Overview

overview