Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:13
General
-
Target
86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
-
Size
1.6MB
-
MD5
522b3cc9b8e0565c5a2eb2d40b7a9513
-
SHA1
86d71ba007afecc0f28e9815086992099a13f2c4
-
SHA256
86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12
-
SHA512
a22e86028dc923064c045563341d3c144f9d3473935c8ebecf54e2a6ab4afb5b21d2cc0a80f92dc96ceb294dbbf2a33ebc48122079acb62f9ec140230e3e6c73
-
SSDEEP
24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 13 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe"C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\SearchApp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\taskhostw.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\unsecapp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4576_864690144\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\OfficeClickToRun.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\sysmon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\SppExtComObj.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe"C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1244d92-5129-49ba-a8be-91f831e8af61.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22e1aabb-e38f-4110-af3f-9b105ef33fc8.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\976dc5c8-2b4d-4e6f-bf22-86c423b55bb0.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe5c363f-cbf8-40fb-98e7-d178a7ebacfa.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ea92186-d602-4d99-83ac-0f21aa14f121.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f12a3fbd-0228-4a22-8913-44b7eb2f0aad.vbs"13⤵
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3886cc49-b810-4b94-8507-4dbc26c3c971.vbs"15⤵
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d54df874-b8f7-4800-b747-79272bbab297.vbs"17⤵
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c01da59-e0d7-499e-8352-883db5be1fa7.vbs"19⤵
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24a520aa-b07a-47b9-8d01-b0e6ac76e389.vbs"21⤵
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f788efc-5965-4d2a-8638-e79506fef1bd.vbs"23⤵
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b6db04f-f59c-43d6-94d6-dee190c32cb3.vbs"25⤵
-
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exeC:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8458511-2513-4f14-b192-65b5a5fbb82f.vbs"27⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4756470-a4a5-4f5d-a01c-c0b3e81bf58b.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10b5992e-d7f9-4e4c-b7e2-a82f86ae5ecc.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86044448-32ec-4cc6-b1e4-255052faa4b4.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd2d0f7c-b22e-499a-9545-03afa6924350.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bd22eaa-0c93-4669-b844-ce6e4842cba0.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12481b12-0953-4086-8d9c-1fe1b1b60417.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157e34d0-daa2-45a5-8617-762fcdc0ed5c.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0221ebb7-bc90-4b12-be13-d355151fa8d8.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60190aee-56d4-4875-a942-ef4ef3825d52.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f0a5285-de34-41cb-a3d5-a4cc21ad9a53.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ff92d02-ad09-447b-85b7-c146954d9888.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\772f040d-d24a-4d71-809a-1b1c5725c227.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2308dd47-6235-4cba-83dc-48bf9587dbc9.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\NetworkService\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\NetworkService\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Searches\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Searches\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4576_864690144\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4576_864690144\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4576_864690144\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\7330c8a20692d0b35002ea5a\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\7330c8a20692d0b35002ea5a\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\7330c8a20692d0b35002ea5a\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\7330c8a20692d0b35002ea5a\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\serviced\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\serviced\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD54139f32ae1311cf8dececa1a3e5ba793
SHA12ce35296782ccec2bc4d6251a7987cf81f62de20
SHA256da9741f4c4a552d22e16e9ef5fefb509cbbab9c63e99025ad281d1fa9b705805
SHA5124a369ebfebae4ee623413c0f0a0ce2398c210f6da3810c7d78cad9d779838d74081bbb6ed3a77e614a768ecb3d1070aa31918aba4f26501a622a8d959da97acb
-
Filesize
1.6MB
MD544d8f0b81c1e0aa11c1d031e08048687
SHA1494c094e3b104e04efbc3fd4719cc9f468bbccd2
SHA2567a3f9ec94cc89ceddaebf682f4eaff21c167dcf02abf53aac8d0d7cb6e2bf16b
SHA512abca947fa58245c8084ba3298bafdea4016a991d6e1dc60bc2076a8abc046babfd7205cf9f1ac0ac4e775a2de0c21f92bb4b9a35cee0bc721d3c9245cc0a0f25
-
Filesize
1.6MB
MD5522b3cc9b8e0565c5a2eb2d40b7a9513
SHA186d71ba007afecc0f28e9815086992099a13f2c4
SHA25686700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12
SHA512a22e86028dc923064c045563341d3c144f9d3473935c8ebecf54e2a6ab4afb5b21d2cc0a80f92dc96ceb294dbbf2a33ebc48122079acb62f9ec140230e3e6c73
-
Filesize
1.6MB
MD5c3a593c4a0aead9c11b2373ddaeb77a8
SHA1d02488e2be1c29c33240d0a5ac910b28df688ae8
SHA25673cfbbd254e70382c3089d2f5dcd8bfe8362f694c16a75d523330a649dc173d5
SHA51290a06439d55db79a4cdf5a3d641d95a43aebcf52cb620991ad5d24ec5d6bc8406a5ddf022b405f4a820f79a906b8df849e5b68bb02b90c5d4ffc37de1a2cc3a5
-
Filesize
1.6MB
MD51927a45627407c8b287b955a23065201
SHA19d6275aae0339da96dae043cc81d9abe627ab22a
SHA2561818934b61960c0230563a5c115e9772236f7611382674a9ff13512dfa69cf8a
SHA51210a89a253cfeccbe59ef3a2b84168320c857fe02de0fe60098533035de0061401dd8109576020417a98f9ec8be791b517ff13aed6211ff944a0b33e33814dc79
-
Filesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD55298af510096b88490b00b468206c966
SHA1afc8d92a832bf530001e9d7bce0a917067b1a753
SHA256d1dae534bb9fc91682d16c2a30657cf3eafa4db82fec8d1477dde2d0e9af5a18
SHA5129653df3b73599ad282259e3990d18b4e56f556d6fbc33697293503cc88738473245f7507b571059460ce57e6267219bc7b95ed1e90c198d0726a13b91427419e
-
Filesize
944B
MD5af1e26d635495e7a52c5dc500610ee76
SHA17cffa44b70451795e240e707ca3c134b15fe4837
SHA2563505a6078d79916aa201ce904383522973f0aed79ce19f86d74a879f81ce6980
SHA512b6cabf85d7c177df9b81cb3e902171ad1cad43dbb6b21fa5735f8393a7b7cacbd1ac6bc4456be691070fec964c10d867e2db29efd7c6c7581ab3bbecac57a534
-
Filesize
944B
MD5210a7332dab4b7beeb837a8d733effb7
SHA104d1d6dd4d3be5261446e14a6671bd8e64736c6b
SHA2567cba482ca75e6fe444c5b7b58bb4a5725c0fa42c90298ffab0649b9e88b2760c
SHA5124e39940735dd854e65a67fc665ddb5a33fb69b86e3eb06dbcc9dfdbd843ee0479272840450fb39172c13daed3f3fe4d84355899cf066451e7b656da22b28d2bb
-
Filesize
944B
MD5af1324e7a4e3e6cfc7ee7add0391f0b9
SHA119117163248a95e5ceb83b6dc8c21e396f33bcaf
SHA256a31abfc5cc0132c488495c81046d7f3c7eed1e7a6923d94ffd85b58436871a52
SHA5126a05a892ec41527782b418a2f232300da84eff105b2d9c1cb55c7e9ce1ef13beab2d57b4bf3cc73d1e5b2710010f3622500c4d8e0cb2fa8e5365b6ff007e9d00
-
Filesize
944B
MD59ea4fdbf8bad883929456091a1e50194
SHA1fc3b6026729ad36729c2cc4349b8e7a94255ad71
SHA256ca2f5b4e41b386c2f09fb10d2cf78cd395b614ea6c7c11ec155b415550262e2e
SHA51227bdd15bf73b9fe22005834e083c1e05919532a4f3eb4c4c41727f8175f35ab2119625ee7d8cc0ab86e00631393c8c839f05dcd3cdcd6644b83de41649472211
-
Filesize
721B
MD59a2941d67baf239bb3222a4b0a7ac917
SHA13c936fd34f8515c73ca872c9cfd2c9aae16e805f
SHA25667a6e1e7db89446a65792fee06a38302595cea9a0c2f87a9a12ed0bba8591bbe
SHA51262c82c3bd33c13d4b06fd406bf370ed3dd7c8030cfddadf9fe2e6dd1a2b1ecb4d5c1d7afb14e727ed2f5cdde6a398761f29a9437b1a39284d8d821ea29a94b2d
-
Filesize
497B
MD5670b4d455d0fb0e7597f15f3b85b5a9a
SHA1b85e2d450eb39da405e5f33091406ddf90258a1e
SHA256247993108c2609742c9b5b911c5d2ad20423e211be014d98a868d997da76d727
SHA512a7ed0a7656ddf69a16897241aa28dacfc442440b017401296e6f5e81e070b0a09e2a3bbd87dbaf63c8ffeb6661d63d0748f5e27d07c71393dfb6bc4c08edf3ea
-
Filesize
721B
MD56e84aa1ecd73a50a893bfd97e6fa4a60
SHA1f398bb118709e13ac3e73451a84c58a12d520220
SHA2564eaf391e5303508b9239519ce5213c9abe94e8a57a7c10924dff1bbe6af20076
SHA5128b5386619e2cd212eb2d06aec320c17c15910bfc0b021c6e329768f068fe441d85c9dab366c8261717efc7a937d0b453c698ece301d7c16f8fd5922924973f2e
-
Filesize
721B
MD5bbb1f728f562f2d14c2b03bd0aebad1d
SHA1d754872cc35af8ef73bd5a8e1d8e6a7efc8a925a
SHA256262fd8f562be68f77face7d61c5eb479c8f20ae687f15db632189f6c95c685bc
SHA51254db37b2ffbb9ead251036413eb639bfee8981c546ae35fe496274f474a9baa860ba132c79bd84d235e038e746e883fda6ffeb597ffdf5f720b98952187b93cd
-
Filesize
721B
MD50b5306919ce4684b9e645c14026fd79e
SHA14f13aedbc6e0682de5404d30b0b470116d96ba95
SHA2568d890ba98c6b6850d51508b0d1087d574f79f0d00d643ae6f3c761c0dfa9bb68
SHA5124a9b3d742960293adfea433e5dc2693f45eabedfce8ce6a4c389373a00ccaac6be8cb07def3d6c876fc1b5264e5e077ce59a406c8bae0d1518146b88c7a6072c
-
Filesize
721B
MD5f09ab11f81aec33b5252d1e2f42d8918
SHA1e2cc206db6459e1e345a49e15fa2492d5d8cb47f
SHA2564fc03420f00987994b60c9754f3bcdc57f2bc20bae44f38cc1635c8117750215
SHA512f041cf20b6caa92ceab8c8668271d5b3569e6ac704e994b0e9bece91def5a9da37b4362163c1aee00f8bc9825ed3812d6d8595f8778e3d5374c4dc84eb0f0244
-
Filesize
721B
MD5f0e14d8f6d3e23dc96b18a692004165e
SHA11550581620e872ff5f0fea73493bd218a8f63197
SHA256fc3eb6229810c29dd18849516e0998246a24593a0a4c4ad3ea5d26e605c6d055
SHA5128abbbe3abe852ebe9552fb79e156a855759e4fdcd68667744d4f29fd6669cb140e8ab71eba6b6f53ee8c8e4a780af52f16992cb32fc24abba3fd6aa9984d8f6f
-
Filesize
721B
MD58ef0a6e6b23870ce898e08dc95715bf9
SHA18c60e75d6bca4b8afa6652f1f1de9a519940239d
SHA256b1afc6552ea77cd0a5bcf1c45393d1de8d6b6beec39d2040227a3271ebcafe2c
SHA512c8207154d4e9a04a7f45f5f1a356364f69cc3f65fec2d22424ad3f126b0d350706895e77728f2167cdb03885c818d70f1993b5b36b45c6d1968607b8dbc8fc41
-
Filesize
721B
MD55ce76734f1583a2383f58f360a9dcf2f
SHA16079ccae196a51808eda2744e42bf0c54722c2cd
SHA256f12c0909928977fbe34d73bc4d31b54ddef5db85299dce0c8c95da3a3221828c
SHA51242064258abb27af5e9257958e2fe295f5fae0ad551c697faeaba8c383c5037f243e462fab380d92188e5ebc338f0e41bac5d0a36fecbb1191a71ae7473d7c00e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
721B
MD56fe1f1b3694e6d9440f4612b5d865168
SHA199b9ef66c14bec54dcf04cd735dfdfefe30bed86
SHA256235d6a43954c437ec85c09f519c3cdd75510eea89a05f2491753757dc126724d
SHA512ac3786336fb06207934d6ff942f02beae59afc838938f56e9a1f3a2420ea7fe0dac084652f2ad5779cf289f12c15d28ea78b1b9493e282fec7139f9517656bbd
-
Filesize
721B
MD5d954c89ded128e0a240c007cc59a049d
SHA153187afa458d26b84445d9888be6662ff49b1ba6
SHA25663253ee573305e0f729009cc3539e7977334a8ddcf9de2e36fbe5c7b4ae58f3f
SHA51209d9c31cbcaec3b9995703983d17f5bffb78c464f6c7bb0b74b232c389b5804697932b63cfc00cfbad2348d736b54e4ef92ebd29a647b7cf51c31d5b028c800c
-
Filesize
721B
MD50fb8348192d6a94ace677bdfccbd1973
SHA139d8aaa8f5cbf35bae7654ead5a69c3dd38541c0
SHA256900060a02032276b58c8f1fa4b6a6a0aac5ffab8576e1384713ea0706d270281
SHA51286e9fc565b3fc049395c5af93ed0230c8e9f7475b1017fc21a86aa9e409cc527edd4a6f0b58bb625e7c49252d5349d384983e693e97ade4aca0b37bf784ed7f4
-
Filesize
721B
MD5015a9b538e9978e6fe0971a2aac1e17a
SHA186d5816e07e5e0acaabb818fddee0dd13d1b0c71
SHA256a01e95cf943c4750ef7bd26344a8e929dba08ea72e311b8de8fb1d69fe2162f5
SHA5124c19e5849fa0f22f55e8f92975752900547c17764335224c481351604fec97d76e0085d07ba851edcdf2fcd4a5ab90352a24e4df8252906535243797e1b3d2ea
-
Filesize
1.6MB
MD59c6f59179f9ce815d134a949ca138e5c
SHA1f4da34b00fbd55a7e6e3ac8af718e3969d48f6a6
SHA256129b5e962c123febe8aaa76dcac9619a4b9aea3277cc445175e05de3c96e33f7
SHA512ef0823be39d5980037b798abe02e5d47cbec512f940728c1398559f8c555c16781363aac734fcec4af13a30691bc12e00f6d2bf149ddd6320752e767d512554a
-
Filesize
1.6MB
MD5fb3158e45f5fa393dd74ef4c7a648f21
SHA106ded0db8c7aefec5f41d8ac03f4d846cb5d3950
SHA256749ed55932f48d0717b7030197a4194915193a299f100774d6e5604d7819744d
SHA51236d8eded9082eeb538bc2a0d0d74e59021867225deca454ea96cc9d9612eda94533264d63a34a3eb1c387d70672ad5b08e764e3309dc5d7c319fd0902d6ef694
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
1.6MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
136KB
-
Filesize
1.0MB