Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-01-2025 22:16
General
-
Target
2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
-
Size
1.7MB
-
MD5
46702766a2b352b3db95618c69a14526
-
SHA1
0c2c1e90dc69c16e2b09b705f6914b2372431a59
-
SHA256
2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9
-
SHA512
e1f84e854034293444f0f3ce562816e3f011ec58008f3601e00a7cf7125fc29c2f965fad7a59498d4d96b941006f20a4dcbb3373b325cd9fb6018cfa2aefc06e
-
SSDEEP
49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe"C:\Users\Admin\AppData\Local\Temp\2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe"1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Me7UXZhmqZ.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a5e4f13-1c76-45d2-b310-a06ca2855c31.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1837822-e7b8-447a-9baf-cc03b1ee4e26.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3149158c-3018-4350-bc9e-bb93b8f33f29.vbs"8⤵
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05a0c0dd-2f67-43ef-9e1c-173ece6694ac.vbs"10⤵
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a8a470c-b7b9-4a10-b456-ef6a235c2ca3.vbs"12⤵
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a2a236f-84b2-4fb3-ac25-447f1b2ab0f9.vbs"14⤵
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\761999d6-6531-4a4e-9b14-7fddd00de4aa.vbs"16⤵
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\674f515a-eb6b-483a-b3cc-9310b1bab662.vbs"18⤵
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2589a76d-a79f-4c44-b099-46d5efe7425a.vbs"20⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cff5bd01-8687-4da9-9596-de2616aa74f0.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5058d3a2-bf50-448b-8df7-9821586cdf7a.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aec5df0-da09-4e22-97bf-b3a3d25567c0.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10d817a1-c20b-45ca-a010-739dd7d3595b.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9443727b-a63a-4bf1-831f-152d34d5ca76.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0a299b4-4021-4a40-8d35-096ce9ed4478.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbe10c8f-ac70-49a2-875c-a2dd4bca4a1e.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4626b2be-910b-48cb-8807-43a926a00238.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6954dc5-4a7e-4ad8-85f3-ca7fe15281b6.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5a28e2396c1a646be5ad0796db9ea089b
SHA1086f4e7dd0446015c4f965c9d847658a4c198d79
SHA256136d015280693b0ae2615fc50f0c4a202ba9179728e3efcfd01a5e0b9a2a2187
SHA512e9ff79a9291d50c8dcb4efaa4dfeb3de516026b8083611652142e9b94fc4b6d300a9e4c2757cf744365afdc898e6f9875beabb0834a3e8c8edc89a82053999b0
-
Filesize
1.7MB
MD50ca054d394141fe9e267ecb74526da98
SHA1b7fb1c5d4de7c5f4da9707cdc59e4f2393212dbe
SHA256dc0de207e0b6eca118f6a11465690d968346dd2c914be64692a8f29a9daa6eb8
SHA512e5683475ca176760f68e42a9268f895845eb0ca733586923046b048494ef7a9e754712e06960d8c53a3a94b0d7b591eb7c42eb11e20b01c046c245f1135b3083
-
Filesize
1.7MB
MD546702766a2b352b3db95618c69a14526
SHA10c2c1e90dc69c16e2b09b705f6914b2372431a59
SHA2562c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9
SHA512e1f84e854034293444f0f3ce562816e3f011ec58008f3601e00a7cf7125fc29c2f965fad7a59498d4d96b941006f20a4dcbb3373b325cd9fb6018cfa2aefc06e
-
Filesize
758B
MD5a3951787b94bd77a2f9b949701fad490
SHA1c7634b5a4e60b5b307442e649608363f58e35c13
SHA25670b9309edd83067ea9b362cd3d469120007f32f8ef545cfc17e51806d1ed0e25
SHA512070261bfe7801d39f5a49c4e67e783ccbea1228c6e91e890a6b053241dd8c7fbbb6ca3035b965a3d4def179e51cf010f68de79a42c7c1106194558282a0eca70
-
Filesize
757B
MD544150baf41f3f0d99afaf665236a4056
SHA154fd54bb8dfb6f9fdf06eb9055efe4d1348a1820
