Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
01-10-2024 21:46
General
-
Target
8c372da489d2df3e057fc7732f05f3752bea32059805ed27db2f6bd4945e1005N.exe
-
Size
4.9MB
-
MD5
88f7bc75464f6ac36d3f2f02b02bce70
-
SHA1
6c7f6a07e89aaa94f683021571ba198f18518410
-
SHA256
8c372da489d2df3e057fc7732f05f3752bea32059805ed27db2f6bd4945e1005
-
SHA512
fe4a35f4c6f916483248bf28860402866647f4f080b7bf29ad2057ef06c7a3944cd31408cc8dfb43b2ef0bb95ad70df0d674bb31795e8260bb0017ebdb81063c
-
SSDEEP
49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 30 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 20 IoCs
-
Drops file in Program Files directory 36 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c372da489d2df3e057fc7732f05f3752bea32059805ed27db2f6bd4945e1005N.exe"C:\Users\Admin\AppData\Local\Temp\8c372da489d2df3e057fc7732f05f3752bea32059805ed27db2f6bd4945e1005N.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lRBQoi3P75.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d554410-dc5c-49df-acc2-d9026c6dd0cb.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29fba611-e900-4bb0-ba78-407df433cd68.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c7c8978-7a83-47dc-87b9-e0f9f36dcb62.vbs"8⤵
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e69c3dc2-4ec0-4c57-acad-4485f7ffb917.vbs"10⤵
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d894dd5d-b1d9-425f-8e6c-26ee91aa4b52.vbs"12⤵
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52feefe2-3649-481e-85f5-3f42f5f1f2f1.vbs"14⤵
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4028070d-49ff-4feb-9f62-2df579614eee.vbs"16⤵
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f126d279-5598-488c-b0d8-bd4028fdde1f.vbs"18⤵
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df08c8c4-42c5-4373-8960-5eed314ffa96.vbs"20⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01c6521f-a107-440f-af40-487c1ba00d37.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8a84244-dcac-4c28-a222-0f73eee17ba0.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\710f7172-4f35-485c-8e3f-bcefcee2548c.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebf266cb-2c2c-4e82-a44d-c06e38a4feec.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1b20df2-15be-4dac-8b27-070e5ef2d4f8.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509a8e4e-267a-404e-a92e-b7ff14665cad.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a243845a-f7fa-46c6-86c8-a003f29c13fb.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e97be89-35eb-418f-b66d-d17fdcc66b16.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c6dccf1-fc84-49f2-9fd5-5ae4d8916fd0.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Fonts\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD543ef2b9e06aceb2c879f5df0ded25c11
SHA12ef135bc4cf85be1e3fd5b68b47128a56698cf5e
SHA2560cf689b94f4809d71eadad8174e7a8434e724ea58823dca6ed2268462e4721d6
SHA5120453624dd71fc16b8f24cc81c74e79573bd1ddcdb61baaed9846856a474141341c8451fad4683caf1b206118c60449b978133eb350b19d5abc0d30ff4d84e4a0
-
Filesize
4.9MB
MD5d126524f8fe334dc27dd8afaee60428a
SHA19bd7d823a005db540082f275851c0a7c43619256
SHA2563b8dfb78eabc292225dfd76059d1488c4033e793840e292d79c4e2a6f7172c32
SHA51251a7ca649b0aa2edec7aabbba5d2e167d26e25cf4cabc883d88e5a3b644b87491f64d3a71cb5f8303bc78f097879f7f2282ed2f3f44348cd7d6f42dd31848c4a
-
Filesize
4.9MB
MD588f7bc75464f6ac36d3f2f02b02bce70
SHA16c7f6a07e89aaa94f683021571ba198f18518410
SHA2568c372da489d2df3e057fc7732f05f3752bea32059805ed27db2f6bd4945e1005
SHA512fe4a35f4c6f916483248bf28860402866647f4f080b7bf29ad2057ef06c7a3944cd31408cc8dfb43b2ef0bb95ad70df0d674bb31795e8260bb0017ebdb81063c
-
Filesize
4.9MB
MD594c945a2aec54aaa4287ba9fc1867887
SHA154bf2362332ff9fe061cf32ee73761d5cee5303d
SHA256253ebc35ef09412024b578397ae83370e04fb34d63458bf5fbc57c348fa12fb9
SHA51206eb6946841c1b5507c807c1ac6e00d98ff17d463fe9d3327fa21575391d00c3fef88dd07a9ae6505dac843656cf939f70002d3a3b9e44e43044a111b266293a
-
Filesize
4.9MB
MD5c51c8bc9b45099b32f1f1362054b68bc
SHA12d1b69ee54a8a5231c365c2a8d683c0cae116fb7
