Analysis
-
max time kernel
149s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:09
General
-
Target
279dab20ac900bec30b0f1793b059f0d.exe
-
Size
885KB
-
MD5
279dab20ac900bec30b0f1793b059f0d
-
SHA1
746b709243322cebafc65da649e8b2a9955033b0
-
SHA256
035e4ad513f0cb3ac0e1ef6c550e753ba271cf1795721a84f019c877cc53bfe5
-
SHA512
5a02f8bef439ed12276e3e7fbbb0b405988289cb2958c33a26f22c5a21d28f0befa0cc5df26abf1e1a51a0a81d37f2da945cc22f48ebd20503e7987ec5265338
-
SSDEEP
12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 13 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\279dab20ac900bec30b0f1793b059f0d.exe"C:\Users\Admin\AppData\Local\Temp\279dab20ac900bec30b0f1793b059f0d.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\279dab20ac900bec30b0f1793b059f0d.exe"C:\Users\Admin\AppData\Local\Temp\279dab20ac900bec30b0f1793b059f0d.exe"2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rUDbQWxsNg.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\090123a8-e620-41d2-9697-de4ddbf5be50.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e5048e1-4f64-4e50-9592-dbe19f6d4c95.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b8a3d8b-337d-41a1-8dd7-79b94b8a5abe.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b26af3d-39c5-4e6b-b97e-6ccfdc1221d4.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3afdc0e4-cd22-4205-9493-c91bec976f02.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec01610-bbcd-4945-8607-e82fd0fd5830.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d65274c-0ab0-4595-934f-96e8e20d96e1.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de74454b-c50d-4e7b-9efb-8556c3030bdd.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9be92698-ff49-49c3-91f0-f75fa540081c.vbs"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\644abf84-57a0-4a5d-99ab-4d39c6f8760f.vbs"23⤵
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1746c71-aa13-435f-8ddb-0b8ddcc01dbc.vbs"25⤵
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dee29604-5782-40c2-97e7-dfd0ff4aa771.vbs"27⤵
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe"28⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbfcd212-0cfa-4c0c-b631-af7013855522.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a041f12-b30f-4a90-81c8-4a95887b6a11.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36cdfd24-7f45-42f3-882a-b5715411b3a5.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0844bac-c02a-4c63-9412-7f91b12e3e51.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6790e82-64be-4bf4-92c3-497682e6fc94.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6122fafc-4db3-4683-b35a-e4b4e847efee.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b083e301-f03e-49d7-a2e3-d7408b57353e.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86f3a05a-2cb2-478f-a649-72ddbd434e4c.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b7c777c-0b53-4a1b-a9ba-dfd0a3474736.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f113a2db-a11d-4fad-93c5-8a7d24b6fa5a.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe41c0aa-30b3-41e9-b325-76b25c639142.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01d6cc36-4b5c-4fc3-9e68-7d4550393a78.vbs"5⤵
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Raga\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Media\Raga\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Raga\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\4d7dcf6448637544ea7e961be1ad\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\en-US\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
885KB
MD5279dab20ac900bec30b0f1793b059f0d
SHA1746b709243322cebafc65da649e8b2a9955033b0
SHA256035e4ad513f0cb3ac0e1ef6c550e753ba271cf1795721a84f019c877cc53bfe5
SHA5125a02f8bef439ed12276e3e7fbbb0b405988289cb2958c33a26f22c5a21d28f0befa0cc5df26abf1e1a51a0a81d37f2da945cc22f48ebd20503e7987ec5265338
-
Filesize
1KB
MD57800fca2323a4130444c572374a030f4
SHA140c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa
SHA25629f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e
SHA512c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554
-
Filesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
Filesize
514B
MD54c01f8ae021b2f503af513391109ec1f
SHA12f194db5c005462008bfe5cf77d51468fd45d0fc