SHA256081da5cb9469e05e546b805f7d73f496c6d7b7850812fb59817535caf5e947df
SHA512ad64097f585f295fd7260f98ecbf10739dab6e32fa114ca9cae7f2df609e0d31433916054c8d045247dc18bbee094fc9feebbd0e61989d17cd782c819db699f2
-
Filesize
758B
MD5fd65d4d8042156df08350db46bfd66f6
SHA1b1d652cb25ab3d9fe6fad4c6f34eb60fd7a72140
SHA256af22458d3e3ff4226dd59c01e62975e7c64c9e50198c8edc2a63f7117ad4e1f7
SHA512d3b239cbbc424995824a5c7beab71a379bf3d1c8b2def329285fc4a829e8891e1e399efe9b29f2690b3eaee5c864702687fc6f00d58f9711b3a4189cfea552b6
-
Filesize
758B
MD50bd6c14d91f0a1570cc3a30442506588
SHA1153f1deb60fc4a58999918411c5eadaa2b52311d
SHA256d0efc06d9b49f463b27b713c3177b823df1374250765ea594f876f0ddb208ac1
SHA5124b544a6a33174f2469187ef5f5c832627721b9c66774d363ef5982aa3655eb8d5f08c615df75942e8f577bc8ab4d8c3dfb2343bbf10e98a34348d9099fcd24ca
-
Filesize
758B
MD581089d8cad6a0bde752c14f5e00ffab4
SHA1d8ba4d33c08b1ffd6941ef045141a7b89ce24e2d
SHA25621325917f4fafebb4e03e30a63a3ac901c0d32308eada5af77895654b09c13bb
SHA5129f0d978218aefe01659c2c591186d720d7e061ac6aed6e60bc4681d690f68b244b45e5bd7dcada08dce782ef18101eea62a1a05aeea890e3f1dcd46980410347
-
Filesize
758B
MD57addeb8f05bf7d0c72743e4a14091ef0
SHA1d6a538988f4727ff88135326065b9dcd46322436
SHA256a0966f3b4498a996adda42358b337503cbdc381c5c04aa252c8a73863bd1f597
SHA512f124067cb10ad18623218612d92e3f4718048d35ae32bf92c1b7988de7b6fbd679cd0017b066f3935c0e708931e9062c2f243513bf3fc9eb74ca43791f57086c
-
Filesize
758B
MD53463dcbe1ecf0b60db7f6e01447749db
SHA15c043dbeb898a2dac20531618a5dea255d5a3413
SHA256311842bbccd78129399cf716366e4adc6fa9723d9389a14efc791efaca9dc284
SHA5123766b5aded2207b2b817477d33ea6d035e1c553782960b1bfad5fb73abbfe3d78efef12eafef5bf3e12e5e1bcf719f995e3516c00c01067a4f40f0444c85779f
-
Filesize
758B
MD5c08ee040c2754ebf4f020b4473b9ca51
SHA187d4393f45dc3f26ac527d5b434524e005dc8c62
SHA256f356c7d13db81a6734233cd2a4c75096962ce91156e2313cfa997fb8222cb3e2
SHA5121b1dd8f4ceccd84e0e12c2cbd4714fa7d0f81c3393b166e0180eea34cd4fd954cb9451f9d8a09e686a259982b6bda12ee6c3c8174d88b844e2327efcc498c80f
-
Filesize
247B
MD58fa6b677fe3289acd32ccc24634de884
SHA166efb399cb824c3c881a72bd221e34eeb36859eb
SHA25612246e20c65a872c717acadf7661720b5ef446937448659ba743ebcfea234dff
SHA5122421492ce4946d93a1ccd3bff21eda6f164d28c5c6cbc92157b4cde5452093e11a4114bad6afa562fda27da28bb852a57ffb07101d3032cb88eecf6a47964d31
-
Filesize
758B
MD58320537fcad6c8c3b1b95acbef505c9f
SHA1eba16a9cde3b714ad1c511e9d0aadff4854ff6a1
SHA256e286d92e1bf6a6970ecdb41e2a4c696d9519ff6ec6463db2eb895c96a0444d8a
SHA512359ffe066f442213a7991a661651a52fd1f8828c8dc0a250990ca6229b416cd6eb7aa510bf872654c0867feda48c6267a83518f434e8104b958065e20268b062
-
Filesize
534B
MD5c5d7f042b7228fd2331408e42c38c782
SHA15c776a968164662393f247cf9ec26577ca2ba33d
SHA2564a07fdc7647f02d35ca9c9b371ff467664e1e59a1037caf1026bd4fe662e6ace
SHA512c364f4f173bbb711a102aae695b0d727160f5577075ce096543f31f3a277996a3a671c27997b55a121026eabfb390c8092ac1dbaa34316aa9311de52594a8910
-
Filesize
7KB
MD553a07c69d2686cda1a64e1b334e4a191
SHA14e4744b5b86a15c811ea486fadab29e6efb30dc9
SHA256b594e197b20eaaa2c8701bb7c1c8795fac2959936857bb8091fbaae831b2e5a1
SHA5121af48b68224a6291e579934adc2dca30e8fab8b03fd49d43cb62673b1e405eec6f9bc78b9b7de867cdd54327aeb0e5f4e08874af79cc42574fd800638f03d3d5
-
Filesize
1.7MB
MD565f36acc63b9393386d0ecfc30cef884
SHA1326638ad72ae2cdc0c9ebca240f1ee1d49193152
SHA2568cc2709a48c241678e7b4358becf6c2e2d8c87c410b06df68b78f67329cb4963
SHA5129bf94de022e620a13bfb0596badb1f0ae54d9b535530da9a8dcc534145115d8a44620f43d1012dc4e248f422d194263bd5038d80d090d1252dd6b2635260ef81
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
1.8MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB