Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-12-2024 16:25
General
-
Target
e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe
-
Size
1.3MB
-
MD5
ff93deacee9f31af19efda4595731582
-
SHA1
ba6d683976b798f81282262ffec4246375938c22
-
SHA256
e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e
-
SHA512
0d4d8c937b432e8667a9d0e5c0f8f2dd6c2c273ae3b1100914cfeeb09034662f52200aeaa1c30d3f02c33b3ef55691d8c1f2ffbd1487a9f482f202d15d159e3c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 13 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 24 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe"C:\Users\Admin\AppData\Local\Temp\e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"7⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"27⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Videos\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A6z4DAcL8j.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Pictures\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.7.0_80\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Videos\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\providercommon\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Videos\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\My Videos\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD58a5a0e52f4b1ac79d5ee952742b4dd81
SHA1c1031fb4fd0f951ec4fa21a742f8196d4db03853
SHA25674085c20d8bccf185487f69a842c19af5336f1cb4a079dccb4631b04ca300eb3
SHA512024fb70e9f9107ba6dbff67421972ae68c56a3e882d4016dcb880efcc61b4a4414e4ebc1c773dd682c0294e7c0aa20db7d1ee1984f2ef1ac8b5ba0de62947afc
-
Filesize
342B
MD5fb9f84d2675067e5bca36ffa53de2780
SHA1b16873383c225ff3144a0cfa63b130ecf70b0191
SHA256ecf7d2ff160cf07e558dd4b42c9c99b5217574122f850d8042e0c73e32a7ba28
SHA512af58d9741776f584921b1ced3341d542c625cd549ca446fe495b6867cf90b8cc814c2261e0032a29888fb0612fbac144263b784bd0b33b74d7ebc0b57658a418
-
Filesize
342B
MD5af3ad5c3a31182c499e7e7097937c1f1
SHA1732519e988f75d3a8fcd8d4e83ccf00130c3f873
SHA2563446eab6c38fa9e7b07cb22c25244be683e2895ef897d4101cf1078f0c54e641
SHA51234685a80490079c3e43d1b0df12c9751bbfd806c8d8ce93f113f9559fdd5bdba3c786231a9d2f61a7f641857c75f9ede4f72c4e2c519f65a713799b152fae280
-
Filesize
342B
MD54ccaee8c27858873dea39e7a29086515
SHA1ee2857c73323655726134cb6db5e786a850d99e3
SHA2565eb29f8469877d303a85ee2f2aa8c25a278e12e518f704b9b39329f36c1f3a97
SHA512f507c9477552a134549258038be825f1bb7165a85492d538f16d78fd98fb3d9a9a6abf541666c04897b67bcaff9afbc74e2abccb20a3d506904ec946b8c32673
-
Filesize
342B
MD5a7d27adfd5306ac4163aada97ee199a2
SHA1ea2162a752710e22b96de5834706a4edbdbb9934
SHA25675ff856d6f1c057ef079beb6a763fd6d6d633d17bc51ff18a471c930cca933eb
SHA512ef492153dc650848b2aa45ebfb9d1deb55b351c242eb486bad9e81cd27fee19b912b1f65b9c805b61258430cdba9a48b5636467b4d9c4ff6979a0bf29cf94d9e
