Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-01-2025 11:43
General
-
Target
OneDriveStandaloneUpdater.exe
-
Size
829KB
-
MD5
c1f1bea182f1c3477c2f133c3ac26930
-
SHA1
2145c09d2c3279ac83e844c4d80e7aa219e99b8d
-
SHA256
1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5
-
SHA512
6af6336782b29bdab906e4d289cb5c2c8500ba8a20dee53def21960e62afc28ec6756b746b4e4036a30726984a60b656b3d529b4abc119953267e91be4992a4d
-
SSDEEP
12288:P6TnOzi5kaag8hpT77JJMA+XSpW3Ari4VVyZC0+1cw2jINof7+vEnkdsOZ6:P6TnYa+T7dJMA+i3iE0nHfW6
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 21 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 20 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 21 IoCs
-
Runs ping.exe 1 TTPs 8 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"C:\Users\Admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ct0iz23y\ct0iz23y.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB650.tmp" "c:\Windows\System32\CSC9AD9902F5A204CAC86E2B365C466CDF.TMP"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\MusNotification.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Registry.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5wRJdzXquQ.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOQJjcW06d.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1NLBXx3L0q.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e1ZPDUpkB4.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m6vhCtVZgO.bat"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ij3ogloIkp.bat"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s4Al4mMfKa.bat"14⤵
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat"16⤵
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WwD8E48ugj.bat"18⤵
-
C:\Windows\system32\chcp.comchcp 6500119⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m6vhCtVZgO.bat"20⤵
-
C:\Windows\system32\chcp.comchcp 6500121⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost21⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ItcmNmazXC.bat"22⤵
-
C:\Windows\system32\chcp.comchcp 6500123⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tI0tYXMWWV.bat"24⤵
-
C:\Windows\system32\chcp.comchcp 6500125⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VvHaJEFDnD.bat"26⤵
-
C:\Windows\system32\chcp.comchcp 6500127⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AoGVOMtA2s.bat"28⤵
-
C:\Windows\system32\chcp.comchcp 6500129⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J8RurXaqj7.bat"30⤵
-
C:\Windows\system32\chcp.comchcp 6500131⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost31⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat"32⤵
-
C:\Windows\system32\chcp.comchcp 6500133⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\55qZ0E2uab.bat"34⤵
-
C:\Windows\system32\chcp.comchcp 6500135⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat"36⤵
-
C:\Windows\system32\chcp.comchcp 6500137⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:237⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1iyfU6Kdf1.bat"38⤵
-
C:\Windows\system32\chcp.comchcp 6500139⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost39⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"39⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzP9pAsQzT.bat"40⤵
-
C:\Windows\system32\chcp.comchcp 6500141⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:241⤵
-
-
C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eMBuAd62pF.bat"42⤵
-
C:\Windows\system32\chcp.comchcp 6500143⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost43⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\MusNotification.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OneDriveStandaloneUpdaterO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OneDriveStandaloneUpdater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OneDriveStandaloneUpdaterO" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
