Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
12-01-2025 13:52
General
-
Target
6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
-
Size
1.7MB
-
MD5
0624cb81236f6a0e8d0487a766458088
-
SHA1
36ea7baa5b367c60269eb1a277bd5ad4bc41b54b
-
SHA256
6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8
-
SHA512
742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553
-
SSDEEP
49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:OTHUxUoh1IF9gl2M
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Drops file in Program Files directory 29 IoCs
-
Drops file in Windows directory 17 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe"C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe"1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe"C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3q7JtkAt6H.bat"3⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
-
C:\Windows\it-IT\powershell.exe"C:\Windows\it-IT\powershell.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62e77963-c9b2-4b10-a2ed-1901ec15c9a5.vbs"5⤵
-
C:\Windows\it-IT\powershell.exeC:\Windows\it-IT\powershell.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2adec37c-cd6f-4a91-b406-878a1226fe09.vbs"7⤵
-
C:\Windows\it-IT\powershell.exeC:\Windows\it-IT\powershell.exe8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eadbc89e-9259-4562-b121-6121986a915d.vbs"9⤵
-
C:\Windows\it-IT\powershell.exeC:\Windows\it-IT\powershell.exe10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a8e7e8b-6107-4daf-8a52-5b60d53b7db6.vbs"11⤵
-
C:\Windows\it-IT\powershell.exeC:\Windows\it-IT\powershell.exe12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83566fea-6c22-4bb9-bd27-efd504ff7a43.vbs"13⤵
-
C:\Windows\it-IT\powershell.exeC:\Windows\it-IT\powershell.exe14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e239840-9686-4fb2-9186-6fcb82bc7017.vbs"15⤵
-
C:\Windows\it-IT\powershell.exeC:\Windows\it-IT\powershell.exe16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ece0d466-22b5-4b23-8a75-4e8de09b2ab8.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c66f2de-1363-468d-bfe3-ee0827124f11.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\601d0190-b12f-40f3-aee1-40b8024a49b8.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e24ad25d-e9e5-4a6b-87c2-8f192748b67d.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac5bdbbf-c0ac-4d4a-aa15-23a785333ce7.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21e8cfa2-d647-4d84-8ed3-64a3ddc19bd3.vbs"5⤵
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Favorites\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\de-DE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\de-DE\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\de-DE\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\NetHood\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\it-IT\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\en-US\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\en-US\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD50624cb81236f6a0e8d0487a766458088
SHA136ea7baa5b367c60269eb1a277bd5ad4bc41b54b
SHA2566854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8
SHA512742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553
-
Filesize
1.7MB
MD5c0dfee6576fe2ad2086b80940a8d1e8a
SHA136e3be6837d3993ef356bed1991dcf8ee0cb0084
SHA256e7dc286640d1136f9ddfcd7196d8a54394b8cda293f1ec1f420c25ae643ad05e
