Filesize
1KB
MD54870be4b8badaed4b07c4ff2b9b1e87c
SHA165c09a55f227d9ea29574de0d69f02ee46634daf
SHA25645d227aa0f232bac2f6ac975a4aa4572c77025f88d55d768e7e11a13ff2cd7b2
SHA512ac58a4fd93f9025335a6d6918c270a1a22f321165bd09fd156073842d8d3cc171df2deec6e02f802cb606fdeb4435307b243cb99d9bd6a3f1286845124e1c3ac
-
Filesize
1KB
MD5cb35ac7626e8fc5575a0a5800c684e36
SHA13e4e413abc0ec625fcd5ab2aa920d5c92d27f590
SHA256516183f604cae2d1564dcedcbc4cf8e8fe703416d55b20b39221de0c1d05c5ed
SHA5121e06496f853cf08f163c1a350769473e338748de65591999e3991877ca1bfe6b372d1c2b316bbd4cad7936641ba549a3f32138cc5e323ff9ecc9151f63caafe7
-
Filesize
1KB
MD5fe869d828d68f3f479b3e081b2dd277a
SHA1dfce4f17435d54e5fecc8d189bcd17c23d52501b
SHA25687c734762820980cce528f3be6d41ef26f29b617df6ba51e36d5376974ca9c45
SHA51249971a84f909db641aa1aaf62a1eaec2faaad63057d7d90216e9704d37df0d500d483e447144e89e548542e20ee4119c3d5b983a9ddfd930cc95b4b2d6fe0cd9
-
Filesize
1KB
MD511c6addf90c508a66e712983564fb57f
SHA11aff296e9891bde148cc260d0a7f17a361e7e894
SHA256f0e80a2c40ea813135a723ea7a9394a3924dbeda2478d3aebf5dc821f119288d
SHA51296eee45e79fcda2a3288601309b77ff83ba1686aa26ef14b92ec32f13bb99f68a3715b1e6a2046018092c6eccb2c543d8fa5f01b418e721aa7994acb03628151
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
7KB
MD509c2e72ee60f0bd002c50c198214611a
SHA1659d2a308ab8078c9ec3e888d0ba47027aa1fcbb
SHA25630168b7264fa8da2fcf659828929bbc6da221f2cf85f6722ec23f916f118fe13
SHA5121f7e44fe6dbff8244c0ab4e11b66f5606aa89dddae7b5520debd5849a5e16e595673a72052623c004af08a3be32c537d79079dc156f324f83cefd8f965958079
-
Filesize
104B
MD5fbef3b76368e503dca520965bb79565f
SHA19a1a27526b8b9bdaae81c5301cd23eb613ea62ba
SHA256bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3
SHA5122b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5
-
Filesize
1.6MB
MD5bc7804fca6dd09b4f16e86d80b8d28fa
SHA1a04800b90db1f435dd1ac723c054b14d6dd16c8a
SHA2561628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce
SHA5127534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c
-
Filesize
4.6MB
MD5e8c32cc88db9fef57fd9e2bb6d20f70b
SHA1e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45
SHA256f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4
SHA512077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a
-
Filesize
263B
MD5a05e26d89c5be7e2c6408b09cd05cf74
SHA1c24231c6301f499b35441615b63db6969a1762fd
SHA25605628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e
SHA5128c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
48B
MD52fa8decc3dafe6f196f6c28769192e7c
SHA169f4e0cf41b927634a38b77a8816ca58c0bfb2de
SHA2567e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30
SHA512c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1
-
Filesize
1.3MB
MD552c95032ff8b8c3d4dfd98e51d8f6f58
SHA1e841a32cb07adaad4db35b1f87b5df6e019eb9af
SHA25639b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4
SHA512a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00
