Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09-10-2024 20:20
General
-
Target
3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
-
Size
4.9MB
-
MD5
a6c4e2d077ec90e6c69325b0da5adb1b
-
SHA1
945d07aac7c54ca5560ba5cb1e05b0e6c25f8a0d
-
SHA256
3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14
-
SHA512
d0fb442b6b0b846193a63abd8cf7084de8c435a7670a6065edd720464897af8ea969f7d452c99457075d9ac06b05e27623fd992b76cf9d26885d8e91ad9ea918
-
SSDEEP
49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe"C:\Users\Admin\AppData\Local\Temp\3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AFF5hliR7g.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff2042f-7aa2-422a-8ad2-f69b4f2b1742.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77892324-5378-4ab7-a789-804b6b635052.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d004ac1-e7ae-4b11-99ca-fe935a20e383.vbs"8⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8432e54f-7ac3-4532-86fb-2267f970d0a1.vbs"10⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e9c5462-d701-400b-96ae-35068648214e.vbs"12⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\834b9c3b-348a-4d1f-8196-a022c59b02ce.vbs"14⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36bc0ea7-757a-4d1f-b3c2-6078be533d5f.vbs"16⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39093eef-fdec-4ddf-bff0-3da412dba89b.vbs"18⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68dfcbf7-de19-40aa-800e-b494078e0b51.vbs"20⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c92f21e-30fb-41aa-bd89-cba13c5a1c38.vbs"22⤵
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4ab4f6a-6614-4673-9e75-66b0683487af.vbs"24⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e67ef2b-8811-4bdf-b810-4972551a87cd.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66b3baf8-7a5a-47e4-8f2a-fc9d55e96535.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\185d66f6-a1a8-4d64-9b42-bdba9d9b3267.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f0e8056-263b-4ada-b4f4-17d8944e0468.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46928c02-5f8c-46d3-ac37-59fac964c5c8.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc24b49b-485f-4dcd-8fc4-71e124a165d4.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5190a995-155b-4449-b3ee-d3f0693e279c.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aae1ecd-f509-4d51-bdef-7b76ee4aa96c.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0228604-1920-44b1-afe7-2765795442e4.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3531124a-e591-4032-b756-c41c0989387e.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\641c7f2c-94aa-4f3f-9cca-93cc8b6c99e6.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\OEM\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Help\OEM\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5a6c4e2d077ec90e6c69325b0da5adb1b
SHA1945d07aac7c54ca5560ba5cb1e05b0e6c25f8a0d
SHA2563ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14
SHA512d0fb442b6b0b846193a63abd8cf7084de8c435a7670a6065edd720464897af8ea969f7d452c99457075d9ac06b05e27623fd992b76cf9d26885d8e91ad9ea918
-
Filesize
4.9MB
MD5eb69867c11abb12a8e26da0695a65fd9
SHA1de031eec9f340fe39c32d5a337a0ebad3b0f4b2f
SHA256685b97b2626b5cb4e8eca8688a6e9f2e193727e6b80cb27fa1c12c87b3688086
SHA51200b7f10661693f3d450e0198d6d34b3f6afd9f88949204b17cd087c99e5bdffc6b89965fbda4d0cab880b756df80286529bd401de10d622eede95256a0d95a4d
-
Filesize
750B
MD58e27336a95cad0f47cfe4ff85a695ff9
SHA15d71673d21ea929d99d61297a4fd4870c95cfbec
SHA256de5270e3761ea2d4a787503b3dcc10d4dad40759046719b06b0b0bf690d1ec79
SHA512d26a77ffc5551123c6d5fbfef8bb72687d3067b18cea6841ddb07b5732be97311cbdfa58c00e1a53c862840e0ea62307d653870ab11ee62ab7fcdd54d08845f5
-
Filesize
750B
MD5aded57784bbf74e62eea5c800111aee4
SHA12e80f37c455dc3df6d2049f1f4bc04bcfcdf79a9
SHA256bb89c57908ddbf0cc5c5f56db2c941f779f79f2518dbac062f25864fdd545f1b
SHA512cebd6c32e503bd30030d30cf46b4a8a50aee02c7ea0b8ed31bb23764fd3d5710b56d06e0a91eaf8f94541df1040b8d30f6cb4fae7f2b4a8999bdc90bba7b8914
-
Filesize
749B
MD5274211e05c64f79d0e24da998177ca85
SHA19e1093628d8a5b986ff1d0569b4d4653cdd05beb
SHA2568ef03d58290969d3d73ce6f99561c2ca8f012718e84a095abfc887dfa612bddc
