Analysis
  max time kernel: 119s
  max time network: 124s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 14-11-2024 09:25

Static task: static1

Behavioral task: behavioral1
  Sample: ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe
  Resource: win10v2004-20241007-en

General
  Target: ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe
  Size: 885KB
  MD5: eae6d4d5eae0cf85ff69eb89946e4185
  SHA1: 9107578b01297b583bf797575bea0d745d024260
  SHA256: ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810
  SHA512: 14fbb35dc316eef0d11204280b8e152d54905f72e43f2f98d92cfca559f3d09dd7d849ea01ce1c57ab94d356b26d6146e6714a51d1f72af9d4d94fc0adba533f
  SSDEEP: 24576:9WUovLOqIJk8IjNJ/+z4F3osuiKoqsyol54bWYUK:9LoDP8IxF3osxKoqUK
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Columns: description | pid | pid_target | Process | procid_target
  description (all 33 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target (all 33 rows): 2684; Process (all 33 rows): schtasks.exe; procid_target (all 33 rows): 40
  pid (one row each): 1980, 1284, 1324, 2876, 1952, 2712, 2000, 2016, 1908, 2116, 2960, 588, 820, 3000, 264, 2996, 2492, 1496, 2108, 1516, 968, 2124, 2792, 2056, 1660, 2560, 1672, 1628, 2292, 1032, 1740, 800, 2076

Columns: resource | yara_rule
  behavioral1/files/0x0009000000016bf7-11.dat | dcrat
  behavioral1/files/0x0007000000016cb2-29.dat | dcrat
  behavioral1/memory/2008-33-0x00000000000D0000-0x00000000001A6000-memory.dmp | dcrat
  behavioral1/memory/2704-69-0x0000000000E10000-0x0000000000EE6000-memory.dmp | dcrat

Executes dropped EXE 5 IoCs
Columns: pid | Process
  2692 | Bootstrapper.exe
  2068 | kendalcp.exe
  1212 | Process not Found
  2008 | reviewDll.exe
  2704 | WmiPrvSE.exe

Loads dropped DLL 9 IoCs
Columns: pid | Process
  1724 | ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe
  2796 | Process not Found
  2148 | cmd.exe (2 rows)
  2540 | WerFault.exe (5 rows)

Drops file in Program Files directory 10 IoCs
Columns: description | ioc | Process (all 10 rows: File created, by reviewDll.exe)
  C:\Program Files\Common Files\System\ja-JP\dllhost.exe
  C:\Program Files\Windows Journal\fr-FR\dwm.exe
  C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe
  C:\Program Files (x86)\Uninstall Information\24dbde2999530e
  C:\Program Files (x86)\Windows Portable Devices\smss.exe
  C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72
  C:\Program Files\Common Files\System\ja-JP\5940a34987c991
  C:\Program Files\Windows Journal\fr-FR\6cb0b6c459d5d3
  C:\Program Files (x86)\Windows Sidebar\wininit.exe
  C:\Program Files (x86)\Windows Sidebar\56085415360792

Drops file in Windows directory 4 IoCs
Columns: description | ioc | Process (all 4 rows: File created, by reviewDll.exe)
  C:\Windows\fr-FR\lsm.exe
  C:\Windows\fr-FR\101b941d020240
  C:\Windows\system\spoolsv.exe
  C:\Windows\system\f3b6ecef712a24

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Columns: description | ioc | Process (all 3 rows: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language)
  kendalcp.exe
  WScript.exe
  cmd.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Columns: pid | Process
  2328 | ipconfig.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Columns: pid | Process (all 33 rows: schtasks.exe)
  1284, 2712, 264, 1516, 2056, 2560, 820, 2492, 1628, 1740, 2076, 2960, 2124, 2292, 1908, 3000, 800, 1980, 2876, 2016, 1496, 1324, 2000, 588, 2996, 968, 2792, 2116, 2108, 1952, 1660, 1672, 1032