-
Filesize
227B
MD5d47062c8738a534fc931c0f341a61773
SHA1c1175037a0e96363da56bc9d8abdb726cddc74fc
SHA256484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a
SHA5129de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39
-
Filesize
1KB
MD51cf17d8bbf1e200a8d469fd7779f7097
SHA1741dbad3dc6eb4ccfdaf62faf10616427c5218da
SHA256647962db738296ecce417131202e30cfee0e8e9a41667924150b9467189059df
SHA512d682c0f25c1db957189422a49040d10a95f23b955ae35730926c8ab8460a9fb6ab45d05629a5236758f29b91f6802893a60a64f23e908ecd629acdff735b354d
-
Filesize
1KB
MD529c413bfed38632cc7933f8dc2680f4e
SHA1942dd6a35e1f38c3079b99dd36197595ca851cd5
SHA256e78aed29e0e6933c89b204db39e4f680d6ba2efa05df1b285e3daa6b258b737b
SHA512e6b7b85fdd4141d993cf4ad7f63adc6cefb4100673f5ddabeb0b7668c19b3cf9d36c392fd42d50ccbd7204b2cbf455c6775e8b1cfcff19c525ba73004ea00434
-
Filesize
1KB
MD5c4f2ef9fd36b6a1052f5786bfa6dce81
SHA1b29de5f454f7e07981bd8fe21bbe79e782c3fbbc
SHA256caac8c5ccbcefbacff668e563dd5a415529d1c026d8c9395eaaec6cbd60159e3
SHA5129fe6e9919a7e04e267d3d184e1c37cbc1c4c0a976442fd2dcb64b85d0838649bc022f06864ce1a916654aa606533e6d84f204888d8682f003264a4a6b6afaacf
-
Filesize
1KB
MD5169bc6dc73ba66baacdb4d2a953f6ba6
SHA1539f14f124f21548bff9e0c4af763cd54fa1527d
SHA256bfc43c31534d80937c6af4f8db9a5e05c2982a7db57460cda32d95493f83d5e3
SHA51212b3a50df4d7bd16325af7d1e8cf2d4ed29cb6426538550168806b8bb73755f93f1622e60157efb3873ecc70bb1d9dc2e6ad276e7eed4a794af46f50089c969d
-
Filesize
382B
MD5ebf10330845c44b3c177d8b668837738
SHA1e66d6de8cb3af3d29e91fe4fd48a6169a1391ee2
SHA25633efbef8a65009903d725451603562c689d588bf6f1ad46f4cd58c03209032be
SHA512b8f45164e5343ba931ffb5c5d25717c95934df328186390af1b082de17538259ef28ef5fc9124cbf829f096af1760e99418da613d590df04662d35123b2bf790
-
Filesize
252B
MD50d404766005467bc8773b1ccf0859538
SHA1d66a36cff5c2f5332781d352cafe007d7ff54311
SHA2567cfd34c7e0b39388c7a182adcb409df637e846d14f15dbd17db94a93dd14e041
SHA512ade993887bfd2e9a7864453698daa1366d577e2eeca248356022bf0dad3670e67cdc557313fc6f7954be06526422776d31282b487a7bfead2d3ecb6008b600b2
-
Filesize
385B
MD53722810c87af2b34ba28425be33c9d5d
SHA1b83568ddf9d4220e8bd6143ee60a06b4279dbd20
SHA256ef8834817ab570e1852f2890dc21c8132febe3185dce272a07d478877ce9ab68
SHA512817baaf85623ec170692e1f23ae8bba236888e1e83231529a73c89d7a054b428e4c510a345e1a986940b363b6411cb9fb1ad0630d1a03b2253ab3d478427753e
-
Filesize
255B
MD57cb6fc1429f1e5150ce850b6dc5b6218
SHA19ac2be42f118cac935475637ae098fe30447dc30
SHA256f249d0afe556f37fa81d7ae6073d3ff77eed9c93b0746195424eff5f59a56084
SHA512852bc2398dfc7fc193f7dff53cde7b909ec1eee777c452162d4d30fbd6933f986330c9e1a9078f94846543793809b6f6bf147b7a3d891f0c6cf531962cb5c495
-
Filesize
379B
MD5208247e9682acc7bda97b01f497bfeaf
SHA1d7e22e7bf51cdb4b4d1b0da784f4997edebdb99c
SHA256cc63091727fa4ac20588a68441f694614d820b55e726ea74f695509f32afeb03
