Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
22/03/2025, 06:17
General
-
Target
070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b.exe
-
Size
1.1MB
-
MD5
8178e5a952fb588b857dfb7ad3317e6a
-
SHA1
bd304f931d02f01c5f3aa3a680e633b989ddee11
-
SHA256
070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b
-
SHA512
27f4516b3faebebe03564899ebe542687f69ba6e93917b66151e472ce011ce7e726eb814c5696d9cea28b7cd297bb32bd75a3de6adceb40e6bdacf18591da87e
-
SSDEEP
12288:d6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:d6NReJXJIwvJgVQSoPEzKkLXa
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 36 IoCs
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in Program Files directory 37 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b.exe"C:\Users\Admin\AppData\Local\Temp\070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b.exe"C:\Users\Admin\AppData\Local\Temp\070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Pictures\Sample Pictures\winlogon.exe"C:\Users\Public\Pictures\Sample Pictures\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Offline\System.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Offline\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\explorer.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\uninstall\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\ehome\es-ES\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ehome\es-ES\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\es-ES\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\smss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\WMIADAP.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b0" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b0" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\taskhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\taskhost.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\audiodg.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\audiodg.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\audiodg.exe'" /rl HIGHEST /f1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD58178e5a952fb588b857dfb7ad3317e6a
SHA1bd304f931d02f01c5f3aa3a680e633b989ddee11
SHA256070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b
SHA51227f4516b3faebebe03564899ebe542687f69ba6e93917b66151e472ce011ce7e726eb814c5696d9cea28b7cd297bb32bd75a3de6adceb40e6bdacf18591da87e
-
Filesize
1KB
MD5ad1cc08034a9d9f3f89208d039c49ed2
SHA17d0f739c13311cebc28cdb2335bb9dbd1b8c44fe
SHA2564472ffbefc931e6377faf5ae985c058321e6fda367fdc17fc6627b3103c5406c
SHA51228979090172617ab0cfc352f8f3bf755bf47719a42e2cd20870d6b54e3b9bf078fdc02fc7a8e8ebe911664febd501e22a12790ba5e6904c23ca96d425e443341
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
72KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
1.2MB