829KB
MD5c1f1bea182f1c3477c2f133c3ac26930
SHA12145c09d2c3279ac83e844c4d80e7aa219e99b8d
SHA2561054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5
SHA5126af6336782b29bdab906e4d289cb5c2c8500ba8a20dee53def21960e62afc28ec6756b746b4e4036a30726984a60b656b3d529b4abc119953267e91be4992a4d
-
Filesize
1KB
MD56a3aed418cf5a7c9aa5b86d639268376
SHA135f8a197c9336320dfcc221e4fca90b59593cea3
SHA25685eceb3e29340da0671ce59e5b4fffed73f2f3917b617c0422d526b5ca842ca2
SHA512855b2e1c90eed4216f896aba0745ba21526f2810b81145360ec2fecf815370f5a16e47d6d631d49405308ee9dee204df554cb85091ad7d0e7a6eeb73c72fcbbf
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
242B
MD568e1bd10ace145b4d2428c021a131a52
SHA170828044696c8abe4abf92ccbb3fcd9972448d2f
SHA2566bad743a8db2a7edba84af54339230ffc4a3eb00f62b09083e7954dcadc080de
SHA512e789031064781ec1abdf4c2e6cbf94a469c15b5844b6bfcca4c062424ac4aa689b8c3b0e3fe6014bf1b4f64feca87352816531bb30cf7ab16771de0cafd95f75
-
Filesize
194B
MD51af154ae56e00bb331f60ad7bb5daa36
SHA18804fcae58eacafbaa75b419bb88ca5dffea58c4
SHA25682e2a6caee26941407a0418a2e9fedaeb186c350549b2f8e3cd8ac4df3973b50
SHA512a8fc3fb79ef3ce4b60ebb2542495149844be666d54b3b6dcae0808fb5173af0ca40bd87a24bed0522aee0fd269298c5cc0a558276e92d2c11bec31084738b725
-
Filesize
242B
MD5157dc12f52b0447ece9658f40a84c6e0
SHA13247e9cd4803ddc00be118008cc2bccab33ab440
SHA256b92c0b8e956e53e17e14cd7961551387e4a9cab353b235ae8b01ab7b0eace036
SHA512484d5fc3d09de08368bee50be538e677cca747112297e4642eb6ec70a5cf0a3f6771d27ab0387669a4cd67d6676f60a9ae6e89a37e03afaca1ea988a767931b8
-
Filesize
194B
MD5ac24856871f94c70898345a2b43993ab
SHA1125b97e31c430aa2f231917e7246544edd4e23ea
SHA256a9f041ca89bd633f08dbf29863da70701721299daa17d40c64e61969538eb960
SHA51298b35c270c42fea9ad162e99464d77941c5ea71274b8935819f644e17fc6b4a7f859dbb1a177acdc31cebebcf0b04964074fa8ed7fbd67e0ac2de865d9b22592
-
Filesize
242B
MD5f88aa9a92609b7909447603d4779bbe1
SHA1f206206862c65db6629eebf35c33a69a35dbd1d2
SHA2561ddfb877b133dbd508183e1c703991dfa8c5b746513da92156ebc044f2e0f2b1
SHA5128af2939f17d14c9c562cdcca5419e9a2cc32856c1af0b274689f7945490e9944919cf594e3395b4c36c4c81bdb02ff0c5ea4c2b85ea2dd33285cc3bf5d45298d
-
Filesize
242B
MD515e384260064e5de4febe8c30de99046
SHA161467a4314aacf61364795a0adeb7b970d9cd13c
SHA256a9d6ccfa5707b37ac1796a7498b99ecf19531b4fbd0bbfe3d912f198cdc74457
SHA51250475fb5b487661a69deaf5ef77458ca4cbda3aa1b4380f73e2997694922ff2a226d180121bc8fbede2ef3fa5f141557bb7c454658be9e2b1947dfc95cf7f101
-
Filesize
242B
MD52a21c9b08e4654a42b9e9c83937b6fcd
SHA12e729fa1f360b3bc9c5a39e7880f861e3a93ccfe
SHA256a818d936e81ad7a86a484b7286081cf1530e75b24710c5337a35daaa46b0c26e
SHA512524f1f53e672d98984dcb382ff6344cdb18427eac67705ca3ee7d0145a199ed2c827f284574abbe46f52be245a300663c83a2c603b8a1df943857cdebec147fc
-
Filesize
194B
MD5e71bccee1bee891234cb7932aa469628
SHA1fa90a2b0a7affccb10f9f70d52f053b37f4ae578
SHA2560f221502d3175a33b964143646a8f70c7257a4d5f8184d2e04745e191eb78149
SHA5124e73035961df15ec4c5858fdd7d991160843bfc94de167ec2963b47375b6013c360225eba64bb3115a6450d609660bd75809cf06aa75d67550d7b2930eee7c15
-
Filesize
1KB
MD51316f2c35134b1e599f4dcba2e15f9eb
SHA1cdd5718416dab1099ab7b057bc6b954927762d80
SHA25648a3e89dfdff1e5845b6a791f5ce301c19bfc157d576f881557107989f67abb7
SHA5125ded10207c2db817ae1faa0d9f67303eff051500f055b5abcf0a03c9b9060e08ffb1f99f90fa415c3c194ebe66308ef24f894fb9831df33e7f91009ccaf876e6
-
Filesize
242B
MD57a0fed4bec4b50022e2b3f3f2d987273
SHA16f6a16d96d5cb6f5dcc8f37bb6cbfc0db0650f5f
SHA256e1ead8d728b636b0f714adc3cc3c54102b906745bf5a1028191d5c23f6f451d0
SHA512f89a0494b57f7182b295507f9f824d939691728a4d0d298801e2852e8f3ac8f353472532ccbf0f7ddcedd2dbf2b2098414a894a98e1324e06a5eb15c80497ef9
-
Filesize
194B
MD595d31f924c485d1b9c1e2e30bda4fd9d
SHA1fc4a5e69258b6326216650af8a360752ad2786ef
