Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-11-2024 04:59
General
-
Target
9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe
-
Size
4.9MB
-
MD5
ad5458bcf729c47d91d818cc1465b7cf
-
SHA1
90ad45413b8da4ce7ecf79cb87f4aa82304f1c1c
-
SHA256
9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59
-
SHA512
8a4bcf74c8d05243fc653fba5f2638505cd175f4bcffe1cca6c99142cbb8db44b5c1a91c1e1e37cdc7597fa2bcd24dbf99ffc6103702460688a29bd906327ad2
-
SSDEEP
49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8r:L
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 33 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 10 IoCs
-
Checks whether UAC is enabled 1 TTPs 22 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe"C:\Users\Admin\AppData\Local\Temp\9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe"C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3f1d50-d3cc-40cc-a90f-21d8a57a34e3.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exeC:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\306b0a08-2dbe-4f5e-b9c5-c69d44305a30.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exeC:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f27de6ce-e390-4709-a02b-aabb570ce81e.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exeC:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32a5bbc4-8e66-474d-ab33-10dd07035dfe.vbs"9⤵
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exeC:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dc4f2cb-6d74-4dd6-9350-f8d1c935cbb4.vbs"11⤵
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exeC:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4f20617-69a8-4263-a3fc-1ef57e80f6a3.vbs"13⤵
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exeC:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c78b1c69-f5b6-4f68-877a-86127eb63f24.vbs"15⤵
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exeC:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c7fd156-3d4c-4313-beb3-40801f3539c7.vbs"17⤵
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exeC:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a1b9e33-a045-45df-8537-234cc16d1d40.vbs"19⤵
-
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exeC:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac68b200-7c06-474b-a938-e152946bf7a9.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55b5c1cb-56cf-4529-85ed-5ca2239787cb.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\041134cb-23b2-488c-9ac7-bae366e8e2aa.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6377f731-1cb1-4ab3-adae-d166d7282c83.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b2705cc-1788-4ec5-b50e-df3ef60d83e5.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fdc5dac-2d26-4914-9238-00ee746b549e.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be59c496-4c02-4877-b603-b6c192b4668a.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d90bd27-ae87-4a2a-8e24-178928ed29b6.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd706839-eedf-4b3f-9dc6-4d0e5cc4f961.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\en-US\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca599" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca599" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\9701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5ad5458bcf729c47d91d818cc1465b7cf
SHA190ad45413b8da4ce7ecf79cb87f4aa82304f1c1c
SHA2569701ad13cbd42ba610864dead2fab0ff3588e959dc00180e38a41273fce4ca59
SHA5128a4bcf74c8d05243fc653fba5f2638505cd175f4bcffe1cca6c99142cbb8db44b5c1a91c1e1e37cdc7597fa2bcd24dbf99ffc6103702460688a29bd906327ad2
-
Filesize
4.9MB
MD57b095e28e22c0c57aa38f166106c8de0
SHA1d8b4d92abc54f0c1964d7a375aecaa11f4c08c10
SHA25666b113b8fbcf7063cc5e6b0e95a20e9461c66076883725c96aa0d73bf08141c2
SHA512d9968fbc7474d577e7d8eb849663a56677b7f724395eaaee2e37d842b76fd8d23f79b3ac2dffc5a02130bd21b14780fa04d3e90121df0bf6d5c89d5b45f7a2a3
-
Filesize
737B
MD5873ebd051601970f881cb818848b37bb
SHA1e24a6b8d19e2dad9d1a3c52ac8ea8ca2bd302bcd
SHA2569f2a80582e002d869e4c700468b04dccf9c2ca2861900d63baa9dd43124943f7
SHA512198d2f1cf4f6b732f65bb171eff4dd029af8bf84d3d286dda2f9691bec4b665518eca46c1621f95d6be94888ec9c0f09057437abfd7816da9276594132e09221
-
Filesize
737B
MD5e602e9667dd69466c091ae125b8a3c0a
SHA18e9eecdcb1ab95e6170ddbd1b3b61e7ddd1b30ca
SHA256b9a67183623b8858095ff9f8b2ac001262b3e3e6e6049525b290e7fc8d282aa6
SHA512a7ac042df558bfbb4764566e6ad6c7fa44d7ecba5ec6db7dc0bb99e7a73bad39b11b0a9e73d06f295ed861d801849694417f852ed4dd529e6d50eac11aab135c
-
Filesize
737B
MD53735b979f5c9a8387bb0b92539c0e1e7
SHA14ea61c0ab4617c21b62eaca7928462579b5f79f4
SHA2561eae281a2a940b052867b9fdc1b779d04f323309ed6c0f33bc4c86b5efc99515
SHA5124d257847527b5d1e7f35591134ce7d412c529e0514df3e7e316103ae33ff28213191f6d6b450e4a61f90dabda75f4bc16d6848cd4f22f993e79c0111b68d9a64
-
Filesize
737B
MD50f4a77817fcb3470667b494f143bfb25
SHA189a4a39e6b890b3d31ac310582b33528e75bd76e
SHA256f4fa9cf43581ddf6b5f97f9e2780b9b10ceacc047d4d2aee3fbbc81bab8e5461
SHA512ce4b10c13d8363f5bfd2da8208695f4d62457c8697fa5edc40746397b0cf4a9ed688fadbe4dce7bf156393a6ba414d0bb5d33e2527567c753d0519e0f9a7dffc
-
Filesize
736B
MD56bd181132f95cc13b7b247429912c1ef
SHA1786570fbd40de79d8174eeaa41ed651058b1661d
SHA256d6adbdf30c7129b17b40492c17d27fd45cddd96956eadfac87acc69c0a5ce1fa
SHA512c94da677fe9372f6f1713de60a5d3203a5ba375fa4a6cf7a3dbdede5d3a19211cb8d02208d58293c0d64215c74d83efcd33ac2dcf31c19e88987055ea16e1799
-
Filesize
737B
MD520e3c5d1298cd5dcf42e17177a5f83ba
SHA108252e33e8294c0a32e8008ca3bc401ba9f45ea6
SHA2560abf286c66e02a44b9fd31e4e333e9c1c2adbd12339e519323a8f02028d46f11
SHA512d8c97c8e152c0ed2c58816d3089a016fff24f92896b100cc8e474ed5660040a4343e92d69925ba698810bcc82cc9bf46e46ce6f21cf880601bdce1e8b4920769
-
Filesize
737B
MD52c47fb2712781cc37c430f50d36231a1
SHA1df1e918a7d099f380bc00fcff6ddb5f65e61938b
SHA25663cd2b8e61d91b14e03819e0b241264093d0de57fb1514dba8c65e08b87ba2a4
SHA5124abee8cbb1bcaf2841655e229b31c1a6d8aad8efc18bd60f47854b102792012701348eefb307f31479db2992f98a7330f6db3944a408a927985cfaa22393b6c6
-
Filesize
737B
MD594d6fadaeb911d58cb29e5153456c130
SHA148fe67981603a0cda970c0473c4fca36d44e6c07
SHA256936a1c09e70c1666acbddc0984d69f0619db4068308228bba24de159a94f4e5a
SHA512e8ff13078d44864b6cc4de3463967ed5440a24b3b80fe8381815bc31d2ea333cefc9c7c11029558d1996e01126885401f190c1887011e190873272cdc124ffe6
-
Filesize
737B
MD533e54a300496bf063b288eaffe7ea0b1
SHA13d754fa44bb821a65e4f70912a8c2d2b45e2de6e
SHA25697bd0972a92f67cabbfe516a3758432be885447849cb3b5bc83b4b5a27f9a92a
SHA5122daa31b486f4a21d294c679be8196f1ae3351a0324305e0c5962427069b200b774b0721469338d22db6cd0ee98380b3f4fc3e9a5568cde206196e18f3985802b
-
Filesize
513B
MD56af3b022d3f7a9d35f6fbc29e80be4c5
SHA1b83b590f431a6e079e4fd7f435f88908d507c515
SHA25642440c1f93e7277601445d708b179f83fd77664cf41956465bfb103415f0c6c7
SHA512f42be7bd3a8916e18dc5929883b574446eecef491a3748d70487a571415a1af827356a456b0cffb847ca889b8c69f275983828ecee055d592aae0bcc0bd121a2
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD50beb52372642d6f85c8f2012e8b622ef
SHA1a822251cfcb71ea845f21792193c5d57b016409b
SHA25640b2fe0bf35e73272f350732e6e0bcdb7acd444018ca13da49487877773094fe
SHA512eabe3b4c181273dc89a8b59eef990e100b43bb7ed4e2a1b32c1900287d89679e8f37ba257863e5b58592af1c653de5879a2b3c9b72e597aa2666157fd1df3bce
-
Filesize
4.9MB
MD51c44ff08563e342c7137119ee896f817
SHA1bc58eeaae4923597e92f3d6e11235c4665864236
SHA25669b3dea31044074afad229a4e8297268062b8745f5ee267018f8c8cbf151a03c
SHA512b4da86f59f84e809984416de27b6a934d4eb4535dba6fd7f40aae1f87e8b0a2da4b3c647ca36d56661100147a4aa679e8e1489b08f175c1df4e64e26427b4024
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
32KB
-
Filesize
5.0MB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
5.0MB
-
Filesize
72KB