Analysis
-
max time kernel
119s -
max time network
116s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
19-12-2024 11:32
General
-
Target
0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
-
Size
4.9MB
-
MD5
8ae5271e85f7f0ff3bd5df1f96d57b40
-
SHA1
9bb09274523bc1b88f7c48922549a9c7464f2027
-
SHA256
0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5
-
SHA512
4b02bc90828f55e2510221b6c334d4c4ebe706be3ab8371b1e222bf8cd939407a40e76a0d1d1df3d14309c7ca6eec89c96bb7dc590ed990206e773577a17d8e6
-
SSDEEP
49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 27 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 18 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 27 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe"C:\Users\Admin\AppData\Local\Temp\0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\602Zy6uMFq.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\SchCache\wininit.exe"C:\Windows\SchCache\wininit.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dde6109-8774-45d1-b5cf-6e181e5b0a55.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SchCache\wininit.exeC:\Windows\SchCache\wininit.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d6f8078-86fc-4cdb-bf2e-34041753866e.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SchCache\wininit.exeC:\Windows\SchCache\wininit.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aedc99df-5e8f-416a-bf14-5b27ffe9e3c5.vbs"8⤵
-
C:\Windows\SchCache\wininit.exeC:\Windows\SchCache\wininit.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\338d3d26-ef33-4ccb-919c-f746f463e1fa.vbs"10⤵
-
C:\Windows\SchCache\wininit.exeC:\Windows\SchCache\wininit.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f4ebed4-0d8e-48f4-b723-e4bc0771156a.vbs"12⤵
-
C:\Windows\SchCache\wininit.exeC:\Windows\SchCache\wininit.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\046055c1-7689-4e70-a2eb-5c526ad43c40.vbs"14⤵
-
C:\Windows\SchCache\wininit.exeC:\Windows\SchCache\wininit.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3ed4cd5-22a5-4165-92e7-d619f46ec690.vbs"16⤵
-
C:\Windows\SchCache\wininit.exeC:\Windows\SchCache\wininit.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\521de8c1-8ddb-4f88-80d8-81c636dc6602.vbs"18⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf007f97-1e14-40f3-bf6b-dfddca6afa95.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d0f20fd-4ada-4e4e-a06f-5b1470fa095b.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4619ce6-f8d8-4ade-aa8f-bbfa8921f148.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3f5c434-9262-4d95-b726-e022d6a7091e.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da1cbdcf-6dc2-4a52-b2aa-26787eed6e3c.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52cb52aa-ac2d-4ce5-91cc-e292bdda0773.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a709bb6e-19d3-4907-9506-0105853b5747.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa7ae631-577f-48b6-8a49-68ff192b5372.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Chess\de-DE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\de-DE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Chess\de-DE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SchCache\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD58ae5271e85f7f0ff3bd5df1f96d57b40
SHA19bb09274523bc1b88f7c48922549a9c7464f2027
SHA2560f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5
SHA5124b02bc90828f55e2510221b6c334d4c4ebe706be3ab8371b1e222bf8cd939407a40e76a0d1d1df3d14309c7ca6eec89c96bb7dc590ed990206e773577a17d8e6
-
Filesize
707B
MD522b3301363a56ec3f5c6ffa25e9f2d0c
SHA11c0febf6b93927edcc929de1a659dac329b92553
SHA2564ec390f7968918498d1a09d31c66f46066deab61a189df6ff71693eca7ce7164
SHA5129f56124947e26a79c720899e81497282c3c3d9a87cd5a233006f4708653c74206f4685e186508af60959593226b4673ca404db902636ef698610975d4f4545c9
-
Filesize
706B
MD57d1c8fdd7943eab37371e53622e49a29
SHA134ec57eb6eda5d433854ae48259cd87909cac150
SHA256a2074ed09b0a9b333c506f0060b5746d773e708a25f6feaeee92a2bce190d78e
SHA512a089e7def6ea68656d0209990f1b158cc484c3dae78d20167debbef744eee6c9318d3d8a581ac65f9fda03c45b005db7c7f929aaf45efc574ee7c53f5c2e897a
-
Filesize
707B
MD535b2c3fbd215e9efe0f520cc8c5516ee
SHA1045bd00399b967dc647344a9c4e749d2efed8fb4
SHA25617738da54dc06a3997a0308618865cf3a51d124e29cba544eba634de93670784
SHA512832b03941c805c881bf26c8bc62f2711f3839bac5d2152f2c842538fe4d169fe5d7b3f2cf261f119da157762e9d61a9ae019c93ebb2f8081840b37ac5f138269
-
Filesize
707B
MD58ac86ccc7f59542aa01c065174238a26
SHA17fb7c2d21bafe8630c45678af606af6216237874
SHA256067259563836b8b220b3f6b18082c1ccaae159ef5d52c9a7a128649f07c60e1f
SHA512580dffa223f2c07819e2fa0e7f231981ce3d5555d9f9c7b4813049823858c381e998079b98e7c4039d22ed6b78b6fab58a01e328988d521f68aa7155973b1a95
-
Filesize
707B
MD5d3bcdc5a7f59f7c1b039ff985a2dcbd5
SHA191511787e72f5a7411c02505fdb14973a431c9a7
SHA2569c4a76fdf3c680508c6f8f2a5654975814a49e485371b363c9ecc0923016d0b9
SHA51211dc34f3aeb114df7b4e503fe2f48fabbb3ef0d60fd35213ba4ab09451057bd885fe8da7f86277d2adf4931d31cdcab3adcb84b2649e82f4bd7cb46b96466390
-
Filesize
707B
MD56c10e83439cc69a5dbfd0174d298dccd
SHA13b14b7acf08d13aa270b824ad5221ff6c53f3c57
SHA256b0e0131f8e709d9d61351597c5e0242a9c8f9e65f8243ee4775db6a61a9dd2ef
SHA512fe89f51a5850b113c51b04647fc5d91b05c8969a0a878199314ee8372ce5682dc28941a6f99e89bc75f8a7fda5bf79d4be4d6d820a58ed9db9823722a23a3151
-
Filesize
196B
MD538d387cf249214105a3c0ce487ab4a76
SHA19c2b8d3f56bf7684f159ccf62362d52b76fd0592
SHA256aea70e9d83d807efaa95059437fa9a6ee1ef49219c816fdb33c8243b66bc2081
SHA5128d904ac9fbcf69edec96c09c39d9b7cb91779e0bdfca847beb578caa69ad102685d08b66cef6c732b0069ecf39b2f6e163242c8d013cbbdcbcdbd184f63bbb64
-
Filesize
483B
MD59724fd6e828e1794744757f1e690f680
SHA1ebf005eca70ad2d4298eb7d0fe0a892739de2b79
SHA256761d57528bae993379565cc4d0528fba571ca832b378b97d310f42b6281dc82e
SHA512198e356cdae936a2bdb6c8d5b84e7b93c58db612f3686415571c0f08d49c96190d7ce4e7e50a5b50e789135d9b7c429548652ae36bbefc772b93e673130294ed
-
Filesize
707B
MD539d5a15b330677778ffea88cf420dbf9
SHA19ba5ef479bc3e1f2913659e58109a42b4ae32cb4
SHA25605a19b574fa474ba837dfba13d4e3d62623780f228df13d5b7dcf3148222a6bf
SHA5127e4ae99f88744a8c609082c7f8e3c7161850c9029f1659d2f5cd9e22a79c991d1f86f91aefb357bccc82906212c4a1890e9d06531fada498f24027a1bbf059bd
-
Filesize
706B
MD51415b6617c886b46757bb344704df9bb
SHA1f4814161fec56c9fdaadfca8fdc1ea34689ca84a
SHA256e0ff39a29ac7a34446e9f07357cc7c7e5607a2927192a3c36f05d4f8ee2a6525
SHA512f2dc78c41efb45dbbf31de67be8e04fb2bdff62960e763dfd90f8cbea7432b2b276da9efb3087ec4300c8b9e52e434c5c2cbf0fb3f005e325d0a56744caee79d
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD54d7c5d81ff74523c8c00f47f08e10601
SHA1df004b460f588d06d57d77001943339825fa71cc
SHA25609a083c7937b1169dc987708334ebe68c58908cbf7d4c9aad54505f6dd412e43
SHA512f57d578652dbe7ef93644dd0d278ab15565067cb1215c17194d099cc33dbce07b39ac1d6d01fd6c473a3d106bbb5976aa2d4c7ac1b782eeb8bc3d7f02ffd8e99
-
Filesize
4.9MB
MD5b31241d73e960cba12dda1290f01e01a
SHA117540b431f39e3729024788a17b7e108b63135e1
SHA256f8b6ffdb58f28173a45a305d598b7d17713e4cabe13093685d8cf0b9c6eaa9d2
SHA512afd0df633b1131b603459a822b83e1342068fb95894a4a7715a66fd68583390d4e61e135fbf39e61c87cfcb2d14e9cc30f75dce822f88502a0480a330043310a
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
5.0MB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.0MB