Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
20-10-2024 18:51
General
-
Target
101706972216b2377ea15046f3707034c45b88e70773942f47ab0e74468712b5.exe
-
Size
4.9MB
-
MD5
682295e9dea6b6c362facab1d64dbcfd
-
SHA1
f919a213030d33a2cdea27e7471ddbadf2f2a268
-
SHA256
101706972216b2377ea15046f3707034c45b88e70773942f47ab0e74468712b5
-
SHA512
4cd90d088a4f5faf082b5567314e3d5e1a80a1ebffb1f3cf7eb69a71386e6f87205e38a49a350a7118e03b888cb5e61408b356f78e16a6282913dac2a09d622e
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Drops file in Program Files directory 32 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\101706972216b2377ea15046f3707034c45b88e70773942f47ab0e74468712b5.exe"C:\Users\Admin\AppData\Local\Temp\101706972216b2377ea15046f3707034c45b88e70773942f47ab0e74468712b5.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nMdX7E06KS.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c0ce140-5a57-4c0f-8497-440f19d29a57.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11fb1b3a-ef20-498f-bef2-5c8d59f66724.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1a23370-18da-45fd-b24c-7dc36ce5c547.vbs"8⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1abd3269-246f-4c6d-9a96-fdc0f9677165.vbs"10⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b335071b-077e-48d5-8541-3ef2dd65ca40.vbs"12⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8721280-d732-480a-8304-3dad8e65e570.vbs"14⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2425909-38e8-4c83-a9b2-3db80a677992.vbs"16⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a761aa21-3bbd-4173-b66c-d7c4a848db9c.vbs"18⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\724e6d32-6f96-43ae-94f8-030638b248ac.vbs"20⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7f1bc77-82ec-4fee-bfca-395975b390d4.vbs"22⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcfa3cd9-3448-4148-97e9-ba96080fcebf.vbs"24⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac96805d-c74e-4975-88ab-1e9e67b224a7.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\945266ac-51b5-441c-aea7-288a6ce462e0.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cc67e5a-7131-4e78-b0ad-4058f8b5b1d3.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a899ed15-f61d-4da5-b035-d34ddc35c4a8.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b92d217-bece-4d1d-9767-ea8bb226cb8c.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\050ab71e-c3e8-4607-b8a2-5e302e003e6b.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\687214bc-47af-428e-900b-11b8d6d78103.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5faec784-450a-4ad9-8ceb-e22429a1e64c.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9d7f4b6-a6e6-4499-9efd-7a530ba5dc11.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2103254-5ce2-4783-af04-d873874a4a11.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d8c6701-44c0-483c-9f56-53cedec2c1aa.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\twain_32\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\Templates\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\Templates\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5554deb615ba89bef09e452940695331c
