Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
19-10-2024 23:58
General
-
Target
93a3114003ed7698411f3b78fab505c53012a6e8fdc669182756d03609cdd587.exe
-
Size
4.9MB
-
MD5
8d6dfdefd799c9332221c796a6357d7d
-
SHA1
b4db624796583e409acabb081cbebc0a2b50c6a6
-
SHA256
93a3114003ed7698411f3b78fab505c53012a6e8fdc669182756d03609cdd587
-
SHA512
3118602bfe9b42a456319b0e8ed0df83974422bdb4edb59e37c5ea67a38b5411242ab114269aff7e325d880daedf93e55cab51cc74dfe63f66f2a661f5c01e58
-
SSDEEP
49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 39 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Checks whether UAC is enabled 1 TTPs 26 IoCs
-
Drops file in Program Files directory 24 IoCs
-
Drops file in Windows directory 24 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\93a3114003ed7698411f3b78fab505c53012a6e8fdc669182756d03609cdd587.exe"C:\Users\Admin\AppData\Local\Temp\93a3114003ed7698411f3b78fab505c53012a6e8fdc669182756d03609cdd587.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Setup\csrss.exe"C:\Windows\Setup\csrss.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b51b7508-1371-4ccd-9762-721bdc97d582.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63bfb678-3ccf-4afd-9fd3-99aa605f09c1.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2600e141-e3ee-4981-a4c4-3f9f85a4ac24.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ddfdf25-6399-454d-adb4-b3952fa77d00.vbs"9⤵
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c38162b1-1f85-4eb6-a135-c0a7c3cae7d2.vbs"11⤵
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5936cbbe-a6c7-42d6-9787-7c1930c53167.vbs"13⤵
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab4e5c5f-ca07-4361-aaaa-b77381205662.vbs"15⤵
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59124e63-5be2-41b0-91b1-3647c407b6e3.vbs"17⤵
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05aac9cb-b6e9-4737-a218-fd95356a30eb.vbs"19⤵
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad929c91-5010-41e6-b42e-e28683db750f.vbs"21⤵
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4645f646-2343-48ec-99b8-6d46cd4abdba.vbs"23⤵
-
C:\Windows\Setup\csrss.exeC:\Windows\Setup\csrss.exe24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9ea1d79-b67a-44f7-9ee2-8177d03aff68.vbs"25⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caac3ecd-0fd1-479e-8fbf-362d95e06936.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0fb981d-ae31-4d2a-9ba2-f6d97a47e59b.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf0283ba-fdd7-4032-922d-95b8c1c6efaf.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89748976-6620-48b1-a8ff-b53ca6356e6f.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d101c0d-500d-4ca0-8cb9-c3623d1322df.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e33185b6-22c3-46e1-884c-87fab4bca066.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d47e0e1-7ad3-4a5c-8f42-15534e516b95.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0171bb6-c6fb-4c3a-97d0-8cae35b9c4f7.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\111f4009-81e8-40e0-b5ae-201d6729e00e.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb3a61a2-e228-4fb8-bdec-cc49377d7970.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee643ac2-9d54-46c1-b490-eb5889ddb1c8.