SHA256adcf3cff4acea0e9fbfc5a963ba7b78a75a25f1f86c81f37695cdfe0c7b77594
SHA512e78b4124a245dfde07b7284adb5ae7e9455dce1158628422fa5cc135674dd6630a850ef87dd190436fec48e46a702ffcee77d14ecb6c518fe5cc45a95f8e841d
-
Filesize
751B
MD5bc1bd4be891b295195135e01559a566c
SHA19092961812154e9dff00d2f1f96a099698b15dd0
SHA25600e384f36b3b472a3b8c9a064fbbf4810ef84104605e88993ae1b3b9eb7f200f
SHA51264fcca7ff1b0f873226bcda0965d0b04b35907af060cbfdad5428aff118e2fda9d8b6bb47e76524fded2be4ffb470736e3079a273a9a5acfee0b900526e67734
-
Filesize
750B
MD5abea442230daab68db5513b62e33f1bb
SHA17e47547e9c5ddf5315be9a3c0f2907720cb5dd8f
SHA256d9cb6d38570bbcca0ceec9be82f0e34874f9cfd772079531e9f92396a8df8664
SHA5121c91042728ae1be0afc958d25d7eb6548c862138474f05d52fdbd96d40fae2f6c284d96c92582e0e6d6dc09f712bce2df2f3d6ab8a9085587a4678188bff951e
-
Filesize
750B
MD5390792804316f7393b298e9c95549a8a
SHA1a1a74d1ba088ec0afed2aee85ba7fab27e49c9cf
SHA256862d5719ba9d8eb7222a2b469e76554bd89a20950196b47e0a655c62229ddc8f
SHA512e2d922c0108fb3e82baa12b02271caecbbe91ac504bc7c086c28e8ad3e0f8fb6a77fe9e2cfd16286d3fdd1ffdf73510eeec323b302b51aa4a8c35e75745f5f75
-
Filesize
527B
MD58207ec08841fb350549e1a972a661b68
SHA16f24868f6838108e5e8332cbf20a7d2050f7c564
SHA2562026a52b7ad63b15f10a106d3482285c5d9b8a3cc5d908fd18305f03268933f1
SHA5120f92b8adc8e0d146080363cecf3bf8e0a96ab52274c496b2dfc6eb8c95772c41a6f7f914d13ef596c09307d0960260ab2ffeb3fccb5d665571c81f3fa709f6dc
-
Filesize
751B
MD5a0e9065162fd71b23ac08b362e364f30
SHA1ced6a93babf2ff79d6486d63e3fd7ea3f09f6feb
SHA256a1a991f3c0c2d47e3158f99aa4d338efc359159fad8cdad098635dc7095d348d
SHA5124d609ff0ca2e995ac7cd1cd3927c35410be89221e19bf6588114c7dff3d97a3b57f19c5e703762bbe406886e82bd16788b5ee856c57437b5a1135a5c7bf6a200
-
Filesize
751B
MD57833e0afc113c3069d27247389cbf349
SHA1c5803eed69e1802ae1fc6f0e70b2ef7f290117df
SHA256af38b828169765a01fc1f6c9e7dda1d551f549257fd6da9217542bc34040e4dd
SHA5123ce1f279a5a9b3359c5552c85f1d2298bbd0c3c61f844f636e90fc7b6c98e8f21bbea2202a001a5cb12f0fbd3f5d75b04ae51a1c782b8f297ad577d30f9610b4
-
Filesize
751B
MD5aacb659d8bec1f64e90d592370145587
SHA18b9439e17b3cea4a9532dd2c392520a5ee0b5f01
SHA2560989578b4f544297690dbbe5b0a73f9449fc17f1f773c4fd36b1e78b830cb7d9
SHA51262c49abc8ba32754258e7a9f6b5d8cb829b1dcfffd3ea679e65ade42013b2edab5d0681fbf8404528e4e8be22728a7643359a89ca6f00aae0450be0845a23461
-
Filesize
751B
MD557bd456459fbf4cdd796fc6268f98daa
SHA15239366437248975cf8cd03cb86fedd90c33432e
SHA25677c146dba852eb52bd203c1093a2798158ba11e3c8a66423b40b6d57881f1a02
SHA5120f3fd842dd58b4858140b8a0d5d13ce34adaf3c655f0925917c24161464bc1a22bfd53e7d5b56ceba84c3062170e72140c48a633915cb4a795c2c9a0ea7c8ced
-
Filesize
751B
MD562cfd6f939f40e48de661ff234fe5e2d
SHA14e83bcbc36c1d3e92d7c8878c0ddcacd78411ce1
SHA256337e53182d408a0f771c4bc07e4c76aa0239b81e85dee4d8cb8ccf99f3e955a6
SHA51214d4124f89e7c74f412ba400b4fa20c01f61148bf607b0201a567e2b9148268c8c207b6be2c14970c2a156863fe1cbd4b4bb5f65553fc1d22a63be955ca2cc90
-
Filesize
751B
MD570be4c0b0e2164bc04282591ea9e3e21
SHA16c44a24804b71a018f3e1f22f5298432a3c8712b
SHA25654b9a3ab884130b090f2c724c50c83abc13fcf3389e5f837c1d84379ff08817e
SHA512a800420d19a7bedbba8d79a6ff52f356dc23c61624444c7ac8ef4a1bc8e70c2b10b72a0926d848b8aa8fba0e4fee9f6c02bc349cd3c93d0cfc919dc87957f4e1
-
Filesize
240B
MD5c62c340e962a9f2ca812a0c0d1034802
SHA1ebfbc1b4cf0d01e15fb30614c099ebad1eadb630
SHA256790d795fee1106f5d411a920961d439d58421e8cbf28a1a86176b8dba1c32735
SHA512c1f0677ad7ea97a1351ff291059aa7b874242f6852b9f254cb87430ddea27803ef7e27335a9dfb29fa0ff1224d97e766a20e386f944de82eb4ae975f1e90d80a
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD5c8eb4c9ad915bf0b8ea475e62e93d8d1
SHA13c9955d8068076f6dce40212fa0111420d853e04
SHA2563d4b40a14285849402500f5b5b65cd654469c4c9e2da53bbef33891bb46370e3
SHA51223c303bb132fc51893ef367af2c0b1993e9c470bc072a7be8b154c2fa2f97d510b51c8d91c5b021274d5d26e71513b7904092fb6cf3fcf3dc4f2471941bd2a61
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
1.2MB
-
Filesize
9.9MB
-
Filesize
5.0MB
-
Filesize
72KB