Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-01-2025 22:11
General
-
Target
2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
-
Size
1.7MB
-
MD5
46702766a2b352b3db95618c69a14526
-
SHA1
0c2c1e90dc69c16e2b09b705f6914b2372431a59
-
SHA256
2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9
-
SHA512
e1f84e854034293444f0f3ce562816e3f011ec58008f3601e00a7cf7125fc29c2f965fad7a59498d4d96b941006f20a4dcbb3373b325cd9fb6018cfa2aefc06e
-
SSDEEP
49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Drops file in Program Files directory 50 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 11 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe"C:\Users\Admin\AppData\Local\Temp\2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\214bf27b-8fda-4e6e-aee7-b60d2abbd920.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db76fae8-9735-4942-84b2-40c6fa89e758.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\095a6ab9-0a88-49f3-ac4d-64398c9c7461.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca95c2c9-b981-4809-bf06-d930fb7e7baa.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5ae01b1-836b-4265-9ad6-9825c8ff5b27.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f5248bb-1d9b-40ed-b0a3-ba60d7965aed.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59efff34-5728-439f-b9a3-38a21c5039b7.vbs"15⤵
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\899483c9-6bb4-4bb8-837a-22996ce985d1.vbs"17⤵
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee819890-a5df-4f84-a468-b3f9f67cc7ad.vbs"19⤵
-
C:\Program Files\Java\jre-1.8\lib\winlogon.exe"C:\Program Files\Java\jre-1.8\lib\winlogon.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa6b6bfa-5f9b-45ea-9671-f19d7f377df7.vbs"21⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49bc3f0c-c9b8-40f8-b7c5-e783ca875665.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f728ca8e-71ce-40fc-aac7-98792f943891.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee00844f-79cc-4def-96aa-84f312e8a2c7.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edf56843-d257-45c6-b756-f481d6aa2490.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37ad905-112f-48d0-b347-fc29f62bd0c2.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1fba475-7740-4a3f-af9a-885568ae08ae.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e02f0a4-f3f5-4297-b1ca-6afa51d803eb.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5991aaab-1fe0-409e-9e92-c19bd948f059.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d963a77-da9a-4b16-adfa-b0c32b313c5b.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64388776-71fb-43d3-980a-9760a3694f4a.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\lib\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\lib\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD52e19ac110c1d1022cb6af67d232e254d
SHA12eb46fe0fda867bbb7e709f71a6542842989ad1d
SHA256d29268a00f42db204b4532ddd0839766dd9d1aeb0c8b21c0551deeeb82b67c80
SHA512a6f2950cb562a5b20249995a858f780e5600cf8732bbf040afa0355b9ebd3a5c87af7946abdf304c3aafa1c3d320f176bafcce5e090f4fc0bd2420b0a1e0c4c6
-
Filesize
1.7MB
MD54cf975aa30f30690da7b22a64202b6e3
SHA132472082137fd15974cd6128977dc1ad5103760a
SHA2565dd24e76ea9e178342e6cb6b579186146183a60011d2ab685020cd1b00e1b67c
SHA5120f2aa4c969124ded876a9ca93ac702de0b1d031940e3f56f42c352405d46abea755d8e7024847cbaf798bc117c0563ee5cf13b13a8a4ee9ed77a9219db16e5e7
-
Filesize
1.7MB
MD5379f9f24c6ddfae7dde3bf076a20118c
SHA146264b3709fa6d6e426d5e9d3ecab4a6785fef6d
SHA256e9cd9233970fe2313db009b1db0809fc9e2e3f6bcbdc72ad223ec753edb81d39
SHA5123a3cc35414ce917a362375171e9e4198f4aa24c5b813508a90ae2d487dab8cbbec39efaa0ea64926cb4500265fdaeb23405add9c3bacfb54106e719f6cdb10b8
-
Filesize
1.7MB
MD54d2c350aeb35ee7b5ec068fe816dbf5f
SHA14bc240755a47ffb83a3d011e3169c34f7e6dd497
SHA25677e54a2a85064e67f23d071037a784ec33ad69b5fc372e3add1f36b5076fc884
SHA51225073158a201fef07f506296d0f10bdf05d0bed8e81e14468fa786094f98c7e7c4f82c54f752bd45ca3036fb2c3e168cf7f54dfcebcbc5e70a8a83f27d609a2a
-
Filesize
1.7MB
MD5d4e0ecf64dd25193591fa85406fc6cab
SHA13d1b65ad51d94a82c9485a19864f04abce0ccee3
SHA256c256f619af09dd9fdd0ba560a621d066314fa048f2db4ca187640f4ccb63eadc
SHA512bb59fb0b98bd9af0b3e7076bf3bb6ba65d7d8ecc57e319d6e4ac2b71db5205d19c0bfeda5ff3675061b25fdf148e8b434a49f8a3ff0af0aef3acbf742bc50945
-
Filesize
1.7MB
MD56bcb0a14a2e9ae45b2471fd818938d6b
SHA175ff31d0dce89e331300ba8545b95737bf3a7b49
SHA25622c04442735a1ae8157cf6bfc7f0017505332c3a161ca856411e065c615dc528
SHA512fe2ea0629cf2135c0b9610d9b17d9298094945ff531e16ef140a3d5e8f07afb210050100932a5c0ea1c013b70d6d201da4eded393393651e038af2590f55752c
-
Filesize
1.7MB
MD546702766a2b352b3db95618c69a14526
SHA10c2c1e90dc69c16e2b09b705f6914b2372431a59
SHA2562c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9
SHA512e1f84e854034293444f0f3ce562816e3f011ec58008f3601e00a7cf7125fc29c2f965fad7a59498d4d96b941006f20a4dcbb3373b325cd9fb6018cfa2aefc06e
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
722B
MD589e0b7e6226952f7df4242a79695d6fa
SHA170ce16444b5c11350ece2f53de348bcab384bda2
SHA2560fffa7ea92df454e3eebd412c79055bcc821ce64bcbec483405b0d7f8fab58a0
SHA512852f07103546fd01c6cbb8239fe1af5835bf6b1f811f08222a556c6294ef023d7f315b153daf65aa76e972a7bdf316f318184ac909c8526fac930fba71dcf71e
-
Filesize
722B
MD5fda390933cb9f4f9069a6ff1e9586a47
SHA1894f77cfc837361f6d3d7d4decb5cfb670390ee6
SHA256deb2235dbf611df6d6112faa813e686ea4581602e8ca2bc131d2cd93988da079
SHA512cd857c28fcd6c5e771e1e6473ba843ccf503e241516e31f2d9026e931b471eeab3a6fbdeebd1e48399550ee7d250479cd6777cef2f8b5e53140dc02ecea3c14d
-
Filesize
722B
MD5e3c5ec0f3f2cb1335756b4ba34018846
SHA1fd2c212f9b1d861297975c1f08e1d797d5b1c7ff
SHA2564cb5e028963560724fed2ca0f22555791cf86b8d2891eeb2cb4d6a0ffb462aee
SHA51265aaa3c2f66aa95951d02b4f7f09ba8c027ef1cca1c43bd44a4772d33b8dd5f5af8c776f7d8de9eb99b144a437b37c315825d94469f6a0711c2bb82ffa3836f8
-
Filesize
498B
MD532d0efcd48056d14c847b46db7cbdd52
SHA178832322f5cbc9737c0c86c1f6165143daec2b33
SHA256b3c652fefb1cc0efe64858196a248151f8f7d6ebe74431919af2917977e1d9ec
SHA512d085ca4e575af036f3b12759a2a4038cb2bd68bcdedaef03b760fa4957b2c9d7b70be5e43d67e581bd7171f5fd623733f7abfea15f5093c08d3bf82a2769522e
-
Filesize
722B
MD5c00851691a4c36fcac80cb98b3f6cd95
SHA1bfbd15c9c7a6ab6cc8d456a559a28bfd305dd7b5
SHA2560a9af89475c9e4f5f15f7e7f04dcff2d0f1ae4c53baac1705e12d6c12de83a5e
SHA512bee9242bbfc7bdb60e552f810f184da20269e3b8fd0667971043ff318821fac888af322bf1d290df5053f8520aad06a1ecf4686f94f9d1b2d31f470be77e465f
-
Filesize
722B
MD5c00b49aa5be6eb9239cd76025d21f789
SHA1cfa7a88c80f2a92871bdf458c239145b5a112539
SHA2560da7b3300e2bf207c4c5443d08125502600cc5e089ecb9933869d5b4d50cb6eb
SHA5128d87ab67808daf5abffdcdea11c03b21cb29cf4da697b42893bdf1d2072d718d56fff997988d19f4827a6aec8449bf4edb5f222b22d21a084dbd791792757998
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
722B
MD52fb9cc6d864485d82ecf2447a92de322
SHA11582452721dccbbe541295f9b7b9b62ae99067c2
SHA2566b7b07fcf946c1d4c41a41624f4f47c65d0a3b76293a59c5b24144675640e95f
SHA512c1a7d17dbf229cad6b019b467973ffd2a7d2ccba07df0616dec4c84c6ad215f5d04a7a448ab353f9eeaef1c4679ae131070b239e6e2c85935e2e0d228f6b26a6
-
Filesize
722B
MD5c03e389d20f89b80e3a61f741cfbf884
SHA10ec91673c49863a10bab084e5c3e0f21cc672bad
SHA25647bd24131f5c743b250b9295c6011047f27749e2a49a7a8101d2bcd0b2da4e27
SHA512647360573188429a4a620742b3c0cb119a62d3c38e968a507842edb9a1acec3c3cda3565a185c551c4ea71063f6f12182bda0aaa6b412fdcc7060dc98aaf4e34
-
Filesize
722B
MD50e147724fabf4976ed6a872d69019348
SHA114114dad91fdfaca70a0e4d98b370bd462e60c08
SHA25630a5340625d399a68bb7a8a61ead03c699f36c2937ad4ec44c47fad0f816796a
SHA512afaa2d20e90c1e28b4ece72c052ad644cdfaf35c0473808df46e1e0eb023f9cc9e9d7cc9740fd60f29b7fa4ac7187061a215d34a8317ed52522e303ea635d162
-
Filesize
722B
MD5561a0acce4cbeeb4f005dacaa1d38429
SHA166122ee0b32c211d7898aae856923f53707d3a53
SHA256acea7a2663bb2c8f4d984bd24323b14b79588942e38f4f91372c7d68ab0517b5
SHA512fc4eb174d7a28ba00aa5a7c97467dd8667ad6f0be1303bfae07c8001fdc05bdef51af24226a633f8c30cdbe248758495e5055fbbcd3ef9318805c0d462e6907b
-
Filesize
722B
MD59302b0f66c960dcb6957b1952f65f644
SHA1ff084eb1408df5d1288774252e55fd15e5ba708e
SHA256d0bcf0dd21cbfa51c1e4f627e83740d2e5dd637169535687a39458e0ccb6f0dc
SHA512616b72af7138c77139f6ec7d7a9641d72e76d69122413ba62346829237c437eda6e691cac90c629792277567cda415d9373266f79e02c6d17de61664fea963fa
-
Filesize
312KB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
8KB
-
Filesize
1.8MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
32KB