Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/12/2024, 11:33
General
-
Target
2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
-
Size
4.9MB
-
MD5
d8b8aede9dcb3c6ead52f11fc0826520
-
SHA1
6b5981a21251b5d0833a8dc8e7b4c71787c3d6e6
-
SHA256
2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4
-
SHA512
c3bbcbf837ae31dccf70e966dcb57e6bce105aef5163ebb44111fc7dc810cb34691292cd4ad30ab0e1516a75f569addfafaf6c3a4b026c2a1446f1182bb005b1
-
SSDEEP
49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe"C:\Users\Admin\AppData\Local\Temp\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7b7d2c9-7390-4c25-877e-7b8883360b3e.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d6bb9b-ab18-49e6-b42b-33cd7ce55a40.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af715113-231c-4ea2-9f3d-a23fd9415884.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5424572-7f0f-42db-a125-edc88a86ae20.vbs"9⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbd4e136-307f-4b96-8bff-26b30999bb24.vbs"11⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6433cde-e332-40d6-b3a4-0a27cf70d115.vbs"13⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157d6a25-6df1-4e7c-8a46-493bc6c47a10.vbs"15⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c0516b4-839a-4db9-bc8d-e13c860640ab.vbs"17⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b4caac5-0a4d-4dd6-b36e-ae28083a66e2.vbs"19⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d99af1-0746-4144-9fde-6a937a6e43fe.vbs"21⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\937d0258-c8d1-4836-8459-fb646253aa00.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00e42dea-d856-430b-93ad-778d0c7d256f.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94081a07-29d9-4fed-831d-31016c56adda.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2dc5042-ab18-43c4-933a-7979162f0179.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6e81e3b-fafd-43a1-838e-0a380b93ecd1.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aaf6d60-27ca-4992-8648-9f971fcef770.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e61dda2-e993-4263-9ace-f37cc397057d.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81dd7175-113d-4fa9-ae42-b07f5842d1ea.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfe9be9d-a3bb-47a9-9186-70661173202f.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27c6446b-236c-4ca6-b5f3-c7ea29e6517d.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N2" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N2" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
710B
MD5480294658f4152f587eea785066fa99c
SHA1ef5e45c5d359447183e7cb945d63bfb8cec3b966
SHA2562c85e5709f8ea68b99427234289d0a2b527a277307bf7e647352c8290aabad90
SHA512bcc23b6b5916adc4a85133eeb25a466342316c37ff45dd3cb74f02254608e94fe6514d5a9931819298b3169d8521d11b24572c8490d6e13d7f2051ffa0b27428
-
Filesize
710B
MD5ad3e0b1428fb0c505b9fe442684ba2a5
SHA12443ddd186989bb00c8e373adf0fb506445d46c1
SHA256737cdaa7a84f9b13c25dddbd76f77dfa01a94c052985c0c9a3aa785e9980c1e9
SHA5121375f9d4375378dae11589a9ca952ddf13865e11671c9a5f77e852ff2a17f0b96b1bcf8cf9993fef14ac59a9fdaaf8e4f4e5dc03702fa490a768d0b57d9cda19
-
Filesize
486B
MD509f5bbe889b955a45836c39a3ed442cc
SHA147d68631944ecfc357666cccdab3b3c8cf4fa9bd
SHA256d1cad0c4d806592ee534ee56c34cc884e81de61e953694b30c2b01dd942b1a4a
SHA512f1312be9257027befb52981c9009822ffaea02fb679acb0b231055d26c1768e7692de7b9403b3a5eb963d5cccdd3609665798685842dea184cb66bb8a6356a83
-
Filesize
710B
MD52d0dc8e284d46e37d8c6eee3eecff078
SHA1c69bf1adeb2ec546dae1faf3d1b0fcb5dc0369de
SHA2566670c9c5c08ff3664301eee8dade69809f568781cfe60165a27d68ed9bc6061d
SHA512eaf6ad2c83e596697ea09ce902d7b3bff957a08143030b70985512afa5043269c10e8640995fd425b16175fa70d9fbf1f5964c087d35478711cec74f27b5cd2a
-
Filesize
710B
MD5b4b13777bceddd80e67083653f7071ae
SHA126331550bdb2d74b80ddbfa4fe54e8006c3fc854
SHA2569c7ad49ae6403e23497c31a621db274ccbef34eed2e78e22932ec4ab81e70f2e
SHA5122bf58e3af4d5423e17528d5f649ad290bbc393fe6f0408fed47412a7d305263786fb7abf3dd33d885d88952e71d93fa875035455b414fd4933099c9745a7a2e8
-
Filesize
710B
MD5f5f9413ef3c9d1a98bedf151d7270b25
SHA1d5fbeefc762e2b87a05165fe7af5b4d7db948993
SHA2563eeec9432e06f1d5aac89c2cb06ae2a3f0b78e018434d2f0ea7aefb8cc75b9ba
SHA5123673c1db51e3d1e53aada1c553a34f6ebb73194f6b616d850a8f890e0073e82883f78f5793bbe3496052266e8c950bafdfb955dd6d7c7b9776f5eea4695ee679
-
Filesize
710B
MD5c911c4bd587a689e1383425558a34ea4
SHA17e13092d9c78022fd93133e5e180dffe0f45cca5
SHA256167ec839bfa1cd9be8dcc0349981222f60af17405c44483e687a0700424a0141
SHA512984184d1f178673360a4793d1f0f0374a1b844e52b4730b5ec4d8254b2e38a3d0e3bba56e1307a351145b1885f5c5beede706972d4915a33ca1c9ff969bec7d2
-
Filesize
710B
MD5318263a228c31e928d705f8149bfa7af
SHA120a83b1111d01ada74f4832fb618be44aa9d9949
SHA256ab9966650431a2e31a0db25c26686f412388b11ee433d0ea43eb57cab1482817
SHA51241b1719abff25dc4e1b7238c15cf898eb1ae03309d84b30f17bf362886cbb035f3c37d06430bbdbb7e81b457f7c4048c931a4c9685a3adce48802c4612a5c297
-
Filesize
710B
MD561cff87a3d63331f7d4f37bc5a8929f7
SHA15e573fb7ff52fd53d030b8d2b009f2324414499b
SHA2563f7ba957a93a0608bd1e66301f5e9f230b4eab18dc87e4cb28a343bee19846a9
SHA5127e2f31893d0299312beebeaeb5b3c644d4a98b88d7e703fe00e9ca10cb243e7e78bccc9f7834feb3583640f871e7dc616b3f6ec68af8d00edd5439c6a5bf7e87
-
Filesize
710B
MD54672a4685bb6899bb12c21ca08af900c
SHA1780b4cd8d0b2926e6714f7446d44d5931b6d7af5
SHA256c43814ae692f45f191917e2f03cd2d3f89098f931e15d0c2e8724e2e2e1dab57
SHA5128f690d6fd3bf8c1a33e53512c984551445224769c4b816738ab97550e84cd79e2c02c37347a2ad49d4a560f28ee6fd51716887d11075a5716663ea18263c3277
-
Filesize
709B
MD5d0c71d199be2399a60596334afc9cb26
SHA1acdabc9ae297a0918a20d569411db21d30c00193
SHA25680b608838f37f2840b9d39300ece58b730ac54b92bdcee8431a107f595cd7815
SHA512caa9ed373d789cca51fe1be329f87a94d40754d06f86f6e0c14221fd49f142b30bac460ccdb3911a2b7c97446e3fb998aff48416575e5fe9d30cd1b8a54053e4
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD5aea3bc1c97b60fa1766af18f240e7080
SHA11ff09abc4ba82ee57531467cfeefb2fb41e542ad
SHA2562caa1996fe847dab6a386cebdd8226b40832d11f8027248ca5dfb2f2231ce7b9
SHA512b642bd7f889765adf393df0fd68d2c1e5e71e26e02cd0695c7693e3dff1338704adbc21977531e78ea8cd9180701c85b6fd7b208ddafd2a152931af19d8087c7
-
Filesize
4.9MB
MD5d8b8aede9dcb3c6ead52f11fc0826520
SHA16b5981a21251b5d0833a8dc8e7b4c71787c3d6e6
SHA2562e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4
SHA512c3bbcbf837ae31dccf70e966dcb57e6bce105aef5163ebb44111fc7dc810cb34691292cd4ad30ab0e1516a75f569addfafaf6c3a4b026c2a1446f1182bb005b1
-
Filesize
5.0MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
5.0MB
-
Filesize
9.9MB
-
Filesize
1.2MB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
2.9MB
-
Filesize
32KB