Analysis
-
max time kernel
147s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
21-12-2024 16:26
General
-
Target
75b13dde011211b5513b92084ebf378e5557f0ed0e3abc9e26f2ee5b63b1e2f7.exe
-
Size
1.3MB
-
MD5
a872ad32daa1c1d80b2f31eefd0ef47e
-
SHA1
d48e5b59688873c32f81cd7ab51a5b1a47ceaa98
-
SHA256
75b13dde011211b5513b92084ebf378e5557f0ed0e3abc9e26f2ee5b63b1e2f7
-
SHA512
2fb15ab49207f705a5e543b394bb50221a2937a3f34e756093501cc669a026fa4432186abf6c3671a5842f57b0452859299b8f3c7dd7de90c2d15175548624a0
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\75b13dde011211b5513b92084ebf378e5557f0ed0e3abc9e26f2ee5b63b1e2f7.exe"C:\Users\Admin\AppData\Local\Temp\75b13dde011211b5513b92084ebf378e5557f0ed0e3abc9e26f2ee5b63b1e2f7.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\schtasks.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\lsm.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYZNZVgiVS.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Links\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD542a18f3976cf29899fb1d82f4e3a1762
SHA15e00b03dc533697e4cd20890de95eaa6b94515a1
SHA256e475123b2298703f444373cbd66d25301b7cdaa6f9af5b38303765c45cc06602
SHA512048df2e0b2f7c539fcc4c174cf979a6fa174f3500966c3091344e11f79d830d8455b4189591dd22e57aefcdce1fa00cd8ce0aa15d7bf67618bf095cdf87af1a3
-
Filesize
342B
MD513650f88a5cfc10e69797ffb511e41d2
SHA15b67788a9f1f40bca8b71df4156182d277c5ef51
SHA256a0d8a3eec6338a2c4af8e00ea29113b5e0b19dbfe4af0bcf19e3f214a42beff0
SHA512a90855918f118a1d04b9174791cb0a3451515f60d28c3bf029b9a5433e5db79ac0d47de4f370dcc5194bbbf4b81909da185dad326342f4b81978596c545a5291
-
Filesize
342B
MD57df03f4a58f19921e13c6eb3877f446e
SHA189b088abc43bd8ee3097fd685a7643de80c535fc
SHA256145e590b2f7bb170b468a9e8a668346f2f5d9be3120cccc70a7ce3034eabdfbb
SHA512106d1e3a5b36546b73a661bc64e34f26dc2f3ca1a85b6013da724c7de29c0a15cedc2af170cf5737bf2fe1d24a62f6c762d00459bba3025a2f69593984e7c3d5
-
Filesize
342B
MD521755db32ef432c01c1bdd8cdbf2feb1
SHA1b626c4d4d8cffb54de1e3f16add3165e2514a355
SHA256266c2ff9af637407d0f0a165100e4870613cd93045ce698c3e81c6954a8380eb
SHA512efe7d417113c44fa9bca98536a99e2f15058be68b5c69496e7cc695a489ffef052edb354f38fabace8e9a703e54cf8c59e2d5691871dd9fb475cf08abb834020
-
Filesize
342B
MD5526136072d5dada47910173b52bef007
SHA1f129131e2dbb57f94d7988ab0244069614271c05
SHA256f27a6e8661ab3c717f3824b4774180352d90f1bc4d3010571ad99df84faf3031
SHA5127477dc905095efa848d94c6b111dc3594dc89111b3604f8decbf35b89dcb0f315adf7701011175d134f27a614e78f778e1fbc4f71bb9c2cf873d3c03b20beecc
-
Filesize
342B
MD5b1a1e8f5f20f9317fdb7475b18e2e04a
SHA1f9c5ef0b8683210cb5ba5f10bd1e6d51edfb20fa
SHA256596f968a2145b7c1c8434c18aa6a62d3d7139ca33b208678aa66b284e5133336
SHA5129d62cc3c9d1137dbc64c78faa90b27ac907fa62da96c9ef171a08452c0a23f9bcc2fd3ca00da7b416ab03d83446fa2dd158074bb92c01702e2c347759f18c202
-
Filesize
342B
MD54a5ad5561cc496747797f9a8ab22f023
SHA134ea7330ed6c8db4f02b21489c27dc39cb16cac1
SHA25606400e5d414f659618763d0d46796cb1961383e5e721dc43068851c12c391f22
SHA51299fadf51a5ece6b7f2e0612ce422dde7c4d8b2730ed087f499440e33093287c6f653b12ae9a168649a4895d9d7edd0a31ae26d29e53d0deb7162a0f2cfeda3ce
-
Filesize
342B
MD576212e87f0be1149679a2ee1d1353611
SHA1cec5aa1a9f7800d3b4d7ac6702abaa19a1e693b1
SHA25621323f05718c232f230e408ab2febe3c08af52379d89fcd7d55b9f7a7c26a1bd
SHA51213bff7c6bd8920bc620f09d5ca8778af31ecf700e1079794d6be4512acc1dac2d2c724e5fbeaa5882591f9a3be85437924fbc0e86a4b776317ae0763d9914eb9
-
Filesize
240B