-
Filesize
342B
MD538a2183a60e2e9112b80a75a15678029
SHA105b99c8da472dc7d5269aa21a66bb4ee4f0dd651
SHA256b4e85d5f3e33b1c87aab294415ae5666dc2a7b5726d740bf1199f6964110175f
SHA512f6010ac43a15deb379e7051d34380505c7de7a3289209a7404c1d2c9d22c8798219afe3b1bf4f1905914d3fcee515ab7b167889904d6f97ab69fe67266fcc7bf
-
Filesize
342B
MD5297237917e1b35fde467ec630db45899
SHA1ae80102f97dd3905738f5875979d50ae08233ca9
SHA256a6ad7d9580feb25a39655c3ebae2a71aa47291f0729a529a8c1468d83ac3683f
SHA51234c1a2e6f45b39e3588fab28c3855086d39393ed45224ac750ca565ce69328ba9b13dc9c4b1c511b5dcb6d89d55db8ac92b9a7a7c688fe1a2e6626c7b11e6e30
-
Filesize
342B
MD55438f061b069c2d44508108797108f83
SHA10dfd8959e958630ebbba75b40727b90f5ad1e211
SHA256c9319d251edb61dd2343693caf671732889ac59f7cbd0e535a91ace72ad342a7
SHA512e90316cd48cc6c37f6554d9b825e45bc1e962e8e62fc54d2088601abf169dbb426645d6cb9b84bf9dcf2e1bde0957866a1a37493bc222c9e500472370d632fd0
-
Filesize
342B
MD5ffc5f2f7883b40c2cb5f45475e5c96d9
SHA132407276a61d8d2987c6de9cdab42a52e1463b4b
SHA25657b0f05a313a2d7e189771a66199fedef236e606b10154d209129dac204a53c6
SHA512de61cdab569643e7834a2833a8bcbd6cb34049f6390e9dac1831a99042a8b691b993cd9b4da4da730123a05ab19f92c4a8a426616679a5c449bedcc7887685ad
-
Filesize
342B
MD56edec90980b47c8786cc012d05ee445a
SHA1208ea97f4afb674ae30ca18b8de4a708743f5565
SHA256666e13956559c7ee607823874d7037761a2f95e1141a6b695a46115b4f945792
SHA5120630915b5af092cd1ecfb07379a6e1a7587b51ee6f7564ec5c84f01e17ee284f99510260063200ac6482c5395c1dafd224f2f8b00b67002c6ffa278499e19483
-
Filesize
197B
MD5ffe183cda71da4474eb2a2cd08f08958
SHA195ad2a6adb9020a5e04f411d14f46ee652df547c
SHA25673565f697cdca9f201670c862a18a28d16f5622cb60980d6fbeaf73b2e449402
SHA5125cfdb0432fdda6b038a40d2b6b54f5528f69340ab34f019fd43015b0746ba53d5fee21add3b545377b3eb46e0f1d5426138f13b75c118904f9efeabce9a8904b
-
Filesize
240B
MD5d299fe63f5871dcd2be7b83f898185aa
SHA1d85f2d59391ba9593949d3f17d1424396c5f4fe5
SHA2568cd72ffb324f7e3a5e9ea7782b555470ffb387b557c36c4ff749f0cae9e9b242
SHA5120b9968e056584ebddb483f0400e25e113f55a6ad864df0667536b38b4478e2742d87ca84bb6dbc4394e0061387dfcf233b22f287356329a95fee5a305843e61e
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
197B
MD50ea1d917799b18008780eb9758bc8042
SHA1b47d5ae6053a625b418a08a04df539b8f7b643ab
SHA256979a6ad36083f6e6849219e677bfe24dbda06ee5f5c211311175a7426984b9a8
SHA5126677b680d31eee412810e38400430e7d5ffd212600b43c68da6c4082980c0cf84e8644e065ffe2fe0b27387b59feabc533c5e5c9c9b38eed5b101b24b8a20c9c
-
Filesize
197B
MD5a60e9603fe78d5a5149060628aeb79d6
SHA1658570d407915782f9cb61d739b9d8c0e1e41ba6
SHA25641b94361c735c5dda03bac9f6f856d299ac75386dbf38a9891d6030032333722
SHA512e9e6cb8987f1228d5fbc84f0a1a4721e8e547e97694476e93c47865b190263f17938c661b3b17f2379dbb493cdeef2426e9f11fcb49dd16d7eb067662f6a9b45
-
Filesize
197B