Suspicious behavior: EnumeratesProcesses 2 IoCs
Columns: pid | Process
  2008 | reviewDll.exe
  2704 | WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs
Columns: description | pid | Process
  WMIC.exe (pid 2612), the following 20-row sequence recorded twice (40 rows): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  Bootstrapper.exe (pid 2692): Token: SeDebugPrivilege
  reviewDll.exe (pid 2008): Token: SeDebugPrivilege
  WmiPrvSE.exe (pid 2704): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory 43 IoCs
Columns: description | pid | Process | procid_target (identical rows collapsed, row count in parentheses)
  PID 1724 wrote to memory of 2692 | 1724 | ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe | 30  (3)
  PID 1724 wrote to memory of 2068 | 1724 | ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe | 32  (4)
  PID 2692 wrote to memory of 2984 | 2692 | Bootstrapper.exe | 33  (3)
  PID 2984 wrote to memory of 2328 | 2984 | cmd.exe | 36  (3)
  PID 2068 wrote to memory of 2620 | 2068 | kendalcp.exe | 35  (4)
  PID 2692 wrote to memory of 1684 | 2692 | Bootstrapper.exe | 37  (3)
  PID 1684 wrote to memory of 2612 | 1684 | cmd.exe | 39  (3)
  PID 2620 wrote to memory of 2148 | 2620 | WScript.exe | 41  (4)
  PID 2148 wrote to memory of 2008 | 2148 | cmd.exe | 43  (4)
  PID 2008 wrote to memory of 896 | 2008 | reviewDll.exe | 77  (3)
  PID 896 wrote to memory of 1960 | 896 | cmd.exe | 79  (3)
  PID 2692 wrote to memory of 2540 | 2692 | Bootstrapper.exe | 80  (3)
  PID 896 wrote to memory of 2704 | 896 | cmd.exe | 81  (3)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth; bullets are the signatures that fired for that process)

C:\Users\Admin\AppData\Local\Temp\ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe  PID:1724
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe  PID:2692
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  PID:2984
      Command line: "cmd" /c ipconfig /all
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\ipconfig.exe  PID:2328
        Command line: ipconfig /all
        - Gathers network information

    C:\Windows\system32\cmd.exe  PID:1684
      Command line: "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\Wbem\WMIC.exe  PID:2612
        Command line: wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\WerFault.exe  PID:2540
      Command line: C:\Windows\system32\WerFault.exe -u -p 2692 -s 1128
      - Loads dropped DLL

  C:\Users\Admin\AppData\Local\Temp\kendalcp.exe  PID:2068
    Command line: "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe  PID:2620
      Command line: "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  PID:2148
        Command line: cmd /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\blocksavesperfMonitorDll\reviewDll.exe  PID:2008
          Command line: "C:\blocksavesperfMonitorDll\reviewDll.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\cmd.exe  PID:896
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUTGzMQHLd.bat"
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\w32tm.exe  PID:1960
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

            C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe  PID:2704
              Command line: "C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

Top-level schtasks.exe instances (33 processes, image C:\Windows\system32\schtasks.exe; each fired the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task"):
  PID:1980  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /f
  PID:1284  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
  PID:2876  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
  PID:1324  schtasks.exe /create /tn "BootstrapperB" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\Bootstrapper.exe'" /f
  PID:1952  schtasks.exe /create /tn "Bootstrapper" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\Bootstrapper.exe'" /rl HIGHEST /f
  PID:2712  schtasks.exe /create /tn "BootstrapperB" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\Bootstrapper.exe'" /rl HIGHEST /f
  PID:2000  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\lsm.exe'" /f
  PID:2016  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
  PID:1908  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
  PID:2116  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\ja-JP\dllhost.exe'" /f
  PID:2960  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\dllhost.exe'" /rl HIGHEST /f
  PID:588   schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\ja-JP\dllhost.exe'" /rl HIGHEST /f
  PID:820   schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /f
  PID:3000  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f
  PID:264   schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f
  PID:2996  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\wininit.exe'" /f
  PID:1496  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\wininit.exe'" /rl HIGHEST /f
  PID:2492  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\wininit.exe'" /rl HIGHEST /f
  PID:2108  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /f
  PID:1516  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
  PID:968   schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
  PID:2124  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\system\spoolsv.exe'" /f
  PID:2792  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
  PID:2056  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
  PID:1660  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\blocksavesperfMonitorDll\audiodg.exe'" /f
  PID:2560  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\audiodg.exe'" /rl HIGHEST /f
  PID:1672  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\blocksavesperfMonitorDll\audiodg.exe'" /rl HIGHEST /f
  PID:1628  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
  PID:2292  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
  PID:1032  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
  PID:1740  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
  PID:800   schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
  PID:2076  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
Downloads