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e460de1-2495-443c-8bf9-ccd2c2e58396.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Setup\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\assembly\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\it-IT\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\it-IT\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ModemLogs\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\fr-FR\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD58d6dfdefd799c9332221c796a6357d7d
SHA1b4db624796583e409acabb081cbebc0a2b50c6a6
SHA25693a3114003ed7698411f3b78fab505c53012a6e8fdc669182756d03609cdd587
SHA5123118602bfe9b42a456319b0e8ed0df83974422bdb4edb59e37c5ea67a38b5411242ab114269aff7e325d880daedf93e55cab51cc74dfe63f66f2a661f5c01e58
-
Filesize
4.9MB
MD50c0fc386bf5a175843d7d4d8ca37ec10
SHA1d1035c59c15b19e117881e1aa6570c5f7616391a
SHA256fca4977ba1782b2f926562316675b00e9dd0e8cc331ae7f764dc641ec40b2cbd
SHA512e19a42841aec593d35e4d02c22e8a4175ca9d1ef93ad9ac5bc99a88c1cd99d447c2ac5b74765df7bd2d3bf0a5c72e3bb7bf6475dc27d6f1018c487beb1ba97e3
-
Filesize
4.9MB
MD58812416da06d77ef4a3424e0240cdbe1
SHA1501ed94db97b86d8c091825b4e0a0ecb9193646f
SHA256f9567f37cef2d4dc459885ccfac42404f3134b8aae4b0cd9bad9ed15f92af284
SHA512b9099e3a318c89ac3bc8a9d311a81beccd583174b5a9d2b3ae61286c21e47106b90647b9ce2c71634a93d33bc23b91d27ecf426af83ad153283f9e02288503b2
-
Filesize
702B
MD540d0e02a312d0382577a158af00f6e59
SHA1f9b93386647f7766df3f469ee951bb01df1f7989
SHA256d097b6ed04e70ce93ac36c0a22ee69c6e1b108fb1eb390dbad9747781aed8d16
SHA512dcfc3773e80c0dc5628fc11013e419b5bdaa54a2513afc5672c2a16de73a539dee764575257c5b3d0f52f1748041261335144211d8edeb51d98c8454d67eed75
-
Filesize
702B
MD5f34ff8c0a63084b3d94c82e75cc16017
SHA1f91f20ddff431dbcd62e460aac97d517fe66becb
SHA2561cb01ce06c77a51e3064503485f9c2c708420a12fbcc187ff456a65aed7bd031
SHA512f88eecdadad6811093053b3d273179dd87c2d4db78f627287a142dbe79c7a04314341c90d5bd90c733660b690e836d2ebe0043ef8a1218e2106d206e33df2b4a
-
Filesize
702B
MD56200c18f258dbc7db8d59ca726776428
SHA16a78f3b8846ed0da468c7809de7ec5d74e84fff7
SHA256ac3ae96b595c2fd5c2f296668eebfed69291871a77a46b3dc9ac51c4f193e1cb
SHA512a5ba74cfb68a8e24a13620ce15ead1f133f5c31994c666fbe87a0c033adea9c80e8369aa274e8715db61e9701c60b10f1af81614f92ae69a8a7e4197fd059c91
-
Filesize
701B
MD5b93dd8ca346de76304d0152484f1391c
SHA12d3c9f6121d5a687a0775d104c54862f7f9c8cd2
SHA256e849e880b52c475566964b4c70d01944492c6194e9ec6f11e14a0f794edbef42
SHA51207035b80b30b1645a4a832ee7fd4dcfede908eaf18d2cc2ef0a3d915f6463b72c9eb767b2b91be364a4753b5084230de4bcaefa9f4806cecf0040cd90117303f
-
Filesize
702B
MD5145e318088daa0e39e51e8ce25739175
SHA1ebc099af0ae8aeecf79fe7f4710c75951b109a3d
SHA2568f3757db8fd534564d3f9699e801fb8e133f014d6f8ed6394e29d92ccc0ba2ca
SHA51238ac12adb79d1afc416af3f0c5e87461e6a5599352ebbdc3c586fcc36bb8d8d108da4dda58a7d14b8e91e963cd2e9f0c322f9312445070e98474130c45057ef8
-
Filesize
702B
MD56cda656416fe93ecae7cf4486a1ff20c
SHA18c7c651702b59389e32a593c2511293c8da737ae
SHA256c358b64f2cbd7f3a2b90d347df709f0df90cad54043fbbb13c9e29194151d7d8
SHA5125ab7f5b726ed199054d11df7df821066ef5295483f574251078189511be7d47493958fff155fc31ffc332563c453097624af39eaacf7333b087d566783c118d1
-
Filesize
701B
MD5cbf15174ef94a95b8aff51fc48f63f2e
SHA14bed5c3f8463711a9f7b39c0610686dfbc9803e6
SHA2567fb4510a191a88dde19375da0830a0a24bc513acde46c671b5a616fb496cb212
SHA512d52035195b7be406950c8e71efa4168c691206726c5911984d34b2b5aeb112b59dc9f5b28425493374eda9d688ac0119ca707cf247c848386ddc4e93cebe4279
-
Filesize
478B
MD5ddda84c7ab20c3e1d72eba5704e7a6af
SHA1fa8fb827e0dfb89abfffda05fe2a040c3b2e0376
SHA256c1ce373d385f96eac15ab9371e36ab1faed45ae5e79ef570b2f9557f0285638a
SHA512b196085177d6f594456fbc0ab9d918bd9ba7a8d91523cda93f661d937b9b024f7918cc7d0cdea238ff724e04ea4bd892e99edc026134b60bd7f09e29c267b699
-
Filesize
702B
MD536cd4980903731cb2334071aa4b211e8
SHA139aacbf9421bc572410a3e45dd996dc193011308
SHA256426d5794ef924151002ab3601c54753576b58fe764a98454b8da5118aed79ee2
SHA51292993b923581e236b679b73b9efaefc36a90bd4bf3deb8b1188b10f9cf3a3bd0786f8fd23f24302912d5967d76ce5a7ddaedd403435ef7fc2e9a45890384d1d9
-
Filesize
701B
MD54634a258e378ce1703d99c71db772f00
SHA1fce5a049e586a8ecec69bf5a8f3bc5e5e6e0713f
SHA2569e7d64b91474a90dfab44daf9f635453cbde5136d46a5d3e0a6db3fe83653a16
SHA512800175d50e32c668700d4be6d58a1bf2ce1cd90c8bc408407dcb331c83dfe3f0c076529878daa8c65206f96b3ff13e983b2ff233f454f4b42b5eea406e4f77f7
-
Filesize
702B
MD57b1895020cc2c71b964b640cf6fdcab9
SHA1cd507731527e98bd637d1571d7f93003a634bd6a
SHA256baffd3ec6c36b055bfafff9914ce4e2eb392894ded6c720efe2f0f45fcf45b86
SHA5122c7b20da94b041710994b6981f0950650f33f98fb06946a3a3da00128460f8bed2fe9d62ac10fcb12afe969140db1436f1b27bc6a7145bcf9849cfb0712181ec
-
Filesize
702B
MD5d944c47d1c00877bc646f7d1c8567aa3
SHA185d3db0e7c6e1bcc4d68352a86de78781fe296ab
SHA256dbc15910e19c383c7b8594acaed5ad9325b8e6266b60b6a2cea2917952be5e8b
SHA512c4c14809c1fc237b1feb4b36b4ea3e96c98032b3245134cdaaa81333de42a122d9f69cfe47c9c73dcb29bc7ae80a0b63254b9115d3d1b5bb2efb294d7a2c93aa
-
Filesize
702B
MD58509fa31dfea6aa07ede37707044dc0b
SHA192a8d26161c9f069e2c3a4fc0e35e7a4e13e7033
SHA256e1879a68e30fd9d6c73b5d67d3b15062c595030c80265ba5f14cbfda6782b226
SHA512fd1ebb745653fd3f88ace2b66e6acffcfb49e4633616949e3f2a65a445fc1dcdbb89ee869a82495732e8a628ab2b43eeda1099d8794a3dcedfe5d832ef25ff38
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD547bb620dd4c983ff38cc1eb1433960fa
SHA193c9cc6b4b8009bc4b5e40fa7011904914281075
SHA256417bca50c0ee02d0c4d29c5b5558126e68621bc072ed191126b6300c6c1d71ca
SHA512367431af3834c2494a7bfb35c1374fde62daa15e726441f4efe2c4c37def2dbce76a3a64d7dd7ccfb62c0ea4bd63fea8f2cabdb6dcd3c0a0e698772329667b91
-
Filesize
4.9MB
MD54410cce260d2c03f27e0246e416772ed
SHA12a7aa744a7639750bfcfd9a5f29069a031e40074
SHA2566a40d00077a539def786632b93dad05ea91a0cf66514d7808918aab724ca1788
SHA512625577cf4c74006b274bfb29ebf092b2b8114a1e5f9e2129b4b4441c74b532889beba05ceb11b46b8fb6a280df23a18f2fe8a167dc3bbb573f2e88edcbc15447
-
Filesize
4.9MB
MD57c4697f02649231498a5c61553373cb6
SHA157a8f5e90d7613a33df16374f80f6b5fc7d10ec9
SHA256379d71c4397a1cc71c747a2c669c45f1b0b63f930e87b1e298d61673c513ad15
SHA512d720152c42e6b8786543788ae051e2c0e51fd4648989dad14c25e4705e552695f9278775563b2a95e96e34a22700e53468c5518c0ce6549428dffb8a625149e8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
1.2MB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
5.0MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
72KB