Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:10
General
-
Target
4e248cce2fb9b5f155ca62d21c6e9da7.exe
-
Size
1.6MB
-
MD5
4e248cce2fb9b5f155ca62d21c6e9da7
-
SHA1
c5eab96ba2a3310bcb3cef05918a38efe5cfad86
-
SHA256
74c882cb1bc2e8f293c67a7c9a2bcc0c37e0aafa6fd173b1990b5ba667befe86
-
SHA512
958763f40b1371177b4cffa09701a600948f3126e6ac4d041a08e11f903f51f3beccd7a9ad9cd9b20cbc443310af573ac2fbb396c21f8d61fb05324553c0bb23
-
SSDEEP
24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 11 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 10 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Users\Admin\AppData\Local\Temp\4e248cce2fb9b5f155ca62d21c6e9da7.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4e248cce2fb9b5f155ca62d21c6e9da7.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Solitaire\it-IT\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Hearts\audiodg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mto9DLwMv4.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaae96bf-57c9-4729-b0ae-02462f5eee30.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fbc233f-3836-45c8-9263-55de77442e22.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4237ce29-a420-4c95-9ff6-3e21ebc3212c.vbs"8⤵
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f89dae86-bf43-4175-b00a-152f4a493565.vbs"10⤵
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97e87b94-d6bd-4fef-8a08-148b1c0d39ed.vbs"12⤵
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\836e652d-e808-408a-9dc1-b337fa44b98e.vbs"14⤵
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5337e518-80d2-43c8-99fb-461ade211a4a.vbs"16⤵
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a795375d-fa25-4c91-a530-2eb0c6f0ef02.vbs"18⤵
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce0c98e2-8144-4814-99e0-ebd0fe0567f2.vbs"20⤵
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64748840-1031-41f3-bfc1-7e2ddc2f1037.vbs"22⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02d2492a-15f8-438b-b111-b5316da805e1.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\968c17f1-e000-4943-a9e2-16d9c1f61395.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0466a76d-93f9-44f5-9fef-2c5b7388ff52.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5de3023-bbfa-4266-8d36-e3206f40a430.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\792c0fdb-22a7-4ef2-baee-42dad343b853.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da1e9675-6744-4d15-9e8c-4f1860d069e5.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8ed7ea9-b6cc-4130-b142-894284965d5d.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99ef4ddb-bef8-47aa-96d7-361c97b12023.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8dc9ce6-e5d1-4da3-b0e7-6bd1f5ffc8cd.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c83f1582-e5e6-4e91-a1e3-44f4250cf12b.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Solitaire\it-IT\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Solitaire\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "4e248cce2fb9b5f155ca62d21c6e9da74" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "4e248cce2fb9b5f155ca62d21c6e9da7" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "4e248cce2fb9b5f155ca62d21c6e9da74" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\4e248cce2fb9b5f155ca62d21c6e9da7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Hearts\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Hearts\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD54e248cce2fb9b5f155ca62d21c6e9da7
SHA1c5eab96ba2a3310bcb3cef05918a38efe5cfad86
SHA25674c882cb1bc2e8f293c67a7c9a2bcc0c37e0aafa6fd173b1990b5ba667befe86
SHA512958763f40b1371177b4cffa09701a600948f3126e6ac4d041a08e11f903f51f3beccd7a9ad9cd9b20cbc443310af573ac2fbb396c21f8d61fb05324553c0bb23
-
Filesize
1.6MB
MD5d7c9ecc29c7899b2607c51b1d26ef5e7
SHA1a7863926600f1c92c652b91d4476236258393ed5
SHA256aeecffc3654352020e44e9de217146d0316a7733535a8c73212762939828cc31
SHA51264b4cd8534b83b49696324ed004e66facfc10ea8dacf69a9a353609f3837f25478cda2895497519f173b540ece9190d7ddccf4e5214718603275444388675537
-
Filesize
1.6MB
MD582d2c69302d6f7f36637cf2d1baeb411
SHA14c7df0727f30bcb8e93575ae86dd4e912b7f83ba
SHA2560f151d48a0632fbe18e36f9d163051ce731415a5ba792f92ffbf9ae6d91607e9
SHA512f28a16d07cc6988d674161c39bf5e18df3cc2be15b93f63b8cfb896431c79f11896f78baf484eb60212384ecb2a2502d57d8129da86da54348bb99b8f34ea2eb