SHA51205794aee48937823c3053d353fafcdff6eaf60db104849564306bcdcd15c812c8abe923e3a677039fb2c89c78ca6b047f7177690227e5fb033b17c6c6fae8299
-
Filesize
483B
MD52bd74be5c2ac7810ed815e3c0b0d7268
SHA1d30af2172b00c986881540015283639856234a51
SHA256add7c66e50c91be537782c9ca6eafd72c44403f4907c3eb8cb429ddb1bdeb413
SHA5125e487f2001597999f7a86119d394efd42c86f8cd150aaa5b9e2e84b3d097bd28bf3948a87dc4aec2f9a7aa9ed98eeb0f21e6daf160f4d5eea57cfc50120e4e62
-
Filesize
707B
MD5f4ae42cedc55298bb6e00e5eb38586eb
SHA17bdfe3b12985ce04c1e265d8147d38ed08224d95
SHA2562519c2eb9199de92e7f3825ecfdc26e1a06a52a3153acc2c22ce1e0d55a1cfd6
SHA51261ef1be7932b2be896c47c82ad7a7b663809b529203702ce8236bba76fd825194f4555ba3782d57ca7de3d5c64a8e42cea8ffc49e15d9fdd009465ebcab119dc
-
Filesize
707B
MD5cf5993c7724a1e773db00707d364005b
SHA14849cd5e17fa0ed98424c242cc7d0e4c5b7ea3cb
SHA2561c74f00799b1bb914ad1951830e3d5ad0faeeb1cb39b5faa57eb32b50295f56f
SHA512048603d0ca0b6cdddf6377b4e71b8db363fde7df66406f218700fb07972945b1474485a0f85b2dc6ae5067b020cde99c377efa8ad20b6a2b1d7dc425e8eda260
-
Filesize
196B
MD507119114c235c6a6ef12d03d60a54eae
SHA1498f10319ae93964e9e59fc97977f20c81909bea
SHA25601f0006c545189117da90acb7b843f666cc3259826faa7af401909605013ae2a
SHA512a38e36a115c41aa31279913fa0c727b6d380c1775c71c89a22f96e9c79f6923dedeaf7e1258edbfa4a3d4d25c6d26acd857fab2ac285ca337e74d6cb46e2b2d4
-
Filesize
707B
MD5c34d42ef66be30b841a551866c39b457
SHA1cc003a43bd76140671f9ad7b4c32de08e3864b22
SHA25603168e59c78cad587c8566ad0bc0e44e227a5eadf3fb94c46519aaafc10b9665
SHA512d8a836bfcb52ee80ab21b423848f10f8167f9fbfed50b7e48bc5229596330006e58d9e6ce787e385fa01c53220eedcc4831d0441ec32d86c655d30185f340b45
-
Filesize
707B
MD5515af9122cc52612eafe2f4d4a8c4ac9
SHA11e52fe20b5c97beebb5bb8d66b80d513e5b36ff1
SHA2568144be680871a684dbacdaa3f67bad044343cde9808d96afaec5dc91b8bb9dbc
SHA512954d4d403fe1308619a1493171d52330ebc892e914e45305050c9d31eeb13f7a4e7cacee6a00793566a312231a524f5d9e784bae28cdb86d81bc87960a364f5c
-
Filesize
706B
MD5de9f94bb620bb0e087adf96ea34c9d7f
SHA122fe91131c6cd0e397cad94e5b9464af86d89808
SHA256d9400f0f83b5c41e89fde0ba03bc766042b20f9130d4e95dff28809e2df2ca44
SHA51240e8f11db09b61ca753321774d0055f4e19ebe842965d858cd41a69cbc557efee308116494aa6b9e10ce92de1ea2128e5e10f86dcef54c24b669c50fc3ff00b1
-
Filesize
707B
MD5fdda58c4502320cf020349b0811131b1
SHA1aa8fa03a28ca38371c91f8e128404e63cbfa3a3d
SHA2562ddaacfb8ced6e65cd53f4316079c25f34dda1957a5b5345665fa2d81d6386e0
SHA51288166ac034c01e343455d6f4768be806a3837a73c906e32d100b67ac8ec27c0606aaa8f6426dcbc351efb176b5dee03944b4e83292ab15ae39a8457647ec6b2d
-
Filesize
7KB
MD583d6d8f50559f6694a60882e0042454c
SHA1f39f55f87b9389274834958810e4558cdb4450fd
SHA2567b32fd4f912a0883f77fb7a1c73f4bee0ad82924051acb50d135b90e69bd9129
SHA512478a41d5109d37567535274585265a50166d8670e715251facc8ae6ca390c9dbd1e1cddba345df6259b7d97d21126c22a956db76167af77da3bf4c2cc8ca25e7
-
Filesize
7KB
MD5cdeaba31fa5993c5756e927a56dcef49
SHA14ad9fcfcb6a59b45e74167d98cdc588911772736
SHA25628aa20f8f506e62be409d6b9b7fe1fdefa88dc2161010e2a80e5384463a4353a
SHA512da5d9a4e3e798ea371e6f7f49e8c45bb9ab4ad2e09a70ddc9a1fdfd37341c52054a4404c7947ad51bbfcb23329ad3ace825dd8d18e8860e776b3f22de477e219
-
Filesize
1.8MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
1.8MB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
1.8MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.8MB