SHA1a77f5489ef5aa599b248a62c67b0acb614154594
SHA2560e96a43c795c257bb1024d55390c30b28e308d44320b45ebfc362957ac1cca77
SHA512821de91705cc8cd1c4d183fd8466109fd825ca0872b621964ef3f47b94c2f90676a19e226f61dc970d11961f7277d8190c254e0548744cce3926366d76534736
-
Filesize
4.9MB
MD572b494980a97f940c2409a3ade9863e8
SHA11a7909f127db1485d6c07855d9c755fbfebd79f3
SHA256c50c91eb3b7aca94cf542e00a2f5cae21994637d7e2412e8f3157e64e15f5206
SHA51207ad0cb82de7db0814662c5fdff9be94d88115634a3ec85dddf67503b7b25a268d0adfc99cccc0cb1ca0e7276c2718e86e1bf35d9e32c131eb6f40857a209f1a
-
Filesize
734B
MD5a32cdaf2e4a0789a4aee0bcd5e2a9c22
SHA11f2e45f57f3317aede536a246567f722b8f286fc
SHA256d2571579ca3d6bae38f48c2dab275ff938f569e02e19cf51880b7bfde2b5451d
SHA512998b83d81afff933c48146551b358812795ce94f94b76663f90ea69e542c978852aa89565613cbbcfa5e8ae1d09cd9a2741ebf28c94cf671bdd07e1d538fb866
-
Filesize
734B
MD5f262333c7256d9e3cb8cb471b9207f82
SHA187573f3b345ee911af9b02cd20d2f3266fe07d6b
SHA256d83eacd07d3a3ba25b803ed1941f2014d23aa9e5c24f7a2f73ec32160bb62583
SHA51200f96592e1fb1b57394f69ac10e8f4b15c38672a68c5a38d463f9f9e1cdabfd80d6c972aef992b7e524bc8ffeff2cc0ad04b4a8b3406c014efe3eba325e67641
-
Filesize
734B
MD566617a2587745e6ca1dcc1f7ee9eb443
SHA14d0acb794468ffacdedc84232f5b5815e3910a52
SHA256b9ad9144b6c0f5a32054991df567796eb0d16470b5c39e36020d2b80be2c7419
SHA5122dda2375d470b6b65870a987db47eca60ec5336954e5c29b97af874526d6d8f619add3f70ca19f482f6fefa7c5682aba3791fb5a56a0c95d7a0af05f275f4882
-
Filesize
510B
MD506d951bc147d53370ae95666e9dc5352
SHA1e31f862cb9d91da222a82f71bd9e7415ccdbf31e
SHA256d28f5c09409abc76b8a1adb404ea1e01563197f66e8032d5d16e7f6da8421efa
SHA51241dc6ba7173e0914107d1b54dae1c1b21ad8b7548c6fdebbf47a50081a9c9cc219fce28a2c49518dd3c493cdff029c197a212732b70c391a4d95187d6343681f
-
Filesize
734B
MD5a832558d9d502185e2a4023f6565ff79
SHA16cc2fcdd15ef6a167fce1c71fb515e6a7cebfca4
SHA256046f24f8d5b3e90a4a88ae72570117fc646f06b456bdd19ad3037bf02698540b
SHA5126b2d70d4eed3dc4f2ad8cc414d3a504d43b79cfa559c6f2ddba2db1be8790d4f23f7e4324fb0522c240f3b30e7f6ada1d99edc13f6f65cbd3ce4fe1be13ed23b
-
Filesize
734B
MD5c47df3f9bdf759537ea1a2e44b0b4e47
SHA153aacc9643677d0808af605a965066f765427bcf
SHA256cf5b40f13f6fedcf48e9eacdf7212c498fe7b8fdfe2011b86ebe304c34c666f3
SHA512e1e5c8d5a702d47e37c45ee2128d81582cdc8357dede2e4fdc4335f5b03d75def696a3f4301457c6533aa59f5b9315735fb8cfba6c21ad10160e8a2ecd814640
-
Filesize
734B
MD5964670a7650f58641e7ab30cde2a693e
SHA1e8f7dab8daccde1217c3a84ed966ac67f1be2454
SHA256e9f6c6f4836904708741d2f12168ac2258e022a46067dc20dd6ed3f52a976d2e
SHA512dc995ec0580e2b7c1546396ae4fb490a7f557696a1f6687899cbb128c0ffdd6287e273282a68588506d1be0208fce843b404e4ab3191944df706cc7f32a1cd4e