SHA5120714d22c4a7826028bc320850717139d4cf608b7eac482a9a128055b9698597387f3449ebcecdf76c5420ac94eb0a4babeb928742790438007a6a62e5f5c0127
-
Filesize
249B
MD5e614d07c56b473bd80c3b37efd62c37b
SHA1c626c058f10462131fbb847ca2ecb36e669880df
SHA256fe54e21a98ed0eed140c0b804a841e6fb60bee2770e3789e55824761dcaf9b01
SHA51209b3282b701212e5ae86ef7eb9d51286db9807915db2ab3c980e2c135ff5bb4ea0772a4ebbc31b30c7cb3dd5df7a0948c156dd03f605750f572f868ee5561d2a
-
Filesize
365B
MD5d3c6b415608c71e76aacf5609a152885
SHA1e8dfd0bc24129b78eeef5ae84a5ea10228c163ae
SHA256c3f8e24c35f3930a45e27eab3f4f5fccb010cb0a2e0210896b7b5b90393dec4d
SHA5128d0a81f826b7b6d798ef09b453a0e8c6e5a6bfe411b378e2a68e6c6250d54adad998878c4901fa1dfa6ca9d47c8998ca9501992b38611dff4d63708f79b5b5b7
-
Filesize
235B
MD59fb9d5cadc8c84ddef72a8c383ced1d8
SHA18c51c46a7e3376d42852971ac0a9c9cd1edfb705
SHA2562bb89cd8293c6d00440d955b65366185388cffa206447128f57b59e1623c9716
SHA512753fcb24215e3354300f3af2b92cc977d88f7877104c8b553065619d9e64740f668d94fb255b956e902df985ec6c125f96c46dbf4e0518f183508739f5077437
-
Filesize
395B
MD54d72a19b75610bb3cd347e3a7f20b05b
SHA11fc3e39e5f006dfc429ed5de6a6551792bfccf61
SHA256c5394f5c65eda58064be34be057e9cd2b4df13cc9fa4fe8ca48a8cfe3c54d283
SHA51248443e8d89a017c586b0beddafee33a484e2d2310411fd56d398f105fd76faa3b652715fc29e69b061290576fa4c433111c42a19e802de2f18389ced41971956
-
Filesize
265B
MD58791a662203468ab6ca46f5c62796633
SHA1b7b043a6604487f806f93258cf589f121fe2c5d1
SHA256c6e97d67289a3eb5eac699076583f03a0684b621ce68140a4a8fcba6afb69ae5
SHA5120c99adf6e7bc01c3b98848ced079cb48bf05a6a0286a04b8e9262a74505161523c89634d1ea6d7bf772020a102ac03ac32b1f2c67327eed864981a302e3b01e2
-
Filesize
1KB
MD5332eb1c3dc41d312a6495d9ea0a81166
SHA11d5c1b68be781b14620d9e98183506f8651f4afd
SHA256bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2
SHA5122c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440
-
Filesize
3.0MB
MD510e817a4d5e216279a8de8ed71c91044
SHA197c6fb42791be24d12bd74819ef67fa8f3d21724
SHA256c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2
SHA51234421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37
-
Filesize
556KB
MD500c4245522082b7f87721f9a26e96ba4
SHA1993a8aa88436b6c62b74bb399c09b8d45d9fb85b
SHA256a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf
SHA512fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
3.0MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.4MB
-
Filesize
32KB
-
Filesize
1.4MB
-
Filesize
88KB
-
Filesize
1.4MB
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
1.0MB
-
Filesize
3.0MB
-
Filesize
72KB
-
Filesize
312KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
10.0MB
-
Filesize
3.0MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
3.0MB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
3.0MB
-
Filesize
368KB
-
Filesize
3.0MB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
56KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
3.0MB
-
Filesize
32KB