Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 16:10
Behavioral task: behavioral1
Sample: a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
Resource: win10v2004-20241007-en
General
Target: a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
Size: 1.7MB
MD5: 9d62f5b5d9eca0a94ba46565918695f0
SHA1: 71bfc63978a703ba9f0b18dae7d2ca67018b7fe8
SHA256: a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177d
SHA512: a1db284ac814611263fee44d158cffb845bf20f92d993518bafb3dfba8a0de6a9d32c1b6545cf515febe61856225707765c9f9db2ca5476347d1674cff818199
SSDEEP: 24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (identical for all 42 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
2760 | 2876 | schtasks.exe | 31
2732 | 2876 | schtasks.exe | 31
3056 | 2876 | schtasks.exe | 31
2636 | 2876 | schtasks.exe | 31
1128 | 2876 | schtasks.exe | 31
2720 | 2876 | schtasks.exe | 31
2604 | 2876 | schtasks.exe | 31
2672 | 2876 | schtasks.exe | 31
980 | 2876 | schtasks.exe | 31
380 | 2876 | schtasks.exe | 31
1476 | 2876 | schtasks.exe | 31
776 | 2876 | schtasks.exe | 31
1380 | 2876 | schtasks.exe | 31
2812 | 2876 | schtasks.exe | 31
2980 | 2876 | schtasks.exe | 31
2800 | 2876 | schtasks.exe | 31
2924 | 2876 | schtasks.exe | 31
2984 | 2876 | schtasks.exe | 31
1508 | 2876 | schtasks.exe | 31
2944 | 2876 | schtasks.exe | 31
1984 | 2876 | schtasks.exe | 31
1664 | 2876 | schtasks.exe | 31
1244 | 2876 | schtasks.exe | 31
3028 | 2876 | schtasks.exe | 31
3040 | 2876 | schtasks.exe | 31
2192 | 2876 | schtasks.exe | 31
2140 | 2876 | schtasks.exe | 31
1892 | 2876 | schtasks.exe | 31
2280 | 2876 | schtasks.exe | 31
1040 | 2876 | schtasks.exe | 31
1052 | 2876 | schtasks.exe | 31
484 | 2876 | schtasks.exe | 31
2232 | 2876 | schtasks.exe | 31
1980 | 2876 | schtasks.exe | 31
948 | 2876 | schtasks.exe | 31
1816 | 2876 | schtasks.exe | 31
1636 | 2876 | schtasks.exe | 31
1668 | 2876 | schtasks.exe | 31
2188 | 2876 | schtasks.exe | 31
1092 | 2876 | schtasks.exe | 31
1388 | 2876 | schtasks.exe | 31
1528 | 2876 | schtasks.exe | 31
resource | yara_rule
behavioral1/memory/3052-1-0x0000000000BF0000-0x0000000000DA6000-memory.dmp | dcrat
behavioral1/files/0x0005000000019627-27.dat | dcrat
behavioral1/files/0x000c000000019639-120.dat | dcrat
behavioral1/files/0x000700000001967d-131.dat | dcrat
behavioral1/files/0x00070000000196be-142.dat | dcrat
behavioral1/files/0x0008000000019d2d-176.dat | dcrat
behavioral1/files/0x000b000000019db5-212.dat | dcrat
behavioral1/memory/604-236-0x0000000000F30000-0x00000000010E6000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.
pid | Process
1964 | powershell.exe
2968 | powershell.exe
1920 | powershell.exe
2088 | powershell.exe
2168 | powershell.exe
2924 | powershell.exe
2704 | powershell.exe
2092 | powershell.exe
2348 | powershell.exe
2396 | powershell.exe
1508 | powershell.exe
2420 | powershell.exe
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
Executes dropped EXE 2 IoCs
pid | Process
604 | WmiPrvSE.exe
340 | WmiPrvSE.exe
Drops file in Program Files directory 15 IoCs
Process (identical for all 15 rows): a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
description | ioc
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXF32E.tmp
File created | C:\Program Files (x86)\Windows Mail\en-US\services.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe
File created | C:\Program Files\Windows Portable Devices\lsass.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\RCXE462.tmp
File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\RCXE4D1.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXF32F.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCXF533.tmp
File created | C:\Program Files (x86)\Windows Mail\en-US\c5b4cb5e9653cc
File opened for modification | C:\Program Files\Windows Portable Devices\lsass.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\services.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCXF532.tmp
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\f3b6ecef712a24
File created | C:\Program Files\Windows Portable Devices\6203df4a6bafc7
Drops file in Windows directory 21 IoCs
Process (identical for all 21 rows): a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
description | ioc
File created | C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe
File created | C:\Windows\security\ApplicationId\PolicyManagement\0a1fd5f707cd16
File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe
File opened for modification | C:\Windows\it-IT\WmiPrvSE.exe
File created | C:\Windows\Media\Characters\smss.exe
File created | C:\Windows\diagnostics\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCXDC50.tmp
