Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26/10/2024, 03:36
General
-
Target
77FFFEE187FABB45FFC7219D421EA83F.exe
-
Size
1.4MB
-
MD5
77fffee187fabb45ffc7219d421ea83f
-
SHA1
3f21e5a79d674131678ac5de8eaf30bbfcbb177c
-
SHA256
272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26
-
SHA512
3c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f
-
SSDEEP
24576:KufUOExyABqHwzAsZg7ySXHzf9gUQ4zWp2Wn7b5kXxK:K3zBqATEzf9gUQPn7b5kXx
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 15 IoCs
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 48 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Adds Run key to start application 2 TTPs 30 IoCs
-
Checks whether UAC is enabled 1 TTPs 32 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 16 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 48 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\77FFFEE187FABB45FFC7219D421EA83F.exe"C:\Users\Admin\AppData\Local\Temp\77FFFEE187FABB45FFC7219D421EA83F.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jiyYbf6xt0.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e33fc0a8-44aa-40f9-afb9-9cbcf4d26912.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e376e44b-06e5-4d4f-b95d-ee54ab6614c7.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\382d30c0-692c-46e5-bc9c-9d15fa535119.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d36d35db-af5f-420d-89e4-9791e162fda1.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2855e878-f16c-4549-b122-38133cf0d24b.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37468b60-5e11-4b8d-a0f2-cfef8da143a5.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3ea7489-9f16-4b2b-aba1-24378178e98f.vbs"16⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9cee822-51f9-494d-805a-bc84f724a0c6.vbs"18⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05cc5801-db96-4442-9139-3b397acc61bf.vbs"20⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3696eaf-7a76-4b18-a04d-04b4fdf0c7de.vbs"22⤵
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4497312d-b8e0-4a7f-a41b-5aae6078fa55.vbs"24⤵
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f21b1c62-4868-4854-abad-f72987dc4af8.vbs"26⤵
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62272bdf-21ce-4c1e-89ea-7af74e81b8f5.vbs"28⤵
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5fcbf15-b6bb-4ae2-9bf7-434b0e2668bb.vbs"30⤵
-
C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe"31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\451f02aa-e2aa-4ac9-a602-e8be55773c4a.vbs"32⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4babeee-ef40-4a00-af05-0f80cdf14e85.vbs"32⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3c76076-2561-45c2-9c2e-f758d711f4d5.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d0265c-7459-4c36-ac23-4afcc9750b57.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f506bec0-09a4-43bd-8ca9-17d15ca3703d.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef9c40d0-e953-41c7-a535-bf26d644720e.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\866a0ee8-a7a3-4fa0-b865-2f99d97a2dad.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22841f8d-8ca0-461f-940f-dfaeafea62b3.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b4a6299-ac32-4359-b3a3-694050250aed.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33e13f7c-6485-49a3-af92-0cc553a1dda3.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9eabf991-6c2c-4ffd-b248-0d9c8f3f3fca.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6396ff6a-e98f-4b50-9ed4-6d3c36fbb502.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a41d19ab-9a6c-4ebb-a4ff-1ba6d045585b.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37e3f6a1-af1c-444a-87d5-2cc1da6c4206.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e85bd8db-656b-4027-8af1-4518c58fb146.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ca6e78a-d8e3-470b-9f86-1dd9d8f57101.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\77FFFEE187FABB45FFC7219D421EA83F.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77FFFEE187FABB45FFC7219D421EA83F7" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\77FFFEE187FABB45FFC7219D421EA83F.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Resources\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\es-ES\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\swidtag\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\swidtag\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD577fffee187fabb45ffc7219d421ea83f
SHA13f21e5a79d674131678ac5de8eaf30bbfcbb177c
SHA256272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26
SHA5123c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
731B
MD5788d9dc0642caa451b9607b4e6608246
SHA1900baa1e01cf6a5d28bf8b73cbf22af9d15f85df
SHA25698964c97bd6ed3a8340cadfcd64d14521d28b86d8d0f3b8ea6bcd6385e7f20b7
SHA512a2e2ae1d1c71c4659fc02ae6fe8fb953c6b4405447ed7bf5c8ffaaacc3f156fcc2bb36faf791e6ef4aa9aef02dd2b6b7bca704fb86e3762f9594a32167ebe512
-
Filesize
732B
MD51113aebc9a398ed50911ded1192950f7
SHA1845bf7b3df7729d5caa76a417f67e35226ccce79
SHA2560dcaea296f3b8cc19bba132cf6001c20114b4c374b13d2d3d30fbb80da4f5070
SHA5125d476d966f0994948a369960bf933062d6fb260c629b619174b9392d4e4aa1f5e7b65273b64b2ca4924ecc57de21d4a5acebbd9a9f9131834ee29632a8eeccb6
-
Filesize
732B
MD59e2b9a378e88f0a0fc8fd3fdc341f918
SHA18068ec11e76be79acba1296b52fc129f18ee9ab3
SHA2560c3f0c540d2169ee0a044872af6d37c71e82af6b88abaf7f6ca9d0a112109dc8
SHA5128fc750f23d99a5ad6499ef77b0c7f183a3586ed109ea65117c3e9bafb982e41e2e9d241454edad81eb80fca270e255e16a6d75cab762509a9d1e873be3cdc99e
-
Filesize
732B
MD5d02226bff7eac04d0bad878f188e2571
SHA12fd92b540dea7775d938541137e4e021b41d1a24
SHA256efb03823434d51d515b0aaeecc30cc883bbd18e27bb5e1bf4b3932e96963fbd3
SHA51231ef3cbd1da1bafeb1dfaa22de4d7b770bb04c087719568788b5f1932b807f00931385e8081726eae413d7fc2419212cb22e3cd07c17878bcd43cf72a028e6ce
-
Filesize
732B
MD52839d2c93cc88ad8ffc6102efbc3e3a6
SHA19e7861ec937a741d009f46ee60c6db5b2868234f
SHA256b9089f565f7f39b6ffd0bcb3988ba28087d2c6c4b772a15bd1f3aea9c238f84d
SHA51238e3da0a2cf313d1c0bbef9c91a2224b7cf1f55a9ade5f83fd4ffbfeb321f244c4d8b8e545f07ddd729fc6a9f46008b9601694e6282ac6de9e57d265f319812d
-
Filesize
732B
MD5d13bc86392f589a40f16a7e9ec875969
SHA184f4be4e0a606b0cd8b0dc88890b2786ccd2d85c
SHA256a9b27a3518117ff585f3999b25b14d5e26da1e9a0a69a4ace45c8dca9c05448f
SHA5128461082baed96e9d6c68af9b2dc255a07a7d138e37a8a798bc9fd57f01b4a186bba3fcd91201699473ba6d0290c62099428f7fc69c8f2baa37dc97c74074f2e6
-
Filesize
508B
MD5f6c4920059f7ee55ae5aea6355129ee7
SHA1c8b9beb6139ee82809a8ea2e1fb5451697cf7899
SHA2567610607d5fac190aa970690505134264bcec0c00c161504372291ef47d46e491
SHA5120454b840abfcf9a20555de29809a5814aff5fe67c10f4663abb7ffe87e06ef3f9937ac2a2c92da1a1c61858ce36ed0024f00b6daa8007e261d484cf4c4241258
-
Filesize
732B
MD51fa09b0190b361a4bf862bb6e3fe20bb
SHA1347f23b01c4996e7e356925b32aa7cd765cf260a
SHA256765f9f44145e69a8869c498d0018f33d55f1ec27a07da8f2f0eaba136a2c9f85
SHA512fb0577bc97648ac8574029063eedfeb2eb69623315fc4a98ae447ce751b02839366711e25a2890c6ce213e05de718fee2c6102403e8403e9396fd63f31f0f1d8
-
Filesize
732B
MD5ff05955456495fc39d4008b2c803a459
SHA157bf1ed8ba3a85950b368d7efd31f4c08fb13d46
SHA2561945ae042f3772a137f7f9f3045ada809d57b206ff308a12f33be44c5c33e103
SHA5121faa031cb83bd55c34dc14bb88078b36bb70187c9e9208dd2253764da0ee86342fc6d8d012630429d988980dc0e5834b6ffe9ff63529c804759a2824d919275c
-
Filesize
732B
MD595d2f060666f283ce2f467a51b809afd
SHA11ecf2d33cb1689381213ffb688d9996c01b92a18
SHA256c15e7aac38f031ae4f7cc1b7806e5b3c6a5fb56f45eabe755f45081c397e9254
SHA5121a72bca7d623af7645bd03eec045f8087c04cc62525c4179db6c31767e626edc55094e56c187b978ef11e234f984458be80f38a22a4cdb44e34a54f18047b017
-
Filesize
732B
MD5b679e44efa1d20c2a64a4c8f7a859590
SHA1ff2b92bc50c9c569ac049e9db3b80acdd03ff05e
SHA256540b1fe53861905da5bec04d45b7216d1785b0446c9595ee51705b446b35a8e0
SHA512b03917d489e6e671f8349736b75627b95e180273324a38439572fd05c3665559d4b2d3514f977ef84d612ebed57c93f8ce636cd185147253982a3524afdfbb33
-
Filesize
732B
MD5ac962ee06bd3038f48f3f87dfd1db271
SHA17793e7c3c6c8951f1099227712dd578363906366
SHA25641ea3519b1982586d0549cfdd00f52b60cf23edfc1559a90acf2a6d2517c0345
SHA51273c64069fe519c2962110beb85902c455761d4b9314e52a9993bfe8afdfbe959338cb2cb5c2d0f95bdac83a9db499c994a81343ab1cdb333fe41353b48cc7895
-
Filesize
732B
MD55dac91857e3c1bca1794a1521f2c7c8f
SHA17bc33e30c4faa130c898b35e8e6f8a50ec6e3735
SHA256ef44cfb56fd179292ae418ddcdd7dccf404e7552b9302779af307cfbc2bad1f9
SHA512f0785dcbe2dc742a1946cbc5693624b32be61b5dcc418437bf645d44a25f4f6e43dfd52f957bf6285daeef605861463805299236bd398f8b2ce97651929687cd
-
Filesize
732B
MD5cd5539e3024c02e8630fa3d0e60a3b0a
SHA1cc4abcc17d87e8351f332a8c41975dc3a084d4bd
SHA2563df447979e7967a7da17135f1e0509ac58cfac368db78c03923c3e829efac73b
SHA512c22a3408e00d57a7d79040b6c0ff61b143bec97594037e761d63f0edde79e49d6486a9c08d7575da2a0a5a19f59ddcfba1b7175850d9fa020da27fae2963da48
-
Filesize
732B
MD530dd7ed5bd7d955a73593a133c236061
SHA101d8249962240d8a6e912f084f7b6e14164ebd6d
SHA2563663cfb5267e48d91bfc455a8a1edc4ca924bae41c9acb5c828a55e340a77e3e
SHA512f9f5a196d2121e9340a0629636953cd7ba535ce44b67db598b8550507f9646a65977d49fd4b64e88ce41c00dbfb381e3775ff43aa3987056b85d876a24e25c64
-
Filesize
731B
MD5609b5ad824bbe62c19f95e228748b086
SHA1577dd5f664658eba8fc0d374e86f38674e059f89
SHA25641ae978673a708d1e67985d673854e4d33fc58539a5088c1889cad9c3596614e
SHA5120771091cd68738afd40638e068fdbbd15e830010093542e3349b58236dbf5d06f45d0f35fafd2f35222bb7c11b8bc03353284be1d11bda64cf098c6e7d18c8df
-
Filesize
221B
MD563cdb72157bf9e0e3a05a6cdefae3a52
SHA1ed8ccb03162d254c54e2fe05e2d7559ca0662552
SHA2564e43fe5d39fdd792cf207f4dbe81852b3c086745d4f70d20292e6690d7c69a75
SHA512043cbba0e874cb4162a870542003e4d2de1717701ec8130025414740b525a08d87962bef7687740c8932b91afe4a973312efb35b41499e0d79766416b48f5ca2
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
1.4MB