Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14/01/2025, 02:25
General
-
Target
3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe
-
Size
1.6MB
-
MD5
13a9fe232c423531f428e7ebf5bcc3ce
-
SHA1
7940d3296d943f8f54e6d2e58982812de6f66a79
-
SHA256
3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3
-
SHA512
ed6f68b31f034c49b6ef9a79a793d5ba46d6a8cffca33f1f5cdbb3db51ac6ae9ea5aa39ea7dede138c832b2a47c9f484441f549b163254bdbf5566a4590042f5
-
SSDEEP
24576:Dl2UpmjCMYU6XtQCBRSybXZgRRNsSSzUcYUHcAtRTjeXRE7QSvMllsWH4Xsmnobb:BdtdQCBRZX3HYUPtRTjmcQSTWH4Xshb
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 20 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 20 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8eZSrOPP4.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AC4J3hngkK.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"5⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dV69F4sOEJ.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"7⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KWBHRiM3K6.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"9⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"11⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OEffu0Lctr.bat"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"13⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b2RsHXtgrT.bat"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"15⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uhjF8j8k7U.bat"16⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"17⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat"18⤵
-
C:\Windows\system32\chcp.comchcp 6500119⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"19⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat"20⤵
-
C:\Windows\system32\chcp.comchcp 6500121⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"21⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b2RsHXtgrT.bat"22⤵
-
C:\Windows\system32\chcp.comchcp 6500123⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"23⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I3W1TCNLwG.bat"24⤵
-
C:\Windows\system32\chcp.comchcp 6500125⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"25⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat"26⤵
-
C:\Windows\system32\chcp.comchcp 6500127⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"27⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zd3m5m79sA.bat"28⤵
-
C:\Windows\system32\chcp.comchcp 6500129⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost29⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"29⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"30⤵
-
C:\Windows\system32\chcp.comchcp 6500131⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"31⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat"32⤵
-
C:\Windows\system32\chcp.comchcp 6500133⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"33⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xEBZwnpYP.bat"34⤵
-
C:\Windows\system32\chcp.comchcp 6500135⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"35⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j7nAGxaWLn.bat"36⤵
-
C:\Windows\system32\chcp.comchcp 6500137⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:237⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"37⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CRpzSJfEpm.bat"38⤵
-