File opened for modification | C:\Windows\security\ApplicationId\PolicyManagement\RCXDE54.tmp
File opened for modification | C:\Windows\security\ApplicationId\PolicyManagement\RCXDE55.tmp
File opened for modification | C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe
File opened for modification | C:\Windows\Media\Characters\RCXE25E.tmp
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\c5b4cb5e9653cc
File created | C:\Windows\Media\Characters\69ddcba757bf72
File opened for modification | C:\Windows\Media\Characters\RCXE25F.tmp
File opened for modification | C:\Windows\it-IT\RCXE762.tmp
File created | C:\Windows\it-IT\WmiPrvSE.exe
File created | C:\Windows\it-IT\24dbde2999530e
File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCXDC4F.tmp
File opened for modification | C:\Windows\Media\Characters\smss.exe
File opened for modification | C:\Windows\it-IT\RCXE6F4.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
980 | schtasks.exe
380 | schtasks.exe
2140 | schtasks.exe
1892 | schtasks.exe
948 | schtasks.exe
776 | schtasks.exe
1092 | schtasks.exe
2604 | schtasks.exe
2672 | schtasks.exe
1664 | schtasks.exe
1528 | schtasks.exe
484 | schtasks.exe
2732 | schtasks.exe
2720 | schtasks.exe
1380 | schtasks.exe
1508 | schtasks.exe
2944 | schtasks.exe
2280 | schtasks.exe
2188 | schtasks.exe
2812 | schtasks.exe
3040 | schtasks.exe
2232 | schtasks.exe
1980 | schtasks.exe
1636 | schtasks.exe
1668 | schtasks.exe
1040 | schtasks.exe
1816 | schtasks.exe
1388 | schtasks.exe
1476 | schtasks.exe
2980 | schtasks.exe
2984 | schtasks.exe
1244 | schtasks.exe
2192 | schtasks.exe
1052 | schtasks.exe
1984 | schtasks.exe
3028 | schtasks.exe
2760 | schtasks.exe
3056 | schtasks.exe
2636 | schtasks.exe
1128 | schtasks.exe
2800 | schtasks.exe
2924 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe (this row is recorded 49 times)
1964 | powershell.exe
2092 | powershell.exe
1920 | powershell.exe
1508 | powershell.exe
2704 | powershell.exe
2924 | powershell.exe
2396 | powershell.exe
2348 | powershell.exe
2420 | powershell.exe
2968 | powershell.exe
2088 | powershell.exe
2168 | powershell.exe
604 | WmiPrvSE.exe (this row is recorded 3 times)
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
Token: SeDebugPrivilege | 1964 | powershell.exe
Token: SeDebugPrivilege | 2092 | powershell.exe
Token: SeDebugPrivilege | 1920 | powershell.exe
Token: SeDebugPrivilege | 1508 | powershell.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeDebugPrivilege | 2924 | powershell.exe
Token: SeDebugPrivilege | 2396 | powershell.exe
Token: SeDebugPrivilege | 2348 | powershell.exe
Token: SeDebugPrivilege | 2420 | powershell.exe
Token: SeDebugPrivilege | 2968 | powershell.exe
Token: SeDebugPrivilege | 2088 | powershell.exe
Token: SeDebugPrivilege | 2168 | powershell.exe
Token: SeDebugPrivilege | 604 | WmiPrvSE.exe
Token: SeDebugPrivilege | 340 | WmiPrvSE.exe
Suspicious use of WriteProcessMemory 48 IoCs
Each of the 16 distinct rows below is recorded three times in the report (48 rows in total).
description | pid | Process | procid_target
PID 3052 wrote to memory of 1964 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 74
PID 3052 wrote to memory of 2968 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 75
PID 3052 wrote to memory of 2168 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 76
PID 3052 wrote to memory of 2348 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 79
PID 3052 wrote to memory of 2924 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 80
PID 3052 wrote to memory of 2092 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 81
PID 3052 wrote to memory of 2704 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 83
PID 3052 wrote to memory of 1920 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 84
PID 3052 wrote to memory of 2396 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 85
PID 3052 wrote to memory of 2088 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 86
PID 3052 wrote to memory of 1508 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 87
PID 3052 wrote to memory of 2420 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 89
PID 3052 wrote to memory of 604 | 3052 | a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe | 98
PID 604 wrote to memory of 2824 | 604 | WmiPrvSE.exe | 99
PID 604 wrote to memory of 1972 | 604 | WmiPrvSE.exe | 100
PID 2824 wrote to memory of 340 | 2824 | WScript.exe | 101
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; the number in parentheses is the nesting level, and each entry lists the image path, the recorded command line, the signatures it triggered, and its PID)

C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe"
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3052

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1964

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2968

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2168

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2348

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2924

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2092

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2704

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1920

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2396

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2088

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1508

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2420

  C:\Users\All Users\Documents\WmiPrvSE.exe (level 2)
    command line: "C:\Users\All Users\Documents\WmiPrvSE.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 604

    C:\Windows\System32\WScript.exe (level 3)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e01d0f64-bab7-447d-873d-7113f08c5dcf.vbs"
      - Suspicious use of WriteProcessMemory
      PID: 2824

      C:\Users\All Users\Documents\WmiPrvSE.exe (level 4)
        command line: "C:\Users\All Users\Documents\WmiPrvSE.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 340

    C:\Windows\System32\WScript.exe (level 3)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d98eaecb-a980-4b9f-af27-4df86f571112.vbs"
      PID: 1972

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2760

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2732

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3056

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2636

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1128

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2720

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2604

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2672

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 980

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 380

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1476

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 776

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Characters\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1380

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Characters\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2812

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Characters\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2980

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2800

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2924

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2984

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1508

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2944

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1984

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1664

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1244

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3028

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3040

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2192

C:\Windows\system32\schtasks.exe (level 1)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.7MB
MD5 ae358387b4f4f9c7e7700203d42a3ee8
SHA1 860b31853be2a4b62180384dd5e6ec94020fefb7
SHA256 5cab92463fed04f40fb3bf0c976145d1c2951c3e57fc4ad59460781c5c492a13
SHA512 af0ed003f88d31607229195bcdd57ec056eadc7895f1826162e47d37408350d6326171dfafea4abdec1ccef5d856913719f8494482e8aa59e1ee5e5e3fbe7f76
-
Filesize
1.7MB
MD5 5557a83b7eda286c7944d0c1999cfeab
SHA1 6675cb8c01b5782e6a0fc21813323298fabbce8f
SHA256 6d5c296c142be861346e9a6d9a5b0a3f153c44714bbaf0b4b264b5d2c3f1f367
SHA512 00e653c671fd2f6d26d677f4b8363153c7fcb8e60460cf4773f3027464f639b4b51ba3d9e690b23992c3fb64f3626055aa2427843d60e86be0a01471fadce43a
-
Filesize
1.7MB
MD5 d85af2a620fe30b910735cdfd2501ee0
SHA1 1fbafff90b68d32d71bb5a9bfa760a982b47d250
SHA256 a86bc570ba243a7f0785142d3a58677d73bade6ed9d06feb0e98b67a595c8665
SHA512 d1ac35bbfa43ec8132a3f52e0c248c1c0ba948d8c06759fa3298273d2d8d557d3ab30f39b3c2c6dc50e03d45451898bfd72d16c05b10bb67c637f3d0df0eba07
-
Filesize
493B
MD5 f3ffc0d3aebc5d36bca2013d93c5f069
SHA1 795094405ca6fbd80b9fe1fd5154ffff501b5e4a
SHA256 547ee910d434f5935878eacc798c6d1d471c3eb6c625ba4a0bbed41d25e37301
SHA512 e04d2dcc10e5a6f4b5b5e5a6137a3b54814660bb3412cba662ffb8018e2291546b62caa53105ddb456d1502aaa2cd8733d00b1dcc704a75e60f7035d36686644
-
Filesize
716B
MD5 3f0fd9891fc01792318611f6f093bed4
SHA1 544316e9a26b36a469cc37dd152e0d0ff5726bce
SHA256 52ff85791d96f4050414ee603cc42d6ee2b2281a9f60bd64f03903adad90b322
SHA512 93edc76c9d0f50962d919c4f0aabd87e5cc526fa57ef03b717649e473894510a862736c1a5ec449cec21572c320c910e3671b378723b0b57009f92ba18235a88
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5 f0e0a1ca5c4f0804c620da074ebbb9ce
SHA1 c732a94c2d8edc30bfaf8361aa633e86cc206d54
SHA256 75e3501a9ce580cabbfb32e9d8f1e2f5ac599f715f95b7877b6e615c3d353e70
SHA512 3a42c85528aefd291077539f99d802dcbd656e3eec347ccadb3b8935d94173bf278ec2143b79de679018b771487a14fd2423619fc107e84e43b913821a8d1251
-
Filesize
1.7MB
MD5 f857a1d3e5da65672f958cc8379772f3
SHA1 372cad0f26e6241540d00a832b204076f28b04f4
SHA256 6a10259556dceb0f03b4cbe37a25da3f379add7f615b9732ea745e6f1e0f3cd6
SHA512 8eb5b0e662db10d117744502a3a01e03d9a15ed4302003d78f6edda766ddd1721209281e08939166c25141b1b5832b39afffd5c04b46b35c6be243c0673e0c90
-
Filesize
1.7MB
MD5 9d62f5b5d9eca0a94ba46565918695f0
SHA1 71bfc63978a703ba9f0b18dae7d2ca67018b7fe8
SHA256 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177d
SHA512 a1db284ac814611263fee44d158cffb845bf20f92d993518bafb3dfba8a0de6a9d32c1b6545cf515febe61856225707765c9f9db2ca5476347d1674cff818199
-
Filesize
1.7MB
MD5 de0fa3d8acba2adfe721c1a72f67ecd1
SHA1 f81750696efa5aed193a02835255a6021e573a9b
SHA256 787bac419c9d576116b2577a1f649119df41b719bdde5b9f241f3d15e1091aa3
SHA512 2cfa57d2ed8fa04c6040a3617dcd8ca76a039e4e07930fefc14eb974e799db29f8220a31213e02dc996f2e8ba6110a0e9819c7578e2102eedc93e5c004afb24c