Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
16/05/2024, 18:03
General
-
Target
07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
-
Size
2.9MB
-
MD5
07e331d8f4da07460446c4946b7e1290
-
SHA1
236d4ec1debe9ff37d1b1612e2c6efc54f7900a8
-
SHA256
f0b7658d97ad3263b4373978e5b90674a08f57bd245fad82fb0ad2b883d75292
-
SHA512
49c1ee8bf1f5395bae30acfbc026d823bc5d02d2413755de768bd235121d5f992c5971e0479610c48f0d1593c0301ad713fb5cd2a75396e978acd87bd892730f
-
SSDEEP
49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 48 IoCs
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Checks whether UAC is enabled 1 TTPs 32 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 16 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 48 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nujwQ4LDSJ.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14b860dc-a6c1-48a7-b20c-5d0173fa861f.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04289eb9-c9b2-4881-b339-9834fd25edd2.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eab6a000-657a-4dbb-80d7-3fa78627a5f2.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0db6c0b4-e7cc-48ce-ab9c-25b4267e033d.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ee45125-61e5-4386-809c-f205e71daea1.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a83eda91-f7af-4e9d-aead-c44df1b8b530.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\731aaac0-5182-4602-b1c9-f0173c98dfc4.vbs"16⤵
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84f2b065-681f-4e2d-9c2e-a7fdaf97df7f.vbs"18⤵
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9cc582c-6ff3-4a8b-b149-234fb50ce606.vbs"20⤵
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac014067-33ef-41d3-948a-ff76677a875a.vbs"22⤵
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d0e5f57-3342-423d-a0c1-c5a853c2e331.vbs"24⤵
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\275a683e-c190-4165-b6d0-7d9b252a2a58.vbs"26⤵
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e544054-47ca-4f28-b7f0-8a24564f872a.vbs"28⤵
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30c06157-887b-4d8e-8e30-efbc580f70aa.vbs"30⤵
-
C:\Program Files\Windows Media Player\Idle.exe"C:\Program Files\Windows Media Player\Idle.exe"31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84096bdf-6258-432f-9c38-e316e1c67a43.vbs"32⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21f358f9-3a72-4e09-a412-5c25d69a3d17.vbs"32⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca095619-afbb-4df9-a20d-5efdd42c18c0.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\897dd357-7e7d-4215-a3bc-002d520221a7.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de2934a4-597e-4bdf-ae84-dad792bb545d.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06bd2703-d2f2-477a-8388-627e091c8374.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c081b93d-5066-452b-9745-1ec78316dc7a.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f9577bd-8c71-4cbe-a8c5-d95aa4376a3c.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9df271dc-e400-48e3-99b4-4a81c61643f6.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a4b3667-5d86-4afb-9344-15c55760ed73.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d239163-5510-4d8e-bc62-d3340bbe01b1.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e23bf5c5-c8b9-4a2f-ada3-005438165578.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78735528-67bf-47d7-8c3e-a831b4185a10.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2c3575c-61a1-4093-9ee7-e6129dffb0ff.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1b181ee-ba88-4521-914f-410dd7026608.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86b501ca-637e-4049-87a7-cdfdef7f4fd1.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\ssh\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\ssh\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\InputMethod\CHT\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\CHT\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD50636cdc47b6da49c6edf69570a8b6f24
SHA1f753a9060dc2e84585892d85f172d212fe94cb48
SHA256b629b0a27c36f8f2702e116e3d1efa24a84a3b29a6bc0cb32111f35a64067054
SHA51279831b43318be4cea291ec8a67599c8eac60fce40d2a48c2f495c4f3648666a95d74bcf8ee549aa40c336e22d3d0f81ed79df5c1bb4a5578bbcb906be3869e3f
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5be9965796e35a7999ce50af07f73b631
SHA1dde100f3f5a51fa399755fefd49da003d887742a
SHA2566ea6a56f5d5ec6f60b5a748840eed28859f792db2e37f4c1c419e3a92fc619b3
SHA51245369246c8f6e80fa7a3c34db98922702e5f10e67348c94bb27f5bb241ad72cecd72ff5843a2c6b47cec390a6b9c97ba3c4d4244c62b8119ce1b2ca0c3dc3e37
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
722B
MD560f1a300295fe1bc14ee1981faf6bc0b
SHA12c96196b8ad69c8c4c6c151b8023a4105e6ff8f1
SHA256491d7520aabd6c92c61e588dcf1e13a82ad16125e22facadc76ba58f50aa12e4
SHA512fc56c9a043b3934e7a7369431df7aca9eda7f1cfc8b983e4953c4e243e73988dd091a7abb150776ec747e7eba980d315e7af4a3d8cbf4e8dc1d1cd6055db231d
-
Filesize
722B
MD577a84fd8e427138e16c3015c22daef61
SHA15db2a93ad159062be5dcfa0972926266a1e7a18f
SHA256aa0f2a14b223fc483166dd983c4290d142e548ac6b0c01b1120dba973af715f8
SHA512c5789170c1f13814c6a1e5e0acfd1c9c9218cd3032803876fe2f1c0832c2d9844fa2bed1025fb2a34a45587c9dfd4e9b9199bbd9ef16299d525851fc1e402be5
-
Filesize
722B
MD5e41e374ed800f3684e1d15937c9b542c
SHA14272e4847257e572e93666e4895682600a7fdd36
SHA256db27c57878b6da8dfde13f360f53c53ce1df9fa08c1a4f39819e6eb0457b1968
SHA51244a1e910404c6d7d1778072b1f669a017abe50742fd0107c115fcf22a1c066182deb41b061f0964d39af42e93287a192e02bf5b1331275e6957a182c4389d8c4
-
Filesize
722B
MD50c55c561fda174cda88c5c52e1ce9216
SHA1c60ffab412d544b6d77902f0cf1e7089c463dc86
SHA2567bd01dad34bc19e671408315c698f36b40cf6ab809a74e584dd081238764939b
SHA5123ca75039bb961db923a4030bdfe9336dc69c7eee28b70605fbc71f4842c9f46dda97f2f5af4648b564fbfb7fdd9fc5f3d281533ee76425ed5ca50170a3805215
-
Filesize
722B
MD51c7f53cd5a24e0c6c52b90711fabca2b
SHA1d2c1640019e598cc852b102379ea7247aa20cd68
SHA256af4e9821a41e0665ac2bb77c282faa74c86ad5c20a43d9f09a10d2fc8e77d975
SHA512be8d0e8c1b9b4c1901ff494b3420544e9ffb44e531526a114ac42d28605ba5f3327d26acad4052e3b6c42a2ec35480102c4c7f7c56589fa394975e58c780bfe5
-
Filesize
722B
MD5bd0dfc89e04a7fc05608b30281ab4653
SHA100d2a2daa99624b5b56b9b1c4b6d303844f0b741
SHA2565c0a754b873a474cef23e362781862dd130fac63abf94a1f621f03805659c46b
SHA512481a1ec0d4b7457fd6ea375000c9e7176b612a041796f63d9d49f8616e94f133bcd11c18652c1715e5f38a3954ebb3da7fae58036a347553f698bf275034e241
-
Filesize
722B
MD5bc1c854c2c4053aafd976afd8f0c510f
SHA1fe85618ff719704872d62589bd273700762a0888
SHA25672eb3e22690099ef383f41213ee80648b45edacb5eda7e461bd71d87361ad4f7