-
Filesize
734B
MD5e282f08d2e24179a9a7faf3c11415c61
SHA1976e1e34bd695c7398f6f3f48d06e0014ce05583
SHA2562241efa370a2c09067559f9b36379be7fe5d1d80264f52f3763aee1db9bded60
SHA5122f6a56e1ad5b90fe7459501d1f8ea99d3839b69d7d102520f970a886108963a3f36d4c0dcd409eaa7ca7ebea47df771d74ff028fbd0c0cbb15a056f7b60aa6da
-
Filesize
734B
MD5c97e69f38d38ebcf2197f79c360285a3
SHA1e37a52e7694420a8b03fe01a0c0f4fe0e950fef8
SHA25667edf76e7680d47f78d5cde9c30d5042df6f8052a37f3e286a5d8aa78315d750
SHA5126a979592d757071dba7ef72556cabe843ae00bef7a8da6abae46b791852c171494c28fd4b6708c031d5c7c42e5e16b9eb7e1cb84d3daa5131a33c38cb0047592
-
Filesize
733B
MD587502969041631cd07de4c0300badf6b
SHA1034c4f27bda57c9ae0b39e6f9fce2ae98042d967
SHA256cf335443d9267ab5a9b0f65e1aa118fe0c92f985494004718fc5b555d1047a09
SHA5124a48bc17a1bb4a0b8dae3507716ab1dddc9d59be337235d0c3b30844d5eaf7dc65176c680af755307ad51ee96681c2c93a10f57da40cb0c206aa4327c838fcbd
-
Filesize
734B
MD567a81904cb9c583c8e652a0d51984d00
SHA1acc1b17d2d5395e2b0786828bc4b4f3daf50938b
SHA256f7b1642eba40988568f850dec412f9dab074a60094f3c2852baeb6ad8c9afec2
SHA5126fbd5eb04dacb311191e37cde7733b1b75d33795f35345b54f7613384f6b249084e2df8f57e0de7dc0bfa28c5e6232779de669c1c554ee3406987f57f2829797
-
Filesize
734B
MD5790cda57c0607fd6a6ae6237f177247d
SHA124a77f1c62866012538bd58fd5aea1dcf907f9c6
SHA2560c20958018d0a16db92cca438190f2384eea8fd9ec31cd8a1a5e36f713476e6d
SHA512f41e347fe2142c28d0c6d935e06720177a4ea72f791265b59a10d15cb4b1f4a9bc0d71bf714c0423a3aa1fe7c88e8cc3403e239c19ed28e578c653dbd57e6101
-
Filesize
223B
MD5eb50857cbe2f45f886b27481c41b0b83
SHA15468bdfbcf53d6df95d2466820cc2eb8011a7635
SHA256de5485f0c21fc4832487cb2e391e0b982cab33b47d8bf6ac29edba647cd8461b
SHA512403486166d321d65250785e480e76b9c655dd32c44998a9828e6a66091b03e5f045c353bd0ad7d92e340f9bfa3575efc5029bae473583fef016db72230c5aa5d
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD5a7e4e8ee16a11fc7ee3ca784d5147b54
SHA1176bcde2232f68ded6c403a002c6d80522852bad
SHA2566b81d2ce0de56955cda1afc6e3d70e879d72aa9fcf6464e9062533d595cc06c3
SHA512349e585492d9171299da52f321778fd9a88279b1bccad5a6190cbe77fab0b0c63c417b59a1b166fefb0c209840fda80063d192ffea6791b3e7382f0c3f52bb77
-
Filesize
4.9MB
MD55a8b935a9c93a32d1bb65fc9d09c6d48
SHA1267afd2fcf1aa84a67fee09b4e602bab43b0fe8c
SHA256561301753fd9ea18b9c6411e23dd9c011f3a3c420cb17ea1bd2664dc68467d75
SHA51230795a0fb298e7785163e07fdc084ae788ee83f6bc29902418f3c04fb7421d150b1d6e9a6b32709d8f6b1c13415f887ad50b8890c0103234a5088deea8a10b59
-
Filesize
4.9MB
MD5682295e9dea6b6c362facab1d64dbcfd
SHA1f919a213030d33a2cdea27e7471ddbadf2f2a268
SHA256101706972216b2377ea15046f3707034c45b88e70773942f47ab0e74468712b5
SHA5124cd90d088a4f5faf082b5567314e3d5e1a80a1ebffb1f3cf7eb69a71386e6f87205e38a49a350a7118e03b888cb5e61408b356f78e16a6282913dac2a09d622e
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
2.9MB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
1.2MB
-
Filesize
9.9MB
-
Filesize
32KB