Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
16/05/2024, 01:03
General
-
Target
9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe
-
Size
1.7MB
-
MD5
b244f673168b94dfbd0c4120790db0c1
-
SHA1
504ae2d279ef5640bd6a91729a856f6f62744756
-
SHA256
9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64
-
SHA512
37ac77251f3f776483e0cbfec920365e4916c2f8f9cd115e72c485cedd6975af5ee6eb8edad86837beceeebe633776ea1e8782b3e4209c78490ec2d221485a94
-
SSDEEP
49152:ZTNFXGRlxp2vui7e4E/wcimfuUx8+iUI:ZT+Rl6vHXE/O6uUx8+iN
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Detects executables packed with SmartAssembly 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe"C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\taskhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AFF5hliR7g.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b2823b-b194-456b-aeb7-173afa633f56.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11ba26b-4933-4562-bc04-d6c9ffd2b3ae.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f50e57a-a135-4259-94db-fcc8c5acb4bd.vbs"8⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eba172d5-ae07-446c-a51c-d53a414f594d.vbs"10⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e9df990-6ee5-49cf-bf9e-d2b64d4cef69.vbs"12⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6f72e65-069d-4105-9a90-374c53e8ebb6.vbs"14⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\093cb249-9c92-4fc5-a44b-c938acd84eaf.vbs"16⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\791c4edb-89e3-4e11-b368-7ad96592eab3.vbs"18⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb2bb95-b6ee-486c-ba90-ce26d667aa8f.vbs"20⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5214a7-01a5-4ce9-b959-4ad57d3aa1c5.vbs"22⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\613d7958-e214-4eda-b690-e3aad559e623.vbs"24⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"25⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c3c2a91-af01-44aa-8682-d25dbc135aee.vbs"26⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"27⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fee3d53-b82b-40bc-9964-2e75eaa90ea4.vbs"28⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"29⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1cc3ed6-25d9-4d7e-8b5f-99c6f562ef5b.vbs"30⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05df3311-bb1c-43cc-93de-ebccb199cf64.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78e5eca0-1d60-4b50-beed-3b6dd21cc389.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb4ac21c-91f7-4310-8f0d-bcc02bc748d0.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2580e6f5-68c1-4a07-b5d6-03550be1fb06.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d65d151-3154-44b0-9b51-41d7b0d33e23.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\768dc9d9-4a72-4807-9ad0-b27e7c5ed284.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a3b784-1082-4880-b71c-3c2f073005a7.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca86325-20c3-4908-9a62-271bcff903ef.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2abcb4af-ca17-4eb6-8adc-fb7f8646c7ab.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62136ba5-ecf4-4b47-8dc0-76d2d620c30a.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\859be087-e026-4fc7-9207-74b3c9e232fc.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3398dd94-332a-475c-a320-2238214d2d1b.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3baaa3aa-cd49-46c6-932d-482720fd9811.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68d747ab-e2cd-4bdf-a326-97595606517b.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Resources\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\OEM\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\OEM\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5b244f673168b94dfbd0c4120790db0c1
SHA1504ae2d279ef5640bd6a91729a856f6f62744756
SHA2569697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64
SHA51237ac77251f3f776483e0cbfec920365e4916c2f8f9cd115e72c485cedd6975af5ee6eb8edad86837beceeebe633776ea1e8782b3e4209c78490ec2d221485a94
-
Filesize
1.7MB
MD506f0070d3588cf6ed4bf34ba0d784ed1
SHA1f3dc63b2212e62df1bab79170abb5695f65b4272
SHA256ba4a91d7f8c835934fb5347e47b3c1d908db79857d94ae958fd828dbc5d82dca
SHA51216c0186e092e4e863d26c8d47dc0e4cad27fa98d2eb21fca4dd36e25b366606ca50fb2c67034ac1c45833d756c8c2523fbafdd920e23316fa1dcd264de7492d7
-
Filesize
748B
MD55488a03aca6dbbe13af45b2b5878ed18
SHA134236511bf427504cbf2e04bda405fbcea1ef304
SHA256b1c06033c644e9aa0e8034d98caa17305a4392a23cf29dcdc31bc72af110d68c