SHA51285613eb384d0db7ac2671f51464c87201e706b5661e9ef118486b12380f3d5c6bb02efa7aed10d2eeb7e65fb9cdd9ff9eddbdc309d8c6e949819cd8a9c4fbc59
-
Filesize
498B
MD5284158fb41f6d5fe3e1129ae8ef0ae97
SHA1d91d40505e046b1dab38ba25692210aea7f33622
SHA25648de25deeb0553043e21e98c098ab1a052761bdaa1d052440bd14125a4c826a7
SHA51246fb20d1895be99f8c2db058e993500822bf961c1b176ca03771ed07cde643389b574338b07c4f1073cae988c914538db670ebd63ab32ec0e364105f61f3ef12
-
Filesize
722B
MD56a36feaa160b1458db77126fcf4957ae
SHA10d505445fc99585a1869cf99180f4e7c358dfaaa
SHA2563b2a3a7dc40bf4b5ea6edfece33e4ed1465595176179497c7f7eb38d79803364
SHA512bda913bf04bdf953040a2801ce667af9e94c9ba48a7ec4b3c6da1565b9c07d6f59502f9aae5558321b33959d8f173fe69422205227c06bf82f480475434c6169
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
722B
MD5a4eb8f08ea5481772eb7d84d618d85bb
SHA1507feee7d58e878d6f0d01c3ed8577ac8b282995
SHA2569ef53940a254ed84ce92065c516e6658dea83210f69dc09eb8d78204715cadb2
SHA512f5779b7eb521f78fa66b8e9348a91fb295dc7e9cf5647c80afa7c0540150b0e7da4b527d3714de033f32ec4c1da79ed5ac05562285b028451856ff8bfc085aad
-
Filesize
722B
MD563819dd7c41d4b08f11bd1583190851e
SHA1289f487e4397ccd7f10185a6faa3f5d5a5668541
SHA25682f023d3890cb98d79ba52a3f85981d1550d500213b754884d582f4ca5c55d03
SHA512b0571f574c1d16a48ab7d13b116f88a65ef6d4ef32904251e8b613c1937d14a0b3c627b015f8fe8ee7930c198ac195ce0ebb86d7ebe05235f806139e07efe200
-
Filesize
722B
MD506b4125aeac17201463ea7816df1e86a
SHA140c5dc405f9c27892a0772e516fddd3bd4ca59cd
SHA256677bcd7e6a10ade4f9fb0c848986ec198598b5c8220e33fa9a0fd8dac0b0d379
SHA5120b982f730290a1b1cef6295d1e39afa3ca20d48e7ed6319ed849351a6b60962527eadd2c64a9d27b6fa86471f9fa8d72609e077901293be4e83ab92f9cad2e94
-
Filesize
2.9MB
MD5fb375c53268ca6265b60b0b1aca01621
SHA17a45daed1c41657419cdaf13e910203ea55297e4
SHA2566ce9f06d26bcd22c1572d66b978d16fd5fb802289a11f8520ef3f741ffa784c3
SHA5124f038b8a2d8ba6ab3fffb790522d76dd50a9ac7c25adaf2a0261d3f63d16b70ba38fa62f7f1525ef59da39647a336971a875277504d4a19aa6fb2b20eac5bf30
-
Filesize
722B
MD5fe7e691238f9804a81f84867c07be28e
SHA1c5c4dbf888f42d348cee0bb03f13e5b786086fee
SHA256c593b0ecf68e15042a166ad9f6564b0bda1f2184a362e8ac080110b1ba3b7f83
SHA512a6e43f765f49c4158e7a13f03302088e183894926f03c6dc11dda946f8f7c93acf5a03a020c96e26bb23398297de5de384215908e13b25e4e0695e8d950ecbfb
-
Filesize
211B
MD5f52e3c8af7ba5c633b1fcf87b8f514d1
SHA13039f5113bb771f56c268465c7d2e7a80ccf39c7
SHA256ceea9926722058daea20b6d69ef57782c28353fe524d206baa9401f2643dda67
SHA51293a3c4e61304b7f8712d0a7a1c98f6b9f5d4f6b077ead9b2cc7988f270ca55d54cd2501f8c6d2311b58521f564d8da8e8fa3d332069675c1eb1e16c08d9caa4b
-
Filesize
2.9MB
MD507e331d8f4da07460446c4946b7e1290
SHA1236d4ec1debe9ff37d1b1612e2c6efc54f7900a8
SHA256f0b7658d97ad3263b4373978e5b90674a08f57bd245fad82fb0ad2b883d75292
SHA51249c1ee8bf1f5395bae30acfbc026d823bc5d02d2413755de768bd235121d5f992c5971e0479610c48f0d1593c0301ad713fb5cd2a75396e978acd87bd892730f
-
Filesize
2.9MB
MD57d05ba31426a7557f2c6b701765863ed
SHA1ac257e0097dd7b808aa8c66e547cfb29f680f58f
SHA256ba8426b9c563b1cc33572c01c5eeffeb0e14d076ff93b8f875ac486864fd3b20
SHA512bc465f5995a7bfcd2a2b1c7c57785f73ddbfbbc2b84eaeb64ba1d64417c1873e49a2c8ec14ef4972367662d471f32b694343b2bd8b1d8a33b0dfe566b0986024
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
2.9MB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
1.0MB