SHA256392bff84ed42327586c0fc77f3cbf1c256a71437cc10a9f36f23f013d8a1618c
SHA51253d7d37b22601fe2696460558b16aafc10c4154ce94dd3645c6b8550795a5110147c47472c166f8485f88e2ae3ec8ef7dc4be358e722166d42bc33a3bd6df1bb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
242B
MD5550f2cc0c3a5317e33a8d21d730b5578
SHA110a5b98e5025ce1c32f82dfeec1b44d1c568a694
SHA256fd9de16acb1b295a0fcf00999f8a77b200e1bd981a501570b19744719cdcb760
SHA512741c1cb73594e9fa0a820444cd1e451bf78bde748f8a6b45680a3ec544c6706bd4c1818ed6d2d6165ec5212a2469c6b91dfb07fb00841e045672d634988a2f70
-
Filesize
194B
MD57de8001efc44e8488e93978db44c3c91
SHA198bd3318da7f4382045f4f4ee580052859e33e3c
SHA2561dd34e3298e3634221b90a4ce1e1a9e7023b936db7beafa90dfac0416d1edcd6
SHA51255882614d47006d12243de9ee7196a9983360012a7a5ebb8ebb6bef4fd1755693b793558379371ae9c028e5e484e3768aa9d405b322d332ed0eb563626d3ae87
-
Filesize
194B
MD52d72b0a587f9b7ebe2eca055993e1bdf
SHA1acbb68ba5913f37654c318da4adac549d1af11d0
SHA2560404554abb034c0e8cbc3b35f717fe5929cca9b519d1c972a8b8ca0c382996e7
SHA51260f0bc535a9f37b4e7cb683e8e5d39f4add430a8a53f7c7efc2a38c6509f4faf7e838e45df93955fb00e730cb2ce864acae786498daee99bc82758d8543234b3
-
Filesize
242B
MD5272ddd713dffa9e0560ec9abf0f16010
SHA1a41c73786b49a0beada7329c1670b82b6a594f83
SHA256e0d5f3a9ad27e627173dd039e72b755d6f92938117c5a97364e2d2f0bf5d24b3
SHA512d9defecbd74c161609e3acc7f4388d6e6255df6ba432e2ea4dba26d4686b5aa60607b09441591a8d5b6789344340bf6f6a3d5973cde23a7820ec5bda8ef7004c
-
Filesize
242B
MD5d2c6af0c09cea62072ada244f660e22f
SHA1cde615ce19b81170c1c6817041807266e72525aa
SHA256debccbb859d5d9bb399bc5d8b7dfaddc4c1ee5289c81ce4d9c0fc6d9e1ae0638
SHA512e3211d8f8c372f18b1f65b9265b2e0de5410aa600ad6059ea2ccebe6c8edf648deea7560ca0f5b9b9d2d3c4258dc07b6f0639959c7e7423416138bef5804c40c
-
Filesize
194B
MD5558904aaac76de86899396694e6c52b7
SHA13ef6db19d00709fa252ef6503c66767202dbda54
SHA256e3f6384dc86b8b2f68153172eefeec7bbed5bacee7e1cd3d0be9cf60ff9d82fb
SHA512a40ed81464a3822f04450ac2b9d9d53b1d17735bcc38f1a2641b335e0ec3fb7068c3d516637e57c0cbf654f88f537423b233255ce63466898df09bd82c244330
-
Filesize
242B
MD5fbdc3796c1e3b1ac7a6c736f1ec45f46
SHA13545f8f071cac5a7f477e9319f313ceea9352a54
SHA256a94e26bf61676279e87354b15104e833dcdd6163e2720c3f0777d092489fb2f3
SHA5124ddd262fb9b259694aab823af44e8f005b82f1e15a41f8e4eda74e2453ba8e69b8a19969dc52d6276bbf938d4d5f6f4ed1cb80cf1dee93e06e84ae25e3c91029
-
Filesize
242B
MD518eb3d5df97f8ca270f23bdf396b406e
SHA11913848b6936996242877b6d531830f102c3f740
SHA256e55ff6133222c9a69c729b2e1e05fe4c02d14f2fe3fa220900947398fa66fcd4
SHA512e03df75ad097cc519436a7549f10075be0b96eca2d4e68aa44a34ae5d3f4175cfc073b39f58ae8579d6410fe88a33243c3ceee857c9aa580267a1ec82ec75c65
-
Filesize
242B
MD56013f408f61b58be72b9840f478d82c4
SHA1bea7acfc7140084f42629227c3136faec60d6600
SHA256bbd6234d413d66dd1c32fef9171055158b0e0ea63de98592a26dc175bff4b5ce
SHA51285937f4d0c1ac7c683929236dc01b72908330973f74b2f4ab19e0fa397df895a14ce60cb9d39bd780638e676864af2050f193d98f0aadbb0c3dfd6b4c916bd7e
-
Filesize
361B
MD53487ea1351c3bce23c945d138b008560
SHA1fa0b103bcb04469018ab0d2570964a9aea81a37c
SHA256c6ea865c909b857a3825460e88b195d7693a73e8e22b88fabe1e0c27f9612876
SHA512cc8172a724c471e3ecd1cb50e2d0d3ff1fcd62a624460962ad8e8acb54627ec1bcc0ebc4fb7ae5336b8d48c924867296ddde9b9f89700a212cc28f10fd092c53
-
Filesize
235B
MD55673f1c72508fbb1a36bdf9b33d18453
SHA11566b4a7ea7b3c98ff16aacff6838e9c1c75fe3f
SHA25651459c1d5b81d9d580006e4ed14677d0ba860f945e2253653c54c7285af24af1
SHA512192528a7d051c066cb0608a99fb4f68c36c5113e3ddab8a2993f582e91566511ee2fb903124e6955d85c8466d984b63ac2195cad6d2d9787a89767c8eb72f2ba
-
Filesize
1KB
MD5be99f41194f5159cc131a1a4353a0e0a
SHA1f24e3bf06e777b4de8d072166cff693e43f2295c
SHA256564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf
SHA51251d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
856KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
136KB