SHA512b66c1124ea11f57e9b717102f012234872b518b401f30bde5a4eab1658050d029f22b78eac9415f2a2cad2d66f6d5877db7800051a72fe4518ee534905a2f429
-
Filesize
748B
MD56d17e4e9740f4d7854caa0890074da79
SHA13f3e2fb71ad5017b536239896aa62cf6620249bf
SHA256275df000e1547e331d3741212d6fd9add0f9eefb2a5b9babe94cca436961aabe
SHA51286786aa91e8f069788c9df9bf4c17e2b461ed8d631c3a25818348249bbc34fc9b9e888f22bfc4c0b9a8ecb500dba31b928fb91aee064d8d738e196ceaf5e1cee
-
Filesize
748B
MD5766595d8eab74f73c2a5d6f56ade410c
SHA19cb823b872a8cfb672383b514f20c6094493e32c
SHA256ba95d23116f8e838f8d40946c4ba97b8ed8695161b96b6a8af9ddd76f8d3959a
SHA51265e4f97d04eaa3652eb8541ca2bbcd14301fb14a963aa4f9a112c81e9059977d8ad4fc07721b5d465a111303d7156eadae2e8e589c15de4cd64278b453572f6c
-
Filesize
748B
MD5a3c5c7a5e7bef542830ce2ddfe25564f
SHA1b59eaca474ed0938e45f1c3ff46858f0b23adb1f
SHA2565d4304e06f0cd7388a598971a7e99c760b4b9223842aa1edd6edef59143c9109
SHA5129b34cffb789eb5ff972841d48e680a58f06ff753b077da9a70e86b7fe62c5fbcead3a03bda849e22c95362131afcb9d1d317d4db0d2b86e1da2ad0d282f2f7c4
-
Filesize
748B
MD523adbb3f878c32f48548b671cb52db78
SHA1f04085af3f364a48acab26f84bfdb797f7a6d367
SHA2561223bfd00a89bdeb65dee7ba2458c4bdde3420ec4023912d3250598c50e3901f
SHA512b92405c436e55d910eac01264f9ca2fa05095b5349d61d94211a5658e828955dcca697d566b1638fe8c99a0b4bee69a48004f04434d412c366cb8336afbd83b5
-
Filesize
748B
MD5a0fab8242727c949fb568dfcf926dad6
SHA1da1854eab87a3ca5ff0af0d3ba54340752c0055d
SHA2567abee378484388f474007dd5c0ccde88d67ee645a2f0bdbcec0f26acb53f08e2
SHA512ba2c56ab0057b51cfded28963c6dd8297cbbbf25304f7e0b2bc1383e88c092f602c71a24c0caaa784e3f82828ad09fb3beff77fbb1c527c52d063535418417d2
-
Filesize
524B
MD554a468f69a794de52fac828c2553a6af
SHA131cb8e749ac8a312c7bac338b8af74bc5e9722f6
SHA2566a1df4045ccd9e3fc06c7de44975f9a5be774948abefc7cf8fd0795af114dffe
SHA512595581bbd159c821bec308da3ef7b27a79de50800af9e69e538e2c8df7d314013020691d892d1b1b5cf7c3e4077e22c1288d574bde26a987780633e79a0b01ee
-
Filesize
748B
MD5b5230970b847213f64875f7fba0ed173
SHA11fac2ceb73dcab053fd9c6185cb07081ccee7f14
SHA2562fdd66d498ba8a70b667b516ca98fb4a969cd6fb8e2de4f110b6f32fa06b1133
SHA5129ef6fd716ea4d5ad00552c37588fcff050952de7026331249814a3782b6c710b6ad2916a57a45887debd59d26f8e9f6e9fc5025ebebb3e99556c5969f1c0e2d9
-
Filesize
747B
MD59a25b461806157695c919738a37c28d2
SHA1ffa8e2e2301333e5650cb6b53aa066c6661d746f
SHA25629b02e0fa77de1230b91aeab62732bf48360760e70ee2f72ac033e3f77b0629f
SHA51290023aea0a946acabca55c70cd4e0902669c8e4da224f04610d73e38d7c132050d1000c370cb8bdd96aff3e2f86541898636eaf94f617d5f6884bc4f5baa4322
-
Filesize
748B
MD5c592bfd9f2ecb2b314bbfef91536da8b
SHA1a8ba7a0cbec7f0ef28286e7fb5c4a5420290c0f4
SHA25628b2ec2d884fdcefc0a18632e36c538f9f2c35bcf2e63099fe57b307a893609c
SHA512876de67bffb47fddfc16260813c02a930bf3b5c008b4031b11985d39a23a9bac2db007ffd55cdfeeae2a327e90150fa44ee06a8263bf96b689668390c095899a
-
Filesize
237B
MD511ba1a47d4815c1d6bbf547978b784ab
SHA192e5aeb56e63bb29dac5a99d906ec8d95af2d008
SHA256be4ca71c65e8e0f6a09c6a5139910b5268a2341bfa500601150c5b81b8193ce8
SHA51210c60d381dade067256c29235d4fc4efa5424c5def4193473f1dac206b72a3c5ab19b982ef667ffaea54407f624fa311f317f79dbc941bbe22119c94f1f8c1fc
-
Filesize
747B
MD55e29724014efe866468cca394701934b
SHA1256377fa6adf54769b26c90b9c1846f68780adf9
SHA2569e2907c9199eb858e3d63c935d490a80b67fc2d5ab095a032e32b91748f2a7cc
SHA5125200d798a84802c381ba671e437a3162a211048d46f37b945f0a3e41e2b577ada1ec5f47b9afa1fa97986554d3b38cef632af1744ded50f5a549fafe0b1c1617
-
Filesize
748B
MD5b888caf087ea2022d5e1a0f8844c7492
SHA15e9d230b32e13c2e86edd47aece11550d199f89d
SHA256e94e0ef0f48bb08db94db3958d2ec8bcc7a2105a2e04c499b56d38039bc0d221
SHA5124d05fb14012f12e3b4384c077a54133ecad4bc8dcd4e1a9d0a1448aebcd5e4b728aad17ab5618ad8e4bf2f0aef5c1a748cf82ab51e8844015963ac38107c35e6
-
Filesize
748B
MD51e43276f7afd5dc79829d61ac5c39748
SHA109f4c185f2d8f87a3975af6e4b3ba0670245db5b
SHA256ed0c0d66fd73e7b6e6846efa112c074a5be663ae108d3b5cb68780238fafd2c8
SHA512cf15b976810de7d3360bd3259308aaf014b3afaf6e390bb033029971398e7de9bba67b330fbd073be7c0eaf72c9d301310f4283b24ee9c715a1eaa71d3c515d9
-
Filesize
7KB
MD56b4ea32dd4dddaa7cbf9bbad56c441a9
SHA197ba53f26f72502d781f04bf7947a61aad47810b
SHA25638bd12b58c90a7b767b334453938e27f61ba56c197399c911d19ce1df0673648
SHA5125e9694ad0b10610e8e7604160866b97e90c6dd232aca7932af852ec09ba24452f52b81645f58a26bd68961cd7661e82f21ba5d20599c7f473c66b47870e6b0db
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
1.7MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
72KB
-
Filesize
1.7MB
-
Filesize
72KB
-
Filesize
1.7MB