MD57cd8f0a12e1315558c49fe79a41b5a7e
SHA158c56adb24cb73bfb73fabbef1255197ebc10122
SHA2567bfb6d4a4ef70f19d0a9288445fe55c3ae13bfd9b1a0d82d316b642d9437e917
SHA512c80d073aaf72e0aef34d452d36abc775064a93f6c78bfa7fe453e38e815701eb3795549e046c2c98c3cc1096abb11bf59af450129dd4dc4bd909cf721d228405
-
Filesize
240B
MD5b899b227b5845888cd9c812cf40bfcdb
SHA1c5f3781e22bee3ecdf729434bc44e97577286b09
SHA256f3596e885a8475258890db8faa921a381620ec3b9a6c6f620245503e058268c9
SHA512c46d461c02ed1a0f26a2e2a818efa4427e460cc442be82c3887e78d66b63bf1050a1d21b11a558f4adf4f725ee1fa2037802b12bcaafba89eb1a589262a31143
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
240B
MD51fa1a560cc72868b5794de7bf8209375
SHA1db02f242b55cb569dac6571acd730c4232b68b85
SHA256384bf8cdabe4e2699790e23276b7d951f93a04c9645823cbf44b7f24052e7ae0
SHA512108bbfc77373fa1fe359cf5137fcf821814650bc24f939f47a88f516dbf7530ba621a50387b2cc245ccc2eb52445d76d69dffdc9113e0329e3fe784e5ecfc198
-
Filesize
240B
MD58c03b9335d8a9a8e5350036c1c9fe65e
SHA1e9548e9781f12ebe38f508d9626ca25843e131d6
SHA2560b29a7fd5fabf77709af363fa2887b98d4c95b3ed9a2452a5633b2581ff73379
SHA5126154e37cdbaf33d0bd9356130066287b0e74d3d3f8568f5c82d9c1a65a4398aeb29a08de7b978090eff4e1f8c91aaaa89ec64be65bdfa9443e8c4d9979efde82
-
Filesize
240B
MD596d1c1efaf1306b44360cd7949fad5b0
SHA1852a8afdbd113336b3cfe0b833871e0a1edf7e57
SHA2568bd032f01086e330d9a352709ad5db07d797b5d699a1d8c43c3e86499df2a56a
SHA51294ffb4a42c38a92e58613bfa532f06cca3e092285dd54d84656e6077e81abbcefa62f58b61db54ab5dfcc69d25266dbc16bdad195b90ab2a7df9519674cf60d7
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
240B
MD5d16346a792adfd79f1d645610cfee80f
SHA1fc4516861ca1d398da7d8b85c90ead36fc5c6147
SHA2567fe6f93a90e1be568953d6386b9f33ac50285f2db1b89e020e21463b60315b63
SHA5127626c98ee6a7c765dc25f42a3dfc2e45c446d139bc8f2d26474a2a5f329038fe8b5e97a9abd90ac2127d7a604ebb8d0601dede780cca22f1b07845e2a81ff217
-
Filesize
240B
MD58c7f900a98fa1ed4e86c4aa2558c8672
SHA1d1b7cb7132144d523175ba94dfc676a10b95e87b
SHA256e4491cddaf3220936e184a5351c7c38204ebae51d6c40ef89e35b00ec33b81df
SHA512a566c484b5ef4e08e4335c08fe630235769d93018babf5d858a8c5c43e8e1019925c70e54fecdc6f37ce7717ba0508b09f182c461d1c567f8b677c418f821771
-
Filesize
240B
MD5e78b31048ea802db92157a3fd05181ab
SHA13c697797c58398308a6286c5acacccfdeb414a5a
SHA2563e7f9cd7927550a7b65d95cc026cda8858c88919db379c949654cf50e2c2a935
SHA5127d72d6d563f50c878074b418a577ab58ed516a12b0421af6711de5badf75ddcff19ceaa125418c7bf765a860fb83a23f7c18cdbc740527d47220166c3e618ddc
-
Filesize
240B
MD5018f248d87d1d646bfe26570c419df62
SHA19e014ac1071df3128056c693278a318aaf565f93
SHA2564fb53c4925e89e0a632a41ff0af8bebbd9fd711eb1c21e31cbcc708badde13cd
SHA512a15d79c221b192b9f2aa9699085e4cc07eba51e11e60f3d89284b185dd122c356b1c83ad186dab77d17d84ba78de24a143dc6c80a7707808fe07763392f0d4c7
-
Filesize
240B
MD5bb8b91a600c93f9f410c616e44ffb94e
SHA1a5bad345e2c5b49194df3cba63b269a689b40717
SHA256e5975b057e5965619a0ea7d9193127e41a77814534abe610a8cd6bd6dd568892
SHA5126f70914bcb4db6c51d122fc9c045f53359e1e7e8a996285992512f9dbdfaac100dd9c243700f403e72d718da0a0d6eb7e91f711c1e88700721f869373eedc394
-
Filesize
7KB
MD536570b8d223e39fc1d24706f248ff0db
SHA134f5176d395cee365d72303efc4907d0e07d8d6f
SHA256850677db4957604dc4883ab697f1190ce0bf1dfcc5d9b8cd484f74e526a05c20
SHA51231daf98b6b3a815564324a05fd05f36413d8ae395a36e3930057d729a63b2df76e24955a9838d19a299181d872809078ed54ec1cc600f733a93cbc130edf3e35
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB