Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-11-2024 22:25
General
-
Target
ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
-
Size
1.1MB
-
MD5
bf13fac7f8484064e0b61d4930e82580
-
SHA1
08495d92383b65f214c87a4aaed1103fe4cc7330
-
SHA256
ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e
-
SHA512
cfba119bdbe539b7c64a5a9bf2581b21d6fa120154745f54bc36c1aac3ddfa555d4d01dd43c0626c2d95cd5eb0005c1c03387c853a18e8ef3d4d1c9d472ada87
-
SSDEEP
24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpd:EPkVXFGDQoP7FRCZRonh4hfewhmpd
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe"C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe"{path}"2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\sihost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\host\fxr\7.0.16\SearchApp.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\services.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\dllhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\SppExtComObj.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\RuntimeBroker.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\StartMenuExperienceHost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\All Users\Adobe\dllhost.exe"C:\Users\All Users\Adobe\dllhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\All Users\Adobe\dllhost.exe"{path}"4⤵
- Executes dropped EXE
-
-
C:\Users\All Users\Adobe\dllhost.exe"{path}"4⤵
- Executes dropped EXE
-
-
C:\Users\All Users\Adobe\dllhost.exe"{path}"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04162043-84c5-43d0-8278-1b445425c6e7.vbs"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\All Users\Adobe\dllhost.exe"C:\Users\All Users\Adobe\dllhost.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\All Users\Adobe\dllhost.exe"{path}"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1ea5200-5d1a-436d-8dce-f55c7006e6dd.vbs"8⤵
- System Location Discovery: System Language Discovery
-
C:\Users\All Users\Adobe\dllhost.exe"C:\Users\All Users\Adobe\dllhost.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\All Users\Adobe\dllhost.exe"{path}"10⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0998a2f6-23a9-418d-b120-1dc36df7acfe.vbs"11⤵
- System Location Discovery: System Language Discovery
-
C:\Users\All Users\Adobe\dllhost.exe"C:\Users\All Users\Adobe\dllhost.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04879219-97db-466a-8cf0-e79c758eedab.vbs"11⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edf66433-91a2-481e-9d2e-10351ca49c67.vbs"8⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd1b0fb7-6853-4607-9e64-15f9e742301a.vbs"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Panther\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5cc650ec67105ee376ded23817a5da533
SHA14caa3008cff5d9f94f11ad16230c38e1b33df0d2
SHA256481b043dbfde8603b97b33fe3fae5d31d0eb10317842d7a6807a03930afbe4aa
SHA51246c4884d60ec28fc2dee3c3d18a456017ed5c05a959c95a287f0a824a32430fe47691e07cf4fa923cce669415ab9dc71f56ed925ec85ea5fd3c766225a4e73ae
-
Filesize
1.1MB
MD5bf13fac7f8484064e0b61d4930e82580
SHA108495d92383b65f214c87a4aaed1103fe4cc7330
SHA256ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e
SHA512cfba119bdbe539b7c64a5a9bf2581b21d6fa120154745f54bc36c1aac3ddfa555d4d01dd43c0626c2d95cd5eb0005c1c03387c853a18e8ef3d4d1c9d472ada87
-
Filesize
1.1MB
MD56acdd94648e790256b3aaafd141a64e1
SHA1b2b13a3e1190e4cbcb9d7fc8c486bbd9fbd64b92
SHA2564d43a3fc6b369711b031f821dc4cc236886966702ce992e9100894892d32edf8
SHA512caf7de04bac87ab58b8115855e99902822ee0efe3dd0b8883f53b5ef3ac8f056bcbf688d08f83dab6816e05666cf34c80b1321629ee422eb605b768e43720a75
-
Filesize
1.1MB
MD573162ebb055188ef4d631e2f0fb1cb0d
SHA1a0dea015fc72f8cce98fe5b1d0a62c1b40e646e3
SHA256fa2c6ca9084bdde9489a837a57cf28daef0c658286a4f9c62183d6402b60c8cc
SHA51295487ebf45447a1af0c5317b3ca9d478d976a8e169147fcd200aba85a8e1025fdfb0d61603e116ed3fe077768c0210dc93988a4658066c26263977591be79d49
-
Filesize
1.1MB
MD503b081f378b77a91610db30d3c9fe11f
SHA134cc2a2361e14e3dc24736e3b70221c98847bf0c
SHA2563ce285a4a7e0ab4e825b9fdbbf2d40decc70080461f58bdda1aa054c435ad3d2
SHA512c0f0500d782fca71dc61b958e08f666619519673216951866bd5dce49b41c7ec841696b825e04fab91a793da31fcc842a823ae11df666c80df7a462bc33d31fc
-
Filesize
1KB
MD584e77a587d94307c0ac1357eb4d3d46f
SHA183cc900f9401f43d181207d64c5adba7a85edc1e
SHA256e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5942c91700e31c23e71b375d27eb3ed99
SHA17ea71517f9660a4a626712d723e0a3011bdc1f40
SHA256011d13d38350db4d25541387c213b185004d057fe13e18b86f6df0563ba8d1c8
SHA512911896cb83734c5bb95d652282a9d1e1c8cd8401813fbf2f59dc46feef0b83e2f06ccf83dba9632e3988e92ab142c88ccfd82df1319254a08b958b1fd306ae8c
-
Filesize
18KB
MD519d07686f000b9d405a985bb22b43fea
SHA1e4420210998f13230a1336c0196a4b785fbe056b
SHA2569af84c2bbc3c842ecade29f10e66f957ac545d823e2d15729a71aa4df4657461
SHA512bf002ae787878df7f6c5147ecdc7b058c8fd24b950fd71a1f6c4e76e7217940a4ac171fab4a201e111050f124744d2b000f59b7182c54868142b03c6d725a27e
-
Filesize
18KB
MD530b033e66f9b7bd2390d872a9c97879e
SHA1e3d855c9c4b5c9b3742a03b2dfb38b440306e847
SHA2560829670da4fe4df22afb82ded63e5d5a602e3ad9bf9963c7ed215092836fb68a
SHA512c347b20b688bd3dc70b32833e80b65be31e65775e5df940bbe561aa30e8dba54abf684a3160dcc363ef8de2f6c04b8e3778ee61f0e825cdacbae7bf873e9ff33
-
Filesize
18KB
MD5db7b52446a77ecd8fd124fc9c4df74d4
SHA1a0ae1eb5dc1e612b1a2d5f27b7fe2d2aba957ac8
SHA25669293a730009a8503d6acf9676be12cc1ad6d4afe7deca642818ee7da6333dad
SHA5128f1db8d7917af3ad8b88db7efbc7a9522a0f280344f65fbf7179fde0ee975d77b6d294c1d262e4c5c644dc3566ef793a0d742f2416c81a05ba9a61d494e78565
-
Filesize
18KB
MD5a31d5d8c16b101fed904d78718fbe66e
SHA135b50386de9c46b843c72bb4adc9cb0e801fc2e0
SHA2563991d7fecbf955bdb634fa7692a356a6364b615f0403bd28f452e6123a5c851b
SHA5121c03833c425f9fa7f5b6e3478e45e4ab6e7734965d871844914254d143fa8c4e582a4ca6b6316f62a4ec09b9ec4928b13678832f32419295ddf461df8830009b
-
Filesize
18KB
MD5ddd6d930aa5e9175f1522a39f2b67c50
SHA1e9caad635df197fed1aefcc7db39194eab52114a
SHA256a3057fe8b0bac9edd4cf09c01dac53e0636b667f8fdf180f7e0c49d64712af74
SHA512d8d7a165be1a466d2384995f65c1c71e73c13c9ed9ecfe6816e19a409082d7d9d530f679141d634857f715c49ebcf26669adb45138034fd0a4f3e34b09a0acf3
-
Filesize
18KB
MD5f0b9cede1be6012cac5d732f317ed841
SHA1944f69443e55d1ba62f037a1d0dae746bc327235
SHA256a35741adc6c3ed60e1835f79100fb0dfad09c4da8a9e3a9e8ba210a38614731e
SHA5127a0086f89df20642cfb4bbefdc2a8be2a9f3e75dcbc2317d020897427324bcf6e761ea46fc26242e9d5897400feae0ae3dc1773f9126e9a389662dfed8cdf2ff
-
Filesize
18KB
MD5fc087fd910430bc86f5b5f9fc6f9ac7b
SHA108a0caa144911dbcf8ecff648f3139e28008266d
SHA2560fce9a5921c651d1c8d4ef8d8491a97606655f8d52602db0ad680b8246a5f855
SHA512bc14d123fc67553f6810e2aaaf9440bf6e5195183e3509e66f70d3995af74baa9b6528711c76ae02cc398560946e509bc18f52c7a415d76c5201f26ff25240c7
-
Filesize
18KB
MD56dd3c51b5b43e141d91dc9e8822cbf7f
SHA155cae4be7ea0b9bf056d10be49e70b81cf18fe66
SHA256d56a73019c1f99a4319be29ac6ce7a41b5399e6db8604f12991ffa810ea597dc
SHA512818109a734b6df2b2241e07cdf80fa88935d01f309a17eb346cda2185acbb5a98961124d20a0d5106224113e3fea7457dd51f947d16526c63f019dade92b1335
-
Filesize
18KB
MD59cdefdb081dad48057da927517d3d7bb
SHA1e8d87e5ba1ccbd9dd6a43eb9a93b04f3740a2c50
SHA256af120c5776507fb46e8d99bd8460671739e2d8ec815c2c250083b2b0d8a2cab0
SHA512a0eb2ae236c72ade016451a07f896caf4ba12c320418e1af2804aec2f83fb15680040db677a36e6d84b6ea383337070fbabb381732f6a740f3a2760e09c1b3be
-
Filesize
18KB
MD5b1c4e5ae3f33dd81f41909eab0c761bc
SHA1e84d3cd369c6a74f5d91a6acfde598ad33e6633d
SHA2566f2893457e72105b7ddf52a0763594254da4ae59b470dee5347553e75dac75f6
SHA51236cb1f292ae8ef4c01b92789c8e99f4f0466ebdc99e215626db493261a20e1595e7d1b75e8f44921a4c0c62b3d216dc625923d5181cdb78eb8a14e84f9388ccc
-
Filesize
712B
MD59a7dff9b9b854adf24dc943f1ecefa4f
SHA1245bf4fa322f73100a8faf10059ad8911ef32db0
SHA256471a0a01c65e434b900236646f71b350e8c5e78a598dcb0510b209f655147666
SHA512a6732427d5aea66fe700b432d23bb45b8dec53cba49d87b065a086f2f42d2b61944ce9ea0d92e69eb0515a55fb5bc66eef4eb081a5349b940e835f0b1b282e4b
-
Filesize
712B
MD501515f4fb2bd5f7bbdb587356b6023c2
SHA13568c3175bd3ddc9a01646a5af280fd996900c27
SHA2564ae39edaf7922602ae3031b2884a9a260e38128dcabf392eb313c3b211f8fdd3
SHA512c1003348e804f6fe79c2804ad8f0658a860743ca76cc153533ce366181be459d3942a8600773ff9d412093f2e6d46f1efb0c3f3a58a7e547ecddc5e6ba91252c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
712B
MD5c6f9457ccc575ec45d38b9946210f327
SHA1372dec9a839c82bc27991a25265040f20aee9085
SHA256346c0cecb589671bcb5b2d43c4b132925760786985e2bb2c1a4f6c53e32f455e
SHA51287cb2f25760e0d2756e1937c61a4ce1aa4612345262349db79704dae1131be90df0ead82ad9be5ebc46631dcf348c7636b76f4831becd6c4e437827bcd44a0d0
-
Filesize
488B
MD58e735bfca0bed491e3a50c8f1f344d54
SHA1393ba7e4cc914322b16856be9c23d680fdd25030
SHA25684b1d426c5d0a908d755ed65609b68f01cc1ecc62c3b2dd389948cfa45d85a9d
SHA512040640d189b517db86b79225b51cafb418b4719d930205b621d064ff8fab58d61e2d2ca7a25df7caefa90a622eaf945a564f8cc8b303fe71fa03f2d2522690bf
-
Filesize
1.1MB
MD5f540fabb3d1a6faf7e8929646f4e94bb
SHA19640dfeb69198ed5b1428d767c0641a96e890203
SHA2565dd076e53e75415ba9ab1a2594c8e609fa4b1fc28544fa831f9f9b91e92f363d
SHA51287aebcc2bf7c9242b6816080815e2be4b40368216f8a25c78d105161c02b92ac6387b6e0122229c1e36d138ffd01bdea5f0c5ca3c95ba7c029bbd8b785a53285
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
1.2MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
48KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
1.2MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
984KB
-
Filesize
7.7MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
72KB