SHA5120b70226db8dd6ea4d2e85a4ec7a51f05ebac34dffaf9a1831687f20abeb97a8042e6047c15128401fc2459ebb5d9e79d6f32ccd0ea2265fe9500323039f32a29
-
Filesize
749B
MD527f4cad8ed3a9d86492eab1162836ed0
SHA12d292074b8d7adee10da86f589255b7716033e5c
SHA25636c4cf84e9e8d601fd9e31ffc78fd1f2a0c2c472e7cf4045f1c34effacaedc66
SHA5121e4484c1e1ee34f94e995eb2a3476fb4934a70beb22826b8587ba494f0df3b6a7ae4de4c6469e71fc4d25fe4d6278d38727cc32959c3e821b59d051bc2ece626
-
Filesize
526B
MD5d53c6314c2f2a5a1bb2ab9154260fc98
SHA13b10e4736fe2f8ee5667c2dc4dcd70fc3218b0fa
SHA2564aaad711803969c7a587cf1fd97beca919ca67af3ea897e313a654666a39287e
SHA512ff2da259968772324eda2005cff9d09ff1b70b2b54c1818c618cc096fabe8175b74d25b0e4e86fd57dcce4fe14bb617b82796027abf46086a00acd7711b7d7d4
-
Filesize
750B
MD580b8bddb9a352a269fc0dc25e6b9f93f
SHA18a6d4886413a35c6b91666508c532dd8feb11592
SHA25687d8551909827960ca7d861a5e0d731ac73248f4dcc6a71ec9453187c562506a
SHA51242ace1097d732183d1af23c560d6550d5234861a42f53b620946d464b34160b3e7d6fcad7b011ff1dd792b9c8c8020f004c9382538b0758eb09ed7946bcfe62d
-
Filesize
750B
MD5df50e3c08f100290629058ec9f48fd5c
SHA107e8001f62115edca2bcbaa99ccc5dff65f3feff
SHA256f671d171a749f368ca99afa901e738a8f774f102a2b1ca15eb0103485d53e36a
SHA512d58525be2ec382c1e539efb945c8d4df81e703b0ffed4a8d49dd014321a15dea12b5c59e50f91f4465f1bd24927eeb1faa41acef31ed8c5f677ca492b54b340d
-
Filesize
749B
MD5747c0cd0371ef0d682fff87602f64fd3
SHA163f760e3594efa764397d7c2d1db433b71b0d937
SHA2567cd5e2560bc0ccc5f796ebc335b89632e3ce319cb4699e3d26e537c066eaf2fe
SHA51242b4981b14687cce28c3df986839025297cb9344859247d56d5e98d8bb555c2bb90c192211b244daa750155311fe66a58ec4fe4856c791c53dfacf5c5220a2bd
-
Filesize
750B
MD5f9f83c6760d1017a9aad79040779b7f5
SHA14e670acc979187015baf7f4d9efbeaed9580d12c
SHA2565cf6a972ea813c371f3afc186b87df4a945d960526f0c8c34f5ca423ad3104e4
SHA5124bd2c05437b9735faf1d9f3cc367a14ccd17fda1d51ff5a33a22b1b9d7e6f86aa1ce9b1acd938ddcd2efafbdf1b9f91eda72c84d4a98065688df51c7a9880436
-
Filesize
750B
MD5f4bd1904c8bc7e1c2911d7bf2b7d4f09
SHA1fb720f062d85f83832cb273200ae420203451a41
SHA256bf9c960e05f5e9a137ecf1470510e8fd5bc619fe224a8dbc2f2aed0ae9993cd9
SHA512a22397594c79923839dd689c02c9331e1a5772d77470117c795381e359e105a13de316957cc1a66ed01866ac710b2e627f8192df94b7f50a8764369f2bebc759
-
Filesize
750B
MD5a98de4b88eede92312aa37ff089d2664
SHA19393ccc7c36c0ce1680c4e767092865b3e67a3c0
SHA256600cd0612ab9809fbf2e2878b0d91835d5b73d1999b1a5aa886783c453eae3a3
SHA512b3c5c3cc2821de3a7429f25049803a36b8b8c442352389a75c93985330b78b3dfd0044527f5591d0c7fb82cfb2d1adb36f82a70183deb82bc4b604575a106073
-
Filesize
239B
MD584dae56f2887dc2ed4396aaf673a5ae5
SHA127111e96b1214b832bab01ec2d525b11997c8963
SHA256cebf98be7448d55ac292b3daef168c2bdbd5b44a140b1386a472a49c6ea16947
SHA512c3c8770f7de4443a9edca5dae0efe64672cff84c683ef68be342b86f63a037f8f22f083199f27bd7d5478a88c109aba58f62fd4807fb9b485762bf5e81622e8d
-
Filesize
750B
MD5699adc4607002bf65f810f37d9297cfd
SHA1082df4967b008391f38592911eabc0a7d3283c8e
SHA2560e063867d36156b26379c9dfbaf30068b62918fde23841f3632a007a30ff7660
SHA512c32c2655ded1ac4c351392d687dd4a2ef4eb8e93ceff06c1a8d09163f0c177f033daaea2c656b6b2395e8edec01f4eed50156a08013c48564ae9924def89994e
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD54cf44a5d0a0b80987b096bb383d79ccc
SHA1b42305cefac6eb21929b340587f46086e0c88750
SHA256171256961ab8c4d7202c3e038ed2075fbc67ef283f643a83118a88dc85542db3
SHA5125df1aede4e27a0304291ac74ea4b3bfe31bebe6d98a3e4b3195e858a33c14d3728d5cb90c62bcd683445843c8bdf2042967d72488567411de84104eea1ff11f4
-
Filesize
4.9MB
MD54f8b5ff1d510510566ed8b70b88ce8fc
SHA168dd156763d1fc94c1ece0bbd1f57ce51a2b15b3
SHA25635c92cb350247a18b96737594602fabdfacea97e4610d856ef761d74403ef616
SHA512fc42620bd05cb11570028dfe6aab55a61ddcc63ef5a155371a5e15220da27d6f332705bfe45ca1e9de765f3e66a13039866185182f1a8bf03228d77f890078e1
-
Filesize
4.9MB
MD5e2b06d34e6d6a309a1a70e4f7726a8e1
SHA15a6a3d49e034d0574137cca25ce08d8f28bc75eb
SHA256c641b15cd91db0f4e54707a53c1da70465b3c70213fdabeec0fa984f0f72d6e3
SHA512a06fed1b778c80760103b271af53c5eb50bab3e5a5a34e148c700d2cf22ccf470883f6fbdcf8f819cc829acc2354dc4b5eda7129344ea44ceff378be4359c47f
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
5.0MB
-
Filesize
9.9MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
72KB