-
Filesize
761B
MD57673007ed53f1f38d93975636a8a8527
SHA1238a34970ac06234b4ec77c6f0fc60ae27a429e2
SHA256aceb97c8968eea93d07f85f857b5e71aac78f8e3de2c0e036d2632847aa550dd
SHA512a023036e3d94dc0d2c9dda3412b9c9258549ff121ba37d458de4d6d667a6be1780aba9a49404852120a2613b8e05c1679e57e27e80fab0e61a04dbfe4eab48b1
-
Filesize
762B
MD51471ed458317d3c23bde3d0f34052750
SHA1c6eb96ce822fa4d7a168c72d20283294647be325
SHA2561016db4ce2efff3055be8142f7a7eb4b3788cd05cc6ba077d4000016f9ad7d44
SHA512c90c262139548472fda03df05620881cf733def0d1ddcaf95cf1eee6e64a64a6cac6040f8ed4f0efd15f72c64a9e73f744fe3294dc10e6fbd62acff0bb9a1d38
-
Filesize
761B
MD5ff4c20d7fc12cabfc5e94edffb89f529
SHA1175af326ff660fc9cbec61e479c9dd495ca078de
SHA256343601605768ae2ed77fa7ac402827e0b45b9fc71b707be2bc6584588c94113b
SHA512e805029724ecbecace26c5a45c7de97dec5775e4c10a0263cee5310acc202e9958b0a75e3712acfb6af9d4d31a0604e70269599a36d56831722efee8015dcb0a
-
Filesize
762B
MD5c88ee039f277f8623bc8401617a2c711
SHA1a1a04be94c96bd96e85eabad5226e99dcd73fece
SHA256d150d63c30dd9c5769ecee16deb426d2fea4a5dd5e506f2259ab657ba87fbe07
SHA5122571b0b7aa5e1da977d0480deb57003cd9ab8a748c5e02469ea4203fb1e8666504eae9ad28e8158716b16fa62aeafd3c24d94d1da6ae7f29338ada3927c62c02
-
Filesize
762B
MD56d6bcbb14d5a8206251cfacf61a0bd5b
SHA1679f0eb6020c2dac32048148741816f01edf6bea
SHA256981369d42c8231d91676b6aa62e7c9e26d07dd1ed04eb56e6e11c9aff6e8f09b
SHA51287bc8b1966462a0e0407e6f86d5452a62999607a06fd77963c6f58720066efe933bce2b11143e7c1a430c4b7a406f61b3d953646810d49df8373f19180356217
-
Filesize
762B
MD52f9fe89568c5614ae723f63202def088
SHA123c89399af026cf6bf0d6c7118c3b792590db651
SHA25619611582c96dcf2b84b4c8b7efa5250dd9ffce3da54e49bf0ed1810777178635
SHA512a609aad3e6edf48238d988b5f911a79ce3cf7627d13d06dd1e873138c0fa8b983ebb5c54d87c238719be05aa98bea92283546c3f11bd114019694cc2853650a8
-
Filesize
762B
MD50126113d80de493fdf01359563066547
SHA1bb135d94b14372517b48da13081b2770c3aaa4e9
SHA256557b0355b7e94b54e36e7ae3d0a1f82972e7154a9f01a98deb8c9f37d9a2b48d
SHA5126e271c11b19c7bef3ec42baf7b0dae30a190b09c06c3ea36a77dd5c9e9e86cf106eb59471eac36fc6b871a1ac65e66db90a0be0d1dc148717196f489582a6ec3
-
Filesize
538B
MD52b63d43c0edbc7aefd84212d4b98ca1d
SHA1ff1cb3dc92f6593309359d887a5370c68d608152
SHA256d257b619e50975f6350dd2cfc541a710b7992d3e79a3f0f087532f8a9fec4dae
SHA512d21bdd0274d0325f6576b8611ee6a474efaced1bb28d1f77385976c9cc4990f6f6eac1d4f2832eb0959471a2b8e92d4cc4fb589839afb538542bfd16df26b42c
-
Filesize
762B
MD50160bcfe74ddfc2621ce3c917bc9fede
SHA1b9787dc4f0749c6772de900605405279b3bc4879
SHA256b0c443395ff8d162eaa2d129e60da0c8db90e57bb9d97049da9d6f4f633e5c94
SHA5127ea7f28b14f55f8364d2f32f9b2842d06e7cafa0305307654bbece3b40f032a3308d35668e8293b7cd23aed3a0d0b978e0cd1d90ac538c73fb3ce1f4987e5af3
-
Filesize
762B
MD54a2603267a588c7696cac84e1f47a407
SHA17f56e2d2d2af6f936bceec0138f21a3055aa285e
SHA25671cedc208c288bd48590eb5e734badc8e4f9ef4b93c7826d55872bc2c36f29dd
SHA512ddadbf98af3b42ebef5a742f773f153226c985daa504e13dd6f2fc8e08c20183236996f2fa379f61981e9f9fb138d0a1b3db36ee04b522cc8d98847a18754e4c
-
Filesize
762B
MD5a67556588d655473074a49082806fe0f
SHA1a0025eb2fe281a215b88fde7b3f6376b9c11c54e
SHA256c60eceb0d1c7c241df3a64ee149116ed18ad8eb74e0ca026687bd3ca7887055e
SHA512d0be3910fcc5be3ad9ec1a692ecbc94584438321eb5cd9ea12259df5b1f04d01372d94fd250d54db511aa04a13ff65c71e324d190fec0b6793fdba41ee07df0e
-
Filesize
251B
MD516948cb1c376337ac2325940eafcfe2c
SHA1ab16be9f3c06af959e6031ea75bf6b3e16dd76d0
SHA256ebe3bf03c1d0819530a7b6bffc94c4d6db49923af27eaa330c0130884c90b0c2
SHA5126798828b53441838357c25593c8607ad151f94f819bc391c3e44419410fe184657705a51eb0c592d2f5db6b7c7811b10443714155715319b0f25514112ed4243
-
Filesize
7KB
MD5ecc2305d3af93fe55388c6d84baa5449
SHA10fdceafa349044071cabc4f6388d06bdf419bc05
SHA2560df1d89660cdeaef127ec8ca809f5123475ff4875197849db5ad0d421bba0d59
SHA512a297f9fd269153741cf5b479aab1cce346bd38c6a6509d4b825709266aad99f7506f2afbbecfc2dd1e7a2fa5b9b104fad4d9c0ec7ff291bb4477cecf73b6225f
-
Filesize
1.6MB
MD5ac60174accef0bbc6e8e0f4f944cfe2d
SHA112cbbbfd15603485b1c29e4d29ef7cd58331a0a0
SHA256cea6fbd92e36007d8ca719381ccb27a5ff3c3dc50779584d6b6a0fe54e402aff
SHA512a3d729649b84cd948728e820902d1627f32f38336adfbef2be35623fbd290d9d69660cf988b01d0b3d516c7b4ee96ae7f957c9c1793bb9096617aa67fe96ad68
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
1.6MB