C:\Windows\system32\chcp.comchcp 6500139⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:239⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe"39⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GogtzRNUlL.bat"40⤵
-
C:\Windows\system32\chcp.comchcp 6500141⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost41⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a33" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a33" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54ef3ab577fdbd5c7dd815e496ecd5601
SHA18dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8
SHA25672a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964
SHA512ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d
-
Filesize
278B
MD504f37fb9e3ae9a2d61ec5353f618fd2b
SHA11d4c6f2fa9b7b93d06f926e2948d62aaaa9d2b53
SHA25603a36ac75a91bcac60d273409a79ea5668dd170400f3d4e0215d17b9ff29b292
SHA512903fb2e7a82c9379856b3b5b436541e069624603e4525db1c7abd1f7d639b24e631d9eb86acd98b89f360842ef81ada05cb20c80726752e5eb681da0afbc805a
-
Filesize
278B
MD55ea86f510fb294424752e34c2e2003e5
SHA1711b1d6546ede7dbe829a17206f87f6d7a5c089b
SHA2560c3f35fbde2aaff71e03280d2a7c68ef22b10b92597039f54ac5cb0805306e90
SHA512248bbd35f807773c966aeb594f7dd74ab2093d1de738f7103825fab8345b537d6261592a6f7941006691a162c7f986ad1ba45db0eb0cd17a9d5814e010bedf91
-
Filesize
230B
MD5f303938358b6a187c1e5316981f0a902
SHA135d7ca34d2c34c6a636e178c6b243f532b1a4ba4
SHA2569825dbcda3e6764471b59d0004ae8298d55a1b119638644ab9e5307c192b5513
SHA512fcaf8f6a80277e0c854afe3d70289a047e856038fbde94c18cc79cef6bebb48fcb77db596da1122e61b772ab951c3356d97da4087b16763bdfd846628fd61220
-
Filesize
278B
MD5339f51ab1ea0d615ae43a71565b2df0e
SHA194bb7ad1fa9125be6080312c0e9204a10b7e8ec2
SHA256f168494ce4f8beed28fe5a854145a63f0c43e4e49c878000c00aeb88775a0a46
SHA512427654bbe7444c461d783d6e7eb3c670f6fdfcb6df101443ee0aaff5a9b89340d16069490d8f976342e15f54d399c25560ecf7174b65eacc91c6676a03f16be2
-
Filesize
230B
MD56298fd1c39e154f6e8de599134677ec5
SHA163fe6198daa3bf6cb6c53c846203b762d10d3b4f
SHA2567e977c48708c172b228e1a238c0adb1a7b6d23b7fe11e45d33d57f3726b6331d
SHA5128aa1146795ab0299c049147374a6a7c8204dd3adcce384f1a9a5ed4158422f7cacee98aa6b16320fd60b5aa22b5dd4b6c08cf5a4a79cc5f48e14aa559d8c56dc
-
Filesize
230B
MD50a539b9df715cc43a0c4b9d653120118
SHA16cc270c2cab312b50e53a4a7044a5baadd7b2794
SHA2560d0e0eaf183a10793c235880a53b3a95192029a50dde3b46157aee3771c3799d
SHA512056ab889f782f0a40938892ec58c7d7105e95ef1f16afa32f8f2c502a71f0db8451c17764284217727c21410898f64a90bb3b9d05e93d588dd6a0de6ca361d69
-
Filesize
278B
MD586e753358f8f128fc17d22afe9b8f49a
SHA1e2869b7d4216d6ec0670b0f88b27ceedd884c4c2
SHA2564abe1da3ea4dc6c247c6d626c98aae6fe1febf0854578d7cf57b3fd7ec724cb0
SHA512b4e5e8d2906d3447e2ac0139d988e609e7cee9a15e217251c940337c8c78119bb948af9ada1e5518afda9f0770e7624441cd6e8a051e2e536b3922329e65cd59
-
Filesize
278B
MD58b7b8dca2d155222d42af01652bbf884
SHA1cd694911f80f02f4c8011fed80b0f14ad57f0a1b
SHA256e93ada88dd187433f0a41c4bcecb7e9eb777f6532770b5378686afcbeef12186
SHA51202f0a2ab432d27213b8cf8a0d5cbd1111067448b139fb1eaedfc4ea49161a8bc229bd3db1159a15ab113072bbee90f8e7c3e349ebcd950fda26edb0c212ddd44
-
Filesize
278B
MD557bcbbadac0378399edfdc51e2eb6047
SHA13b7f13e5cbe2bb4483e36ecda47addf895cd7d8a
SHA256126c134427a73ab299b53356887ffa03539e0b9452cdfd294898a565bc329c8b
SHA51285d8d37c3c83892f2fb3258b45693b37a2f52b2765eac41390e3854fa5c1d1ad5076a422d2ba55359e003b1c190c8fc62008bf2fc97f725397c81e72fd3fb9b9
