Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 19:06
General
-
Target
1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
-
Size
1.6MB
-
MD5
e38a8ba2db5ea28f0f52d37b4a9d0d45
-
SHA1
eeb67e1eb72370ce24df9b82c6a7664176dfe064
-
SHA256
1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6
-
SHA512
ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e
-
SSDEEP
24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 16 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 57 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe"C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\upfc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3d3ff15-519e-4bdf-8d30-d9c26cf0e094.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee6f9a1-6dd3-4046-90de-de6705a502fb.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fd4aba8-2926-44d7-8936-6a8cde27e91e.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\801b0008-1a77-4467-8171-dbd5d3a90aaa.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1510800d-c269-4d22-bd28-38078836d632.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb216745-1482-4611-940a-88be68c4c091.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\749ea99f-89a8-428c-b83a-c1f48e5fbaaa.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79200ef0-dfe7-4312-a48c-e110995b03b6.vbs"17⤵
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\401ecba3-503c-4c30-a465-9d9d997bb5e7.vbs"19⤵
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8ba5fc0-5875-46e2-afd2-2a290ae9dd9d.vbs"21⤵
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db254d04-f9ca-4ae8-adeb-2a11295d9ed0.vbs"23⤵
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10036296-14c0-4777-82c2-3077852f0de8.vbs"25⤵
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b42d0c0-966e-4c1e-bb01-026c66f449d5.vbs"27⤵
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b33b03f1-937f-4958-bea2-d22192eed416.vbs"29⤵
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d0ee952-034c-4ea7-b038-9bfe0abc96eb.vbs"31⤵
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe32⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13607788-59c3-455d-86fe-b84fe5afa931.vbs"31⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e971186-0b82-46fd-9856-1603488e4639.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0a9a014-6994-4fce-8061-725621cd9ea0.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b0ae12b-ef24-4578-943f-d38fc521154a.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d33fb1d3-d64f-4058-be5b-ba04a68ce5a9.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c62fed8d-55bd-4768-8324-d7e90193b43f.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79890d76-2a9b-472e-a98e-195cde6ce034.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd807abd-2e3e-48be-860d-8e10411467b2.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3bddb1a-fdb9-416b-b9d4-1deb635675ba.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc57c2d1-a1b1-474a-86ec-203992837335.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e471709-79d7-43fd-b662-f39a721fb7a7.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e93eda1-4eb9-4efd-a406-bea936299ff7.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\581933b6-b03d-478f-aa0a-e1475b592654.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fab43574-5efc-433e-b37c-7c5dde496efc.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\223962fe-0873-4fa8-b4a9-fb9da90c536e.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5e38a8ba2db5ea28f0f52d37b4a9d0d45
SHA1eeb67e1eb72370ce24df9b82c6a7664176dfe064
SHA2561df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6
SHA512ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e
-
Filesize
1.6MB
MD57fd3f9c02fbe85e6b17e9a6ee848f767
SHA1b13571749846099e06401b2a3f71ee5db4a3a539
SHA2566a2079ccf18d6d8bc4a8a9f01b5fe627f1f514cd439fd9df15d18ccc42206dd0
SHA51274f9c3d83e616db06d570b716eca1e854c03ce13f4c2626b62a768d5193828f1a7019f1bb62366e20d385cb27ed23e5e4a9e46d1e79d096f37c99977fe8317bf
-
Filesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5643f98db244717856667bfd771e9db1c
SHA15434950e3506ae0cca216690c8fb5d2b38dd591d
SHA2565e01aecf68e759cce4264330c3b7bc5b30b0d6c17718e558543c87530cf78256
SHA512886d498dfce303f191b32d7001197aad7bd5eec12b5885ef620be32750902da2369536b10f451e712380bd7b420c051447b998d42f53ffae9b6a358c4db66a44
-
Filesize
944B
MD51641de9a10da75d35edf03caa25212c1
SHA1af73f64f8ce476c8e4eb56bb40426552d34c1ca8
SHA2565fbacccb41dad88018fad178d824e1dc4cdc48e08032d374ac88d37c88ee60c2
SHA5127123f9d69a0930a5143e442893cb2711bd9fd911f50e00f7b651ff8d448b78541ea0fa5f36452ad30e4c90ebfd1b1cc51e97422d6649089ec6b9f783ee6101e0
