Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
02-11-2024 23:48
General
-
Target
7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
-
Size
4.9MB
-
MD5
ae0ba9569cf7c10b38e333294ecd7e70
-
SHA1
ea845af8e5d2a2faee5881f904e79f6316e461dd
-
SHA256
7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05
-
SHA512
b9959a49727c1867aeb71d71c9b26cbf0094bb6a310dec981f110d09d9b2aa3d33b9800ae6736cd66c51720ae76d0b6b5887e138377429f6aea6c142b247bd2d
-
SSDEEP
49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"C:\Users\Admin\AppData\Local\Temp\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe"C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546913cb-430c-400f-a62d-8890fa58a570.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54d7e262-aa79-475f-98b5-9e375f17f7d8.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce573882-0c3b-4049-95a8-7e75ffcf7c0d.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8a7652b-3ac4-456f-b0c9-42667d19210b.vbs"9⤵
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6900c962-27aa-4eac-8a46-abddc60463c2.vbs"11⤵
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\484c9f7f-dca6-4ce6-874d-58bec08a6a4d.vbs"13⤵
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b03098c3-7dd3-4cd4-bb08-44123d95bcf7.vbs"15⤵
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d495fcd0-46f7-4ef3-9bdc-1de9c3113325.vbs"17⤵
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85aa2f0e-c44b-40a8-b15b-a195664aba03.vbs"19⤵
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96b0dcea-8f85-44b3-b13d-0b6e97689444.vbs"21⤵
-
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exeC:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18c9c30d-b1df-4e2b-b00b-5cd05c59d62e.vbs"23⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb6f9e49-23e3-40ec-a9f6-69566deaf14b.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07915b13-ee25-4275-8464-7894a7c04a8a.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44c27853-ed63-4b29-aa62-a1fb7adb2e8e.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d746cb3b-6a99-4f0d-8af4-7bcf7ab2af0e.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b078440d-bbe7-452f-9d51-3b713ce0a1bf.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5799b6d0-0477-43cc-84e3-266fa0aa7f5c.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61c72093-5822-4eb3-8dc5-e63f2ffdfa74.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0502a8b1-1563-4298-b270-82136b6fdb5b.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6014d4d0-a319-4a34-8476-b4a6ae29c234.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6533cb1c-da4e-44c5-8bdd-e7fcb32495f9.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62b622bf-9fd5-49cd-98f8-d59913b3d37f.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Recent\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Recent\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Minesweeper\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Minesweeper\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5ae0ba9569cf7c10b38e333294ecd7e70
SHA1ea845af8e5d2a2faee5881f904e79f6316e461dd
SHA2567c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05
SHA512b9959a49727c1867aeb71d71c9b26cbf0094bb6a310dec981f110d09d9b2aa3d33b9800ae6736cd66c51720ae76d0b6b5887e138377429f6aea6c142b247bd2d
-
Filesize
745B
MD53ca23dda3eb23240f009041e8c2c2cde
SHA1c08a9cecb8a64a4572f2177ce6702ae0a165ad82
SHA256f4f13b2480b40c216df636d2e787047ddd2f6c30d9cf55ca9b69e4ebf6c267a0
SHA512b3120fc7cf664e7d04aa9e0ce82a553a153f395966de08dd73f21fcf159e7aa72f8bfbc5d06bc33b1e42865f2fa997b1a86b60604b0cf0e67c2fe10c5bde6983
-
Filesize
745B
MD564ab5f79fdb88aaa2a04ef8c0e894d04
SHA193b527157a3f9c312508ac0deb14104c4e975b85
SHA25607cffcae38f54e96b251acdb8238f7c4913ee6aa4c8ecac6a66dcff71edeede5
SHA512040b0ebe904062865d24f938ddc22fa82c7f7eaee2941377fd07d4f915033f5868c68a4fec0d9140c1638d9db80881927c70670cd1241a637b2850321549873f
-
Filesize
745B
MD5eaa8b438685d072ba5ad770ee4c6d2b7
SHA1d95a8b0fdc858acae4f5618b6a731f6e02629ad6
SHA2568f4d683a82a4d9fac4d16e0d8dec28a057990b76831da9292a92e79157c3c1e9
SHA512891bec1005e289da2f2545235d6ec5af816988322294eccd04a46744324d788dc421606847ef808902992ee4c8fc7f66f053a1880c25c10726ebf5aca6755d0f
-
Filesize
745B
MD5a23eaad8898ab0c509fe1210bf567c87
SHA194d0b592f2ad32780e96c1b08f77be5760620c12
SHA2562fb7ff8e55eb61a9af1685f534bf0b3a6fb45cd7023b87b3fab347af84073f98
SHA5126afa5a23dd69537a58a24bc0bff86a632f826269683325ae48d890ae7c7ea6bea88233ee4e45541d0d5772ad47fa573288fd9df5caa8b72a780bc4d34545386a
-
Filesize
521B
MD52eb03d9cd27a72f4c85ac24fa2d50bc6
SHA1665e8610555186f9138f8a5573c12cdb6254f9bb
SHA25671571047c853315b44ff0a0c9f7de31086a1813c9dea714af3aff9244e995438
SHA5128be8b2676f84882ff89a598c396b876ecacbe2db36448cb4c28cf3a609202967c40179aaa6fd146d096a1fa32348e7c3fa8142c1852f4b919eef8f06585bcc48
-
Filesize
745B
MD5d0db09b9c562900f82da8bf123157c5c
SHA1d9db15775b668d41f1aca8dcdce3381970270ad9
SHA256218d3108fd9a015b42d0f65084c3283eb0010b9e972753e5c56002e01f2d19e9
SHA51275ee6bb35363260a779e2fb958c5bb19cc25554b6b7e4e36a3e08bc0defdc36c3d8b12f1ba05279d8667637868ae2174ec7612654f315a573db6de277218e6f9
-
Filesize
745B
MD55cbeb22665ae9c9434d4ea8a5dd3e1d3
SHA13b7b730f27600cc32c8668fcfead2ef235490a2a
SHA25643b8b67e52d1dfaa5d9f0f726c5aef6fd0b2e4e166d4f4454c2c9a4e254b4bd4
SHA51265ae7ebcdfec9bf0f7cf16b1b0cd7eaa78c3d2f558f062c53c286b4d6dd90ba666e77e4a490498c9222d8fe5a7d8e37d9c0c0230533b2ed24100c9c444948a7d
-
Filesize
745B
MD5fe726d12c961aaef57cbae2855a3c7c5
SHA19364416412b0302c57ed4d51c1228e809fe3dbf4
SHA256ae4a8cb173ae98644007944b3d89c986c4d722e1d4a41f1dbf3368928a1a04d8
SHA5129e4c0bbe180add933b48037488b6a30db44a1d4510f7567d66770321667a052a435d0f111719189ef2803017880a24cb90e9913d907a8812da77ed73a7797380
-
Filesize
745B
MD5172743ce22abeaaff82a37ea22a2b129
SHA1c6d8dc6dbd8494fe744a34c0af70c10d9266a651
SHA25603d64b9aaba2fca91caaab0fecc50b598cf0aa77094a92d406a7a25836a9f2f2
SHA51273cf30ec7813f55bb96663c48ec692af9428e1b3d95f6dc8a41e5c79b25ad8e044ada57d10c04943dd413cbb598d4a2d4ca53c8398117d755e331948dac662e2
-
Filesize
745B
MD5f0187c70c896fa686feebecc36cdc356
SHA153f4db383850956699a4b2ab6006dc14ef4d0194
SHA256af7d0a636b279aabfab2554b2b66afd427ac6c29f688d87335ddde942453ee98
SHA51281d4dda6dcb5a0cddae781f45ef827e89a5e8a141183a3ff45859eb2981c104c6ba80906f88c4786d80987a3de8c6226bdd207d945b519478b0aa93cd059b067
-
Filesize
744B
MD5b57c767014fd0a28198d9d4c6f6c659b
SHA15b6579b318f0a3fc44bf70b4ef48bf08d556b6e9
SHA256524e74581200f0051bc2021c937237d14315e9343066621af825efc1b5118430
SHA512838094b2a60f25c7a0b322866d976ddc36456602dcb7ed51ff663eb10be5edfd4430d1a5b3ff1a74c9e089c0cb74a301096cdc0b2e009d6fddd1ad6405f0831a
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD5bfd897d07ac23f97e56b5aa3518a37a8
SHA13acd9a3ef9a26cb93b907ba70748b28849149f23
SHA25679f0d71874653192513885e5a518bbc30fe4a165947d7ffcdbdfb6c776bd6a90
SHA512c48243d9bd0df6a4b649b4e46eadaedc4b5b2b88af922bbad0ce0956b3da37ed96c685bce5b12ca4b21e383b223d891c690ce50f93aa02fc7d21af8802b6ddb7
-
Filesize
2.9MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
1.2MB
-
Filesize
9.9MB
-
Filesize
5.0MB