Analysis
max time kernel: 94s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-11-2024 18:00
Static task: static1
Behavioral task: behavioral1
  Sample: e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
  Resource: win10v2004-20241007-en
General
Target: e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
Size: 2.0MB
MD5: 38924c8184bf5944da2ac3e5cd987da2
SHA1: 1af0d4b729dd9c3a42c197a4ec961cab5722adda
SHA256: e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908
SHA512: 225e25eb08a1abe529a4fc5eb435eb800145a782e3dbdd6ba1c28925f84d758c18111ed181649bd222d50fd4a44f1ede7e43c630a58ae9a92fd2074d3d306a61
SSDEEP: 24576:FcBmS1nneRYZwoKBU7ArlQUCeYIxerW33/XfV6jx9aP5VR/z0WcBS4bppmHVSqyW:9S4/ST6xijxsBEmHVSqFHOHqnCgXu8
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\smss.exe\", \"C:\\Users\\Default User\\sysmon.exe\", \"C:\\Windows\\debug\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\StartMenuExperienceHost.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\smss.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\smss.exe\", \"C:\\Users\\Default User\\sysmon.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\smss.exe\", \"C:\\Users\\Default User\\sysmon.exe\", \"C:\\Windows\\debug\\winlogon.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\smss.exe\", \"C:\\Users\\Default User\\sysmon.exe\", \"C:\\Windows\\debug\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" | decAE9F.tmp
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2284 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1420 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 744 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2420 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3112 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3336 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1348 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1628 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1664 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 60 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 964 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3696 | 2748 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1460 | 2748 | schtasks.exe | 87
DCRat payload 2 IoCs
resource | yara_rule
behavioral2/files/0x000a000000023bbd-2.dat | family_dcrat_v2
behavioral2/memory/2140-5-0x00000000007F0000-0x00000000009A6000-memory.dmp | family_dcrat_v2
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2060 | powershell.exe
3092 | powershell.exe
2280 | powershell.exe
5100 | powershell.exe
3372 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | decAE9F.tmp
Executes dropped EXE 2 IoCs
pid | Process
2140 | decAE9F.tmp
3656 | winlogon.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\7-Zip\\StartMenuExperienceHost.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\smss.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\smss.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default User\\sysmon.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\debug\\winlogon.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\debug\\winlogon.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default User\\sysmon.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" | decAE9F.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\7-Zip\\StartMenuExperienceHost.exe\"" | decAE9F.tmp
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | \??\c:\Windows\System32\hnaorh.exe | csc.exe
File created | \??\c:\Windows\System32\CSC565E4759A4F4EC29875F420D0435D8.TMP | csc.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9 | decAE9F.tmp
File created | C:\Program Files\7-Zip\StartMenuExperienceHost.exe | decAE9F.tmp
File created | C:\Program Files\7-Zip\55b276f4edf653 | decAE9F.tmp
File created | C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe | decAE9F.tmp
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\debug\winlogon.exe | decAE9F.tmp
File created | C:\Windows\debug\cc11b995f2a76d | decAE9F.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4864 | PING.EXE
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | decAE9F.tmp
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4864 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1640 | schtasks.exe
1628 | schtasks.exe
60 | schtasks.exe
3696 | schtasks.exe
1420 | schtasks.exe
744 | schtasks.exe
2828 | schtasks.exe
1664 | schtasks.exe
3336 | schtasks.exe
1348 | schtasks.exe
964 | schtasks.exe
1460 | schtasks.exe
2284 | schtasks.exe
2420 | schtasks.exe
3112 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2140 | decAE9F.tmp (the same entry is repeated 64 times in the report)
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2140 | decAE9F.tmp
Token: SeDebugPrivilege | 3372 | powershell.exe
Token: SeDebugPrivilege | 3092 | powershell.exe
Token: SeDebugPrivilege | 5100 | powershell.exe
Token: SeDebugPrivilege | 2280 | powershell.exe
Token: SeDebugPrivilege | 2060 | powershell.exe
Token: SeDebugPrivilege | 3656 | winlogon.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3656 | winlogon.exe
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 4676 wrote to memory of 2140 | 4676 | e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe | 83
PID 4676 wrote to memory of 2140 | 4676 | e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe | 83
PID 2140 wrote to memory of 4820 | 2140 | decAE9F.tmp | 91
PID 2140 wrote to memory of 4820 | 2140 | decAE9F.tmp | 91
PID 4820 wrote to memory of 3960 | 4820 | csc.exe | 93
PID 4820 wrote to memory of 3960 | 4820 | csc.exe | 93
PID 2140 wrote to memory of 2060 | 2140 | decAE9F.tmp | 106
PID 2140 wrote to memory of 2060 | 2140 | decAE9F.tmp | 106
PID 2140 wrote to memory of 3372 | 2140 | decAE9F.tmp | 107
PID 2140 wrote to memory of 3372 | 2140 | decAE9F.tmp | 107
PID 2140 wrote to memory of 5100 | 2140 | decAE9F.tmp | 108
PID 2140 wrote to memory of 5100 | 2140 | decAE9F.tmp | 108
PID 2140 wrote to memory of 2280 | 2140 | decAE9F.tmp | 109
PID 2140 wrote to memory of 2280 | 2140 | decAE9F.tmp | 109
PID 2140 wrote to memory of 3092 | 2140 | decAE9F.tmp | 110
PID 2140 wrote to memory of 3092 | 2140 | decAE9F.tmp | 110
PID 2140 wrote to memory of 4320 | 2140 | decAE9F.tmp | 115
PID 2140 wrote to memory of 4320 | 2140 | decAE9F.tmp | 115
PID 4320 wrote to memory of 4352 | 4320 | cmd.exe | 118
PID 4320 wrote to memory of 4352 | 4320 | cmd.exe | 118
PID 4320 wrote to memory of 4864 | 4320 | cmd.exe | 119
PID 4320 wrote to memory of 4864 | 4320 | cmd.exe | 119
PID 4320 wrote to memory of 3656 | 4320 | cmd.exe | 132
PID 4320 wrote to memory of 3656 | 4320 | cmd.exe | 132
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe"
   - Suspicious use of WriteProcessMemory
   PID:4676
   2⤵ C:\Users\Admin\AppData\Local\Temp\decAE9F.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\decAE9F.tmp
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2140
      3⤵ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\csxt5pjs\csxt5pjs.cmdline"
         - Drops file in System32 directory
         - Suspicious use of WriteProcessMemory
         PID:4820
         4⤵ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9AB.tmp" "c:\Windows\System32\CSC565E4759A4F4EC29875F420D0435D8.TMP"
            PID:3960
      3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'
         - Command and Scripting Interpreter: PowerShell
         - Suspicious use of AdjustPrivilegeToken
         PID:2060
      3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sysmon.exe'
         - Command and Scripting Interpreter: PowerShell
         - Suspicious use of AdjustPrivilegeToken
         PID:3372
      3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\winlogon.exe'
         - Command and Scripting Interpreter: PowerShell
         - Suspicious use of AdjustPrivilegeToken
         PID:5100
      3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'
         - Command and Scripting Interpreter: PowerShell
         - Suspicious use of AdjustPrivilegeToken
         PID:2280
      3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'
         - Command and Scripting Interpreter: PowerShell
         - Suspicious use of AdjustPrivilegeToken
         PID:3092
      3⤵ C:\Windows\System32\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0KC50T3yOP.bat"
         - Suspicious use of WriteProcessMemory
         PID:4320
         4⤵ C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID:4352
         4⤵ C:\Windows\system32\PING.EXE
            Command line: ping -n 10 localhost
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID:4864
         4⤵ C:\Windows\debug\winlogon.exe
            Command line: "C:\Windows\debug\winlogon.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID:3656
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'" /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:2284
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:1420
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:744
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:2828
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:2420
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:1640
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\winlogon.exe'" /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:3112
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\debug\winlogon.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:3336
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\winlogon.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:1348
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:1628
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:1664
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:60
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'" /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:964
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:3696
1⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
   PID:1460
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads