Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25-10-2024 03:27
General
-
Target
a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b.exe
-
Size
4.9MB
-
MD5
7faed207d5f74070e86f9f0b67985bd7
-
SHA1
dc6e45da39c6e7bd949c70b768006b23a424f238
-
SHA256
a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b
-
SHA512
615da33c5d754be2e9f9ee43c766cbb248fd701d92933484d0c8cc6f7764063e6238da368a50ae31d3a88c3437338ad039c4d801a3f43f5554706861bec97057
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 39 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Checks whether UAC is enabled 1 TTPs 26 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b.exe"C:\Users\Admin\AppData\Local\Temp\a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5b4edc9-db85-4126-923a-46eebe362c7d.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49f2a248-c41f-456a-a061-81c64c345618.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9c50061-3f0b-423d-8150-ae818e8273ee.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\303280eb-ba4a-4870-9cb6-4b091b92195c.vbs"9⤵
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afe7ed3b-096a-4188-a1f1-965425c03bd7.vbs"11⤵
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\120a6364-ab45-4953-9de2-1acf76c5ff10.vbs"13⤵
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f756c1b3-706c-4e23-9f51-4da5719532f2.vbs"15⤵
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d927e870-8fc7-4b37-9853-16a9e5e92587.vbs"17⤵
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03e7dd29-ec18-4722-88d7-267390708580.vbs"19⤵
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1604cac6-730f-4f94-9453-bfe4d9a1f811.vbs"21⤵
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4966d58a-8947-476f-ad20-9c978f573453.vbs"23⤵
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44ad6a94-f46b-4b32-aa88-165f3272acf6.vbs"25⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\061faaf8-92bf-4e1a-8f56-810ca3b57ac2.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91f9de50-59fe-4fbb-855e-5e17bb685812.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e57ec047-7f11-4a4e-8eb7-3c5f2238b775.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ae660a0-4db8-4cfc-a0a6-574c142faeb2.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc54b85d-d6a5-4fc2-87f5-17381ef9c4f9.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76c37baa-a1a5-4a58-8fd2-15c90daddc11.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8996141-1fe1-454d-82f5-ea50fcc6878b.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f64e521-3aa8-416c-ad18-632c80623573.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7082b8d-c8f0-4a0d-8570-2f59ef4d588c.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\153e39bb-2032-4924-8f63-02430bf0caf4.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04e462d3-9006-4aaa-9c34-3a078ae01086.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0bb9a63-06c5-43a0-a538-3a5ff2ac5c4c.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\en-US\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD596998172633cd95dc1e995c2c7bc8fbe
SHA18b5df05e0e8ab29fbb56c1a57e8397d6ff36906e
SHA25626674787bf8cb33d5c60ccb2a21cb753b4d3e063de7997228c6a285102da09fb
SHA5121580767cde21675ec183e5b3b05b3b705c3155ded875bcc6d70a13ba8ea3b6b0ca9bfded5b6b466c9772dc48e30240f9a234c933fe50ad4be8e583483a87cbde
-
Filesize
4.9MB
MD57faed207d5f74070e86f9f0b67985bd7
SHA1dc6e45da39c6e7bd949c70b768006b23a424f238
SHA256a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b
SHA512615da33c5d754be2e9f9ee43c766cbb248fd701d92933484d0c8cc6f7764063e6238da368a50ae31d3a88c3437338ad039c4d801a3f43f5554706861bec97057
-
Filesize
4.9MB
MD5f0edd34aafbd17e44f09a444c1cef533
SHA18945bf441324eb43ab6fb8c7a801a4aa4bb10538
SHA256f41555de5a6dfc3f1089a6709e106ae36f3863c622a6f6fd9017d7fd6d1a340e
SHA512ac996ddb75cfc1314ef339a7975b13638d7428a826ec1360643554964ded831e0a2bd7fe5dd9c1f999aed867725b7e25a91e9c1937432e7a5d767146d3ed361d
-
Filesize
751B
MD5a58286df36609866b60fbe1128b13452
SHA1e12b20f94eb4f32eb2579fc2dabd0213c19dc019
SHA25624d3d68fa9ca0fcb6bdbcbca5b8720e4c45f80268fbe7c23f98bf56df65f6177
SHA512202e044cb694dcfc7c45eb51837c46990874cc9cbc9ab6ee2fac8689d3b2e6fc2660689e2c75ab2376092732d83fecab03534d1adae690454d1d3aa123ad8c5a
-
Filesize
751B
MD5541dd71a8898d074d1f912af1b058dd9
SHA1a89eddb921738a3dedba8abeb27b2a100ade5323
SHA256a639409c40ab4e63172c921ca4d70ae8b897adeca5c440e75e2af4ad78a0b2df
SHA512fcb57a2877b3269de9eca3d3b89d797fb8e838415371da8bade65f4ff0b4b1916ffb9dc8222942f91e9d0ee7e9ed7b7969dbe77a2b9e3bb35399a97ad7d12f61
-
Filesize
751B
MD5bdc08c3cda03334db9307abe3f04d6d5
SHA15ff093db7545b0469c984108afd11c6d93233c18
SHA25625f568cc53f8ba00fcfd46ed5c9b714a3abd5134c9e30ebb30057a0d55877770
SHA512c5dff22552b03b544b9c36f465421975cfc09b84994e1c958dcee58f7378fde471cd49bcacdcd97281ed36bfd812a5071008a535b4f0d67fb286c0351d173495
-
Filesize
751B
MD5857e8520f19db2701e4735669835a73e
SHA1c78f7c76f9f2c0bf3fc2a147d8d3e96b1d1001ae
SHA256eb5cda96e4d303ecf73d1e0f6c9ad4950873968afe5ad8030eee872c4be4975f
SHA512fc54c6aef9cf9bf1dcf9c4165b0ba8909ed0c0ca98f1679930b0b323f0513b35d7c43fc31e5b07e79677f1f30951c333a157883505a3d39f77504ffcb07064cf
-
Filesize
750B
MD584b32a2444de17db23277af27a04dc80
SHA1ec4a9c8cc3938ecdbec8e004b9575b79abe111be
SHA25614ac29301820056ac6088f46d054c0218f4d4c0688081f50bd3c49b8609ab693
SHA5121f3caf865a452c2e89291e1a470434079b7f77fcf2ab13e9d1805a98235481ecce1066875a85e57496d17bcc4e96364bc36e8eb6e48cb0ff175cdde0f1283820
-
Filesize
751B
MD54d7c9da6c59f997f7862d630f8a901a7
SHA154cfd0daf882b5a8203001896a14b1d5e502d9c4
SHA25677c06800bbdd0d2b3e6894f655dc279bdd2f20c32b9296d7802becbfcbe7757e
SHA5126e01b24f52d02bbf81a66442202dd7aca4c838ffbb00678375ac695840e770a6467626567b7ed8d00057418513ec6d034594645de0685e567e13bf35844f291b
-
Filesize
751B
MD5cebeb7494bed61e42ca095175d3506f6
SHA140455580fa0f6e9432550ad6cb5e7e212858a90d
SHA256a4c4686d172b420c2d32a3e83770686a281d8e07141c875d44fbe59265b02218
SHA5128daeaaa0688614a6e978f9108f39c026ea99d75816743454a2f372a1abe48b4f292bcea503e74f736d0dd2599eae2128aace526f33d849b4fa524b932b1cc59b
-
Filesize
751B
MD58167a5c285a285a71ae0061a5a639068
SHA17e752ce38d4d9f7b09cf2912ed84f9095600dde0
SHA25655d86468657bb463fdba0e6b683faf7db45cc182ae038336a0221dcc28ffc572
SHA5128b680f98bb906e1f7dcb88967924c03703b3d6653239d5ea28a46ebf03bf472ca6c7b5193e001aef74222e496a93e488d682ff8d125f117939f82e57996763f6
-
Filesize
527B
MD5c72d2b63af3b3c848e81b98a8124368d
SHA1c353bd966df183238e60716c0ca1572ecf190b21
SHA256dc63c798367fe8827034795d9a3d431b6e7b6a81f9b323f99bf72c98bde5cdfa
SHA512f727bb060506af7314c543c7ca3df08415cc7ea02403ea605079c19b3cb4418710ac35653e142b86992ad18019b3cf4e2e193fd07c7c162c4bafc33da9b924ea
-
Filesize
751B
MD5bb049cb881e55402d0abb70a6589b04f
SHA122b3859e377104bb552d4b77e847f263eb2a1b45
SHA2560068dcbe2decfd57c5da7300b0da1611b474332cc788c0dd27fcdeb2933c0c25
SHA51293d5da5dcbd2048682e01ecb7fd7589413af6a888c6bc53a8674063b016f179e91af53ad09ddb0e3dbd97af9c8d9d0bc6d6d918441aeae6cf589589cedb4fb9e
-
Filesize
751B
MD5a2940264effff3d2a84b72ed83a58e8f
SHA10e6f60e5339fe179d7f190f74c3f3aefe6a57c8a
SHA256e1f11eaffc0a322aee74d0b9139a709f8828e09bfc4b8d0f1f5da0082ff65adb
SHA512ceef78933a98e02ff49c1d527e954ba6feabfaa2f8adc6e48cb98b8995bfcb9137397198e7b65c9096f44c3d5cc8b18c09316d779326b055b71c548c1b8cabff
-
Filesize
751B
MD5a3dba0a9472de63ca343d8223fd91e53
SHA162790983f0dbdbcd649fffccb9e73b59d0bc27af
SHA25604291fd95f281cffca974ebc8ce7a2a7da8d699d8a86fc719cafc8e0a074e84a
SHA512bec35abd06bd95784439a83ef920340c2b61ee9a0c13b8d14b115a87ccd95308b3dfd454fd118ee9de2daff23a10f3e1a5ccf86706a22e32d7ba1eb89b1647ca
-
Filesize
751B
MD586d30e66c153c3e9856eca22e3d2f6ca
SHA17e1afc763324609309f1aafd9a5b9f246b1487bf
SHA25629846f39ca10239aa5d430b9a9c50ac28dc9136bb65309ad4c638d1deddc533b
SHA512994984963de27f0e4f208017582b02913cc73d2ed3d3756569db47d692ee2f81cc657d5e68f1aa37ce205a8fdac9c0c071232f98e3b6deca453c73f342385543
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD522ec88e415b484a922e57143b5631373
SHA1803d1420e26ec680470a70b7958d53ab5a122e3c
SHA256733a558554a36d772d5d72c641c4cba0f61a29e1593f11854def775448c3574b
SHA51231775cb2ef3c5380ce6fe4bb25d150994f2ffd74c0ef8cb5b22bc200a1c74fdfd41aee378ee3a938c8960c794c314ad1bab32a13a27e4a921fbf11eb10eb30eb
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
1.2MB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
5.0MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.0MB