SHA256b8f1497f9d9683a4157def66d4a70969011329e53ddb105ede70abccddc6912e
SHA5129e5ac0a41aa0f9a24214afb8d496cec75196d0f1c6ad6288120458d39531dd36230885fcb027d91a59c1b1f61fe60eb07eda9667f21f74d2da8b5808d1e10398
-
Filesize
738B
MD577180def0b7fdc0c45081e0d32804f10
SHA1ca2e034443aa7d1cfa48e9107260ab16260e5bb2
SHA25642053a179d2e8a40c31d854f31a971e56289fe05c379015565cee82b97c9fd18
SHA512fca7b6c107cc62a16bd603bcec53a4afafdd0058fac5e6791c30d29cb2b54d60ca77049c8170be246bcf6e65324575ab14cff95caa32ed7eb9079c457652ca4d
-
Filesize
738B
MD501a0c93cfe789c8fac6775143a108571
SHA1b0f7505606c2d436611cb9a24fd5565134dfb328
SHA25612671f2aa10782c3b748dec0daebe867b02f7d30f5bfb776bc00e0c1b3040768
SHA512b3286adc6eeb5a9cffedae803344cb834cb4e0dcf273fd05cb47f309804290691d02d7f88a341bf2a5a166dd8a771c684be4c5e1fbccb32784ce560a5899f583
-
Filesize
738B
MD5edc9526dcbc086de413a0c6a23852af4
SHA14ec324fcc87911953a30ad43bb16efad133c39b1
SHA256e153b2d690001ba69658d742671a85e4cc2dacd386a5d3d4ca22f1bd2dd5150d
SHA512b4b43593c512b2b45cdd7ba7ca56fbab7d9f0457e7814eafccdd650304ef5e433460a39fd1d586b64786655a79dc7b974769d358a75d35c738afd02d047d37c5
-
Filesize
738B
MD57f380b7bed708882b5eeec7b4f26923b
SHA1d94a57c91023689cc7ee56da50a6b06c909aebcf
SHA2563d61c04d2c7d01c8db81b1fc414960e5a306ad1511e68d84c70a3afd05cc58f3
SHA512aa9cbe87ce1bd29e8c499e050d035c749539091c9b865a9af832d8dcb1f3c2535a65ea64ab4c3592877261a3aa9b83980b66e2a880b7852c9b3be4b5263f1228
-
Filesize
738B
MD5ac1cbf7792224815306fa1515f6e7200
SHA15e29139bf493c15bdff4d4334aa10cc80b4ed07c
SHA256146d6ff939351f8a3c5bdfba83fe7021661fdd863cb30d21906f169ce0ff6ed8
SHA512950abba4b8d7694abf4825a8935f33c01c24be98598a4890be685bb9eaa0dbc4e0159081917ba081fff555290bab6e116077c2808132bd7ac4df648ecbab4792
-
Filesize
738B
MD5827336bc1d1d411b9ef9343f96d7af83
SHA1898ca4aaee50d20a337622cc4a2f02eaa876a084
SHA2563c14baf502c8ab1b11fceda739eba9f1ac23789ad4b9739ebc575fa5a4ef8cfb
SHA512535fa9926011f1e06b63a76c49640deef0f564c7aa6a5d02a7da1b01de617fa6863e3f43328d47b33b18a3c9fe1ed53b8268d6c8cb5830de42f7ccb8feb4b31e
-
Filesize
738B
MD5822b5853d9f19e8b5dc1b2cee7b01923
SHA11b01cad890d209a2697e89d51506803c610c0e90
SHA256f8b326eb6c87c5e073b9e73abe61df4bb778cd17c8e7161d01e0b88f940483b4
SHA51236419d7b00a4c1f4c683d1ef5766baa99ebde18288a97af26cf7a314be68f28f7165e49552a273a3e6b62858aa393e63d3267d4dee10f3f332c352556b7ce067
-
Filesize
737B
MD533f63aa4fc52696061b452b25f1c9f0e
SHA1e21a7c682c494bb303785573aecc195399cf7cc0
SHA2564af4c00cf230186810cb758ea56278d9f05a45755a0fa5cdcb3adcb891134a29
SHA51204281e3527aa1ab67e9dc9592e596be280be8c01ab8c11285b16fbe642b1a5ba4449d6e8ad99a2c34146bc593b8b15b0b1158b790632c84e9d11df103f85cd60
-
Filesize
738B
MD5cdf086110c5717b9309626424e43de2d
SHA12d04b149aaed06abb56ab70682dfd93514dd82e4
SHA2565b9c47c83cb90c124451420209c41ff6637cdebd43ff500bce9a69d903eb1bca
SHA51294fcd34fe7369c69eacf40c515acf12295dbdea0fce5ef0b15060c489b275bfc5530563a1959d431e5551d34b5b7d33f35af1572123438cec18b8c6c4b69bd02
-
Filesize
738B
MD552677f3edc7fa15e5b568858853551ea
SHA10f873549e960b57632115baa2670ea040f18c6f7
SHA256ff14e10495073c3e8decce372364b843f50252ed9a6404160ac751bfa36ae777
SHA512bffb651b8905649c0147f0a3409c70e63c1fc0138abadeadd88a3879d731d5cb04529e103da35dbff52c117e20357ccd8f9ef79369a1f0c5e4f863441518c099
-
Filesize
738B
MD5d3255d9886cbef1fd2c6c97a1af2a5c4
SHA1ef128bcefc51e0968d5b72abf2c57a9ecb0b7b21
SHA256b20b1d8b613007c88d62de97205099218eea7d863cc1c76dc7435cd90ddfe6e9
SHA512957f43809d6397a9d545ca7108b1c068647826a213a239848ae85eae341b131166e7263fa80240f7510490a81220f6de5b177507a09e3e17a5c7b23756ff1fcd
-
Filesize
737B
MD5b5970f7e2e14cb56735400e5bdd69ea9
SHA1884dd670e5dce2560ee01ab35e3de7c2ad30228c
SHA25648ce80ed2d9f2df25bb4ffe10814334069a7b5e25274ad116f034f24978cd19f
SHA5127f27c8dd71ee2573cef023115e29e8f6570cbb0564fa674e6b49b8da93ebb09330070656df3860cd78b1c406215734862f80e6b889759305d3458985ea8872b5
-
Filesize
227B
MD57288532bd983b9a126421f15a1192b53
SHA169cead4e8d879cafd5009344b9d6022386102952
SHA2566796142ceece28cde520cd1eac190dcf81ad9fc226a28c9f1a6c20e9a22d8f0f
SHA5127bdb2a27d281627591b504ecf982173a2b08331e4cb396c0a88eec009cdfea04f7ff56d086f1a5c5efc32736eb1ed9a8f26a9b66f39b53ff699c2a9eb31e796a
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
912KB