MD526970d34dc357ed6b3eef035263a6ea9
SHA1e00a1a28cb1444b4b2dc3beb1e9a4a5aafd00bd5
SHA256b21bc2a81eea467c9af110b19f012ceaf5bac5d73ccc6ebd5ccbcda38d00a496
SHA5121b02905e28a6d8eb9a1c1884cf098f838266d5c80a39d6457d46842279a231c4db80f15358b43d0d52cbf97445ee6281d1476b4bcee6c03481280ebcc27a13fd
-
Filesize
197B
MD52bc9f5e7557d915e5e7d3a0f456f3e3d
SHA177cf7e6757467fd206f90d4b8381c6a57d509efa
SHA25657333290900a8174ffb401f9ce43f6ed19e947d4e0a9c80cc97e250ffae5a388
SHA51283a019fd4a0ddd30ba268bde57bc6f3815022aba2ed2f38176fdefa1b26ea634fe16adfbdadd3fedee3a57b8e8b30cbd1f85a9a3b11c8039a042391de7e05f39
-
Filesize
197B
MD5e8382008ea0d0f807a7513c906d65724
SHA1455724624cc6bc57071040c2f0d062631ec79aac
SHA25639a81f6a1ead01fd149afac87d9863e0ec5215f7fc8f38cbb1d05f02fcd1f8ff
SHA512674883e7af87e3b757a9f327aee334bac0a7fb823a65048cea03b101e65842bef11d4648ab6eedf54efa9c3a5b7a3dd5ef603514adb2eb16c818bca43625e15c
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
197B
MD5b8bef0b3f5d2d90b72b941896faef819
SHA1683478877bfd2816f831d25c39eee3c67bbf2718
SHA25655b2e731cb5bf991b6e41ef3b04fc147d2074262efc1cd26f9b1d5cefb108f1e
SHA51263a92e2d515c8d7e83375a5799e6eeff700c5f4c8c173a006bfcd568d79084e2b25ec0438059202e6046c637425af423ae429888730c7b3eab7dbd1a09b40700
-
Filesize
197B
MD56392991d63a9d8bbd846b032faa96a9d
SHA1c912b9f46bb538f693e8c405a58fd013a52b83ad
SHA2560ab665109a2df6c3939964f781629625718379d162995d91e94423d758f79559
SHA512041fc5a535508a94917bf52473a2684bddc89a5aca9c96b597e188e851ee1ae853196783887b4768f5c0fd81b192da54c3f94b39faca6a6738bf12c8d0169bf4
-
Filesize
197B
MD55c7d1e6d47992784215bf53ffb51bf35
SHA17a30ca94315306001ce684826edec32a45755b46
SHA256072b9267922027f59e5df93903bc04258400d474ecafdfd520dd971f488eca99
SHA5125de128e8452f8aaa423e68778b5f22fc29cb14dbdc782490dcc5ed0804398f36bd97fffb5c26a8355a6213d0f6e92db186b3e55fa33bfe21ea670f63056f7a7b
-
Filesize
197B
MD547624a10118af2393a77cc0bffd15126
SHA1e3db09f19c358b3ef8215619a8cacbbe09f2aa86
SHA256ae45a40ae3c45ebccc7ab49229506b4a181c0354777fec6beca99f4c89bf0fbd
SHA512f3e2f36d4aab75961cced14a811232af233898a0b7f73466d0a173983cd726eafd224c2961536f62d29fbd5fa825b0c4077c09f29efe8cc86b5a08abdd884c53
-
Filesize
197B
MD5bbef76baf75c6e40c811944ecf8c81f0
SHA1e8bd9bb70713125abe6d1ecb3ee724eae118fd42
SHA2562a2ad01ee4010fce82282dd2a56ce43b4d81e435346558d97dd2771e3143bbe5
SHA512b3c37fe097064fb49f34b6448677026429d1bdcb65c4b6be19c49d8ee7b992bba161926c2a9afbeef3c7469d6a0ddf8aade979d9846d41f93c5fd285a7d77860
-
Filesize
7KB
MD52703cba7b6caa7e933f8a76aff3e7e65
SHA19c8f6c34753560f562e74e180228242cc3208d4a
SHA256c92fb427db631ff70b31ed68af06d853997a1a40fb79e9bec956227ad8920c34
SHA512abf74c4d0b92045055d79f6ea747a4b28bd55b4b286bf3ffed65c66d9b3eea829de96bc2330b96e8578cabb3c3c80f8a8584c36a2a0fd92ef7e9e195e70acb16
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB