Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-01-2025 01:20
General
-
Target
3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
-
Size
1.9MB
-
MD5
6b9554367a439d39a00a0dff9a08b123
-
SHA1
e1d22cde90c297c10f4fcba5b3980e5d551eb0b3
-
SHA256
3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9
-
SHA512
72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720
-
SSDEEP
49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 14 IoCs
-
Runs ping.exe 1 TTPs 10 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\44k4a3w1\44k4a3w1.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7465.tmp" "c:\Windows\System32\CSC94EC12679CE341FEBD4CC78C6C19127F.TMP"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i7eBtVP5zJ.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SScKKiGWPN.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"5⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5kD435lcwQ.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"7⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AhXa08j1h6.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"9⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"11⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRBFrjfuSR.bat"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"13⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat"14⤵
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"15⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qTmai1Dpby.bat"16⤵
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"17⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6KfhU02lmW.bat"18⤵
-
C:\Windows\system32\chcp.comchcp 6500119⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"19⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NVJoNfH6eh.bat"20⤵
-
C:\Windows\system32\chcp.comchcp 6500121⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost21⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"21⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nLkpgeVQrJ.bat"22⤵
-
C:\Windows\system32\chcp.comchcp 6500123⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"23⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DqZM2URRQk.bat"24⤵
-
C:\Windows\system32\chcp.comchcp 6500125⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"25⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HY3kVmQ00V.bat"26⤵
-
C:\Windows\system32\chcp.comchcp 6500127⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost27⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"27⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat"28⤵
-
C:\Windows\system32\chcp.comchcp 6500129⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost29⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"29⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a93" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a93" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD56b9554367a439d39a00a0dff9a08b123
SHA1e1d22cde90c297c10f4fcba5b3980e5d551eb0b3
SHA2563332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9
SHA51272ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720
-
Filesize
1KB
MD5af6acd95d59de87c04642509c30e81c1
SHA1f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA2567521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA51293ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
230B
MD5f7b3b6ac31bcbea1576ab48f2d39de75
SHA1109f94b5d5589df944ba529fe8ab8fe0505c5678
SHA256d216a334df7c37e6a1903f98241c5acb26bdb4ba182c9b1da9cb8102cf852ea6
SHA512380af574af358bc11a139f6019077580e1f72da0268bf20dd84847f15440e9a6aa6ae6c268889d81348255e1b79c1ca577495414447db7883413ff0e893e8ad0
-
Filesize
278B
MD561ec676859c92cee4203c6d73bf73443
SHA1191e82cc6468ac4bd28b0a23654c4dffc0b03657
SHA2565f6b8c69306df5c903855e2d1b1536083e8a16c20a356e29720805bbdb426235
SHA512f6db108f63df5ebf28b8c6e920fb8b99e08c8a89250d36ab16b66f7e9407741454b2a4ac7f89da67fb7cd6e131ff7e0121220ba16881eea82c5a9ea56541a205
-
Filesize
230B
MD538a2be6a89a273976ec12799365cac8c
SHA1d40bf0709ea057505b2bbb67d01dcb4b10aa6871
SHA2564ce16a8bcf1e5e1441b1378a5f278606e46f3ad02575b5e3b1e9a561f7b57a57
SHA5128124230188b72f105d214df845979cea5ad02cc700355d519d88fdbf3bbe27eb0571c4c0220137e8c381d2ace0f38273fb41dfe3051c447c32ef9c84889daa04
-
Filesize
230B
MD55c5b9acf2367dfcce28ef8461c43b857
SHA1e14c508d46ec06fc64e7cc4d5858f55efb3bef4b
SHA25604f9ac75bc0c2c12ec36729600c722bb6c56aa6996bcbd04318359f94fc9ef2f
SHA512e5588330a2bf8e557a3166b3e9dbae5998a7666b945618ec1d94a48a38fe50440a9c3325a5503a4aee780f7703680cf6029f29320626a76f54a1ef773c874039
-
Filesize
230B
MD5a4f9d4d350add8c8519d959d4433223f
SHA15ccc903e31dc0c8bf616991fad097075cd2686b0
SHA256ab10494ef660a2242ad76db3ef6d1d994ab3a622bdf0592f88c2edcdb28443fc
SHA512e01ebd81c0359f38668e940b22fde86d11ccc6be4b1c950bee02163d9f6437f6970144a4c20b217eea166933f678c752f7fe424648549d3b2c927ec3e352c4d1
-
Filesize
230B
MD54f5f40cce005cf145a84184f4c634c03
SHA1d3794b15025de34b6bb57e5b28d935089fdd7260
SHA25601314e4ef146048ff9f138f9182a962570cc884c85f7b65880a98b4d718ad4d2
SHA512cd9b07d7a00dabd8fb219e0cba364c4f9ab85dd258684c91ea2ad87a15bfb9f811bcbc0a00f13842319ecf621bc88fe5373f32a69dae79d72d106756be2c0245
-
Filesize
1KB
MD543dbb9194ca69ab4e69863a73e8fb69f
SHA1ffb5c8e1e06d6ce924de554a6851aeb76600fb6b
SHA256a0deadd93dbc4f99634e808c853cb531ac6c2ce9c59bedd94bbcaedeca84179c
SHA512a2dda4a220b4d7f1d7b746ddde253cdda5dcaabc2fd013336c2ded83162ad0fa63b4ea9952ef517ddd7fafdb3b92d4d74e7d729406bdd85a61d6a24e4357fe6f
-
Filesize
230B
MD505412ae45ac840be2ca9a648fc696051
SHA15595d980783369c97985eb65da710616e377c8fb
SHA256932863dbc715ffae6cd857c355cc55c9c3821ba8789a49f3be7615008adcad06
SHA512cc31e5a9d195ae3812261b3d8b03d9724eeb19780c290137019486890cac239e5dcc98c3d9053dd2688990c44d0ae76f826767b9cf46a107a2fc97dc0044a047
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
230B
MD5fd57989adb4f877c18649c569cf3fcfc
SHA19b23967ace3bed295a00bb13f3f0e4f9a989b505
SHA25690d1b5ecb451199369dc12a819ea049f9ed245b915f54748b3955ee97ecb2825
SHA51253e181fb5b9af9c172d11509f7d1f954d190c722fa97755cca6014bae5257b08036f5fa9eda83b9a554c4907863a30b8ead1844222013d1fd4600ff2a899ffc3
-
Filesize
230B
MD52da79ded516862e0af58586d4e0249a4
SHA1a09b6a9a979d007bf0df3249882ad637fb786a95
SHA2565aa0459645f27db2969f2eacc643f1eaaa055e23a9a2dfeba6937ba61cb30ee7
SHA512f107aeea1dcabbff217a754be6cd8138531f7bf74843aed4dbe38d3b12f541f50ea86618e5d6dc309e6f68f4a4a942a2cbd3e5c8506b80c0a4e0bd003ec73720
-
Filesize
230B
MD59b9686efdf0c45c991d319a5794db0f6
SHA113bd2c25cc9febacc63f2d75e1477b40e03969a4
SHA256007e3b3aeb905100d920bbc8f37927bf858bd9bab8923b34d5c58855ba364d72
SHA512c241ea9ca0c03c4c2f7690d73f35b02b29bdc08ac11f43546f180baf7a8c8e22279669cbbe8afd1e0f63b40cfc2d7821c0326c8d653d502cab496c160e295e96
-
Filesize
278B
MD575693b3e0e8a9dd8d9b762912321087c
SHA14272f66255df12f220524fd13e3cf7c9d6b0e76c
SHA256e5e434b183a95fcf64d38c36181759378d6fa438bc02c3482da53c9d9c2aabb7
SHA512c5c56e7ee8f0886a5b9f4a125cfa71b2d157206da2eaddd70eb1f6d28071050508d52c1ad2dd4d7dde65d816122913aa01c07cd90ca8615c399eed5b8f260843
-
Filesize
278B
MD5a5462250812c5ca5b1499789d1b888dd
SHA18a19faa696d85fb9f24943836e24e18eafbe7e36
SHA256d9cdfcbd654d1264bbb195e6429f3b954c947ee1dfcce12edf6b59d85b29a551
SHA5122042f80cc9831f58043786330cd28ebd513f90fb7d4a02c4daf7c12146ae8ddaca87324bfeb378bdd0427bf6ecc63aef31f65b941be742fc4cfda680741d224b
-
Filesize
278B
MD5a10a5957eb9fd7df8389f0ae3f49142b
SHA1184ae7ffd95d54facbf89d876055e053f7ed1756
SHA256f11b2f08edd2ef665f1adde8b75c01e10342c32cbf4d591eb28f920a09eb44c0
SHA512ca978e39800dfb84ac07179ae4a088d0f06079bf2dcb20599de3b58550aa3f467532dc51e74cbd8b5c9b78ee3da4951235fba359329cfbdcee0c745ded36f163
-
Filesize
371B
MD5a80b5505f6f57840f5458e4186dddea7
SHA10e42217aa1c95adb4259d1bf9e0dab1129989663
SHA256e9782dc46aaee3822af26213fd7fb613136129e179c5ab6f80c594f6f83ca5ca
SHA512c94c1a8e58aa41b8ebf300389670f1ef69ac65c999e13030bae601abf0cbde34e0969f45829780fabf743f684b889fd5901be7d3d4d812d4cb71659b84f60f37
-
Filesize
235B
MD5fef54810eaae33a144026e993999eed0
SHA1717379ddee35bec0afd08c69d297acebdc160c11
SHA256de2a087d05cbd4ce4971c04e98610541fe13e7cfe57e4f7aae1dfbe350f741fa
SHA512175c7948a10f4303fb2f559ed5cab29ea60ad92917ee3826b7b74211626eac129f505648d250c2ab6bfc3eb8697cf0503f75f9cf0f8c3ed4e4e5c944f1ee7988
-
Filesize
1KB
MD565d5babddb4bd68783c40f9e3678613f
SHA171e76abb44dbea735b9faaccb8c0fad345b514f4
SHA256d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f
SHA51221223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf
-
Filesize
1.4MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
1.0MB