-
Filesize
230B
MD5a589ac811d7e324497c2613265610d00
SHA1db34d16b860359c7d0fd2de3b739b961d6339d47
SHA256e1e74d20c0d954a0e2ad73034dcc784bfbb06265e3da56361a2a7821b439ef22
SHA512f07ff4ff81e33dc390a5a433caa0364b41d6734fe2f8b962c25356b8bf0d808871e653de07ac8a015881bbe7c9ff74a15f17208a51362ec8cfc54fe56d73653d
-
Filesize
278B
MD54f6aec1288424bd99b36a9b6879c99b8
SHA14a7b2dec47e167d88bf53f72f4f5202ee5d5ce6e
SHA2567a12167059ca525ed02edfdbaedb09ef29d3dc57097e1d5eadf0f28352fe5dc4
SHA512d4454f27bd4338088fed05e80e5c25a4f4735739cf250d0e093b072b364e1cf731236c32f1172908576db072b6b8f5c009096d60fdbf8c009d98886cee8903d3
-
Filesize
278B
MD51ab5a793d3bad25515fe85ee542639d2
SHA17928436de94621959f56c4b204ec704c326e1d2d
SHA2562635e717dfe941e371f91b6e0d1dd373c4774a65f03b3925472073af1262933b
SHA5125207b785106e6bda7bada9dd4963bcad309a9b31d0b41229caec3dcf4cd0e2b064e6323747fffa63c6edab02ead1fffaa476002a5f3e84f416c11fe02b95f6bd
-
Filesize
278B
MD57a5012d229bc3265a5443d7268896026
SHA1eddf44d265784b920ff32d11a9a4455594d01146
SHA256bd9315741a1bdb88cf4593ceeb5bc60876e014a2888f35fc907eef49222c37e4
SHA512754221b343097f182b00fedc21aeb1ece7df825acc6b18d94df081968ba915f390f28f95b4193c56154206dbbe3b5bdd04ba8fa669dad0e8e875e9bbb78ec337
-
Filesize
278B
MD503b7c245464258b9fc110c41dc5291d9
SHA1b0549538fe8297c61e444d38f563b350a409b018
SHA2560efed0dff085188401b886991dd1f2b192d507dbd16e21be37562a13f088de37
SHA5121544f79080b7039f012a0e7a41b931acd933fe2410163c2a1762a7e6ce7e87626dae3e265d406601ea4986a1b2af2b6ad2891f266a9138537040668933e7112e
-
Filesize
230B
MD5b7644bd59a8bf3657fd8f1acb5ab8c3f
SHA120637c818ecf167a18c0f6b1e67fb294e5ebf5e8
SHA2566ef01e0f52ee211a26971a5c585f285c211b18c7d597f107ff45d6397572fc72
SHA51229dbf24890b59783887030f9faa465690972100606751475970a42d06ea0ae0aa499d953eaaa4b43f94ffca5f4d813bee5455a10b1535e255931e3cc47991899
-
Filesize
278B
MD5e7f3f7af67286a6c38c8c8998b28b300
SHA1dc3e86eed89189df2a864302a5bb80913f4424f6
SHA256d338cf0a740b44af3ba4865414727d5be97e9217387dde02fb41aa840f90d830
SHA5120226fb6214850d3c9eec5f7f11f8569e506ffce35c0e824efc3ece0e1c7f4c5ec4aa7a9065133f0cc1949208126887fd91f080556d542bfc088d9e8264c0236e
-
Filesize
278B
MD587f9b185911c99d5c8759d5b9d70764c
SHA167607da58dfa89064b4ed78bff3abb0c3ebf342e
SHA25667a19da657c29010874cb734e797a23087e66d0f18c5791afe1c697b59e3c143
SHA512a856c52baeb70d5c43fe8085e9b5491243bb952cb36479c6ed5c1ce2382a0ede44642a2dc692fffce793bd9cf78acc04c73587b1e47fc3b18dfe321a217cc037
-
Filesize
278B
MD5f4361e314c7ad5147279599390b01cd0
SHA19719ff1b1803ab2748b24646257ed9050f4b3e47
SHA2566553b12eb75542860539ff81caba61fc250d7caeb67360f0c795a9cf55d6b056
SHA512156087ed8d0dba0cd22dab66b53339f0a8858970d54cdb45cd612009acff743ff03b651d86484a7180157d6c23c86457fc8ce25d3537615dd6838b54c4fe233e
-
Filesize
230B
MD5cfa1d8145b4a1b1074c4e48a3354f69d
SHA1310fc4da66533c5e0d4ac9d2aaca2c277482db44
SHA256920268c494c9ceca016330a932b887a422f003b1f15af4a75739d766f0b3889b
SHA512c09734ce8ac2cdc3b35f66db51db1bd6a227df4c9f2e9a2e2a98193729a444cc3334361621cc006ce8d0e353b29f82c0b4b4099e6d668c2046145c5a8d8e69f0
-
Filesize
1.6MB
MD513a9fe232c423531f428e7ebf5bcc3ce
SHA17940d3296d943f8f54e6d2e58982812de6f66a79
SHA2563e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3
SHA512ed6f68b31f034c49b6ef9a79a793d5ba46d6a8cffca33f1f5cdbb3db51ac6ae9ea5aa39ea7dede138c832b2a47c9f484441f549b163254bdbf5566a4590042f5
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.6MB