-
Filesize
944B
MD582da496008a09abc336bf9adbe6453dd
SHA1a57df6c2432c6bf7ab549a4333e636f9d9dfebd2
SHA25669def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810
SHA51286d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197
-
Filesize
944B
MD535be6e176d67a5af3e24a7f54b4a9574
SHA1900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9
SHA256c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7
SHA51209d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f
-
Filesize
944B
MD57cfa57226f15f18e8c29720a8a6efc8b
SHA1fef3b41b9715cd37a0bb9ab323fc9aa62158d55b
SHA25653d11cfbf4bbedac6a4963cbe63d8f500f1cfd159e1b9c24149c855d3be188eb
SHA512d6ea186fa684b2ca04eb5d9292a5d60b4d22f03205eb0bbe51c8715e1312e2179bc6da60c7763cb7663cd967fc761b9bd8d9949b009e2e6cba51883a167d1820
-
Filesize
707B
MD559fa5dbfbfd05d7f862d1c39d5096ed9
SHA1dc1c9038970d98d858fb21c10a34f71bf4e17af4
SHA256ac60b57a65e33703748c3fc44d481335033bfee2982c67bc00a747f3bf21d1cb
SHA512b92e263f2a8194fd2dad4afb734886c2e38bbc01f602632ed9650c0335f3904bac76f3040daaf50a11a2f418e33363abaebdfb164b0d6c8ff6619fe0208ae920
-
Filesize
707B
MD52050c8dc263c16d3852e3d72cc2ac55f
SHA18660818a819e636d2d27e5eab429422d5f034988
SHA2560d27625da9bcce7e88b26c511fd1b07afc3d42f32a8ad48b088bc9a35d3dc9ec
SHA512024d6b127cb509e2a30151807240c2cb896ee1925a5ec00d44b1c473fd03812197f6baa1f30e356600d513517abf69d68bc4b57e8a12c9b299b986db77030c4e
-
Filesize
707B
MD5bea7d1b89f516afb28d11f784faea92f
SHA1b68db8e9a5b414359bd1d99f070cc921d8ea6dbf
SHA256428d81d839acf0c268da07e4ff2a6c165a5e8c1e551c513cdcb15a07823f5417
SHA51264663fc7655dd92f2dd323432ff8bcbdd53a2b69497b336216de86fd97124b5dc9e3ada46d2113ecd9468214080859db8cd9065ea65a2b8994ffa9aec53ee1f4
-
Filesize
483B
MD531db4cf0fb94de23011ed13671f67929
SHA1ed335cdcb5ac9bce1d59f2486701c803174cc91d
SHA25602680d0a1ae4bbcdb152e10c1146476ea1d999593d7efdecea28a6e98ce8f168
SHA5127c2dfa6e387d0b03ef46b822640c0b1cc38a4b12624ded8e1cd58dd3d14da88eecd918611cba9b616730495f1832663d2fe4478b78042cf067bb0c8d034ad5bb
-
Filesize
707B
MD511c5de917c70642b274b48f6de7f98c5
SHA1a4ad068aa56312cb3963dec5b9622a1e2aa4ddd7
SHA2560d775265b779738df306f061385eebb0656a6e66c68db7d70ca26325f7f52111
SHA51251ac5637d07784f21a5e7c9e78893f9c1837e87313cdf08e9c0998434bb71b630686497f5184dfb1091779e7490632b6c5ba48ba63df1fbecb30a406ac9dd3d8
-
Filesize
707B
MD5714c77f6f9ba8584629c3d97e1df2eb6
SHA1fed77a15d65ebe9261d5e54ee690de35fd95853b
SHA2563cf31a0dc78780448dec8b20807a957ed2312cd25432a63afff0128bac5333f5
SHA512e3e13804aedd6733b4ffe87137c8b7631ce3c0306be11ea950bfe55e98a4334844e520509f3b58e159e133ace96dd64ca3d10fa44379bf1361e6e03325f799f2
-
Filesize
707B
MD520aca60f5ff6c15dff38063c52594b50
SHA102d9f4a1465235bc5f33306d4c4669317a47533c
SHA2566cefaf4bd7226c25ecfddf9bd7fd454dcc7b6b594723b7d0d7920412654089fa
SHA512c45e81fb0d6eb8985299b9e773c666ab272d30dc1d12e138b19d2caa6d3a6459a050b2ebe7a2d7e62f38abc76b01ec1e8455cb353a3169fb999b38337d8cb441
-
Filesize
706B
MD5b5a4aa7b9ede463a89e76a032fec5cf3
SHA15469375f48e04e8b54084aebe37ea5a317e012d2
SHA2569045ef85b723bd88e9cb39d1d9419a2433d42492d29b3dad2dec4fc9a1b5d51b
SHA51240ffa86329aa31148d86671cc74148fab6fe8e3d015a0480d7c20d7ee9e376f878d8239bb2bc75e2c0afcffb2c25cca8d216cfc862dc3935a351ec407570337c
-
Filesize
707B
MD5b1d4353d9fd37e37f476fc2586932670
SHA18b78025261d0598e760fb61149fac73df2384f02
SHA256109c84ce8476f1c2ff666adbed750bba05986ddcfde2fcf0aa394fd8168cba99
SHA512d2360b07cfbcee7f4cdcfdba917a8cf5caa605d4e9ef0834b3e57ffa1f3a46ecd9b651ed29dc5559a92fef5596413752cfa1d92def063d58379feff0a0fa2689
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
707B
MD5aac3b0da6282faa9a7dfcbee941cda2f
SHA1d8f49d8881b5b32c49ed7e070e4fb7fe512f09d4
SHA2563e37e1478f716564aa0dd4600aea679a94518e8c67b4d7640ec96f9300a7466c
SHA512f9ac0a96ac22ccd8a0aa0fefc052f9c479e9f541460736d2decfca5e07bdcb93ef46526eeefe213d528173c692f5a285800090b779d6bb24e52274e9ab6712ba
-
Filesize
707B
MD57721ec2a9d837c64345d71d8f1e93021
SHA119fa781e0ac58884a58e7d5640a186eb01778a6b
SHA25679699818872e1d27da8b0ed2d9df9cff0e41542611aec87264e0e50d80dc6d30
SHA512e7af215c97671024e7c0e5fde0d6dde6a070f978f50db18ab4916c6e2bdcb2ed099ec61009e3b1c5805662970744d31741df7e19d79df53cb2ce87191a1e13d6
-
Filesize
706B
MD5b511dc4ec7b5aa670e8ed9ca1cab9e44
SHA1a62fb8a3db9dc8e2c04e2baf2a08d8fb5c406b39
SHA256d2fcd88c3c229993771ed475d9d9deffd9714da0f9e4a7b829131d7f7393880e
SHA512ef40483967e4e8c91b5db4e9b7893c6be5e3f7448cd3be402fba34370a6f599de7e75d2508ff6e33896e5be2ed07a6f3b2a63990d1fca579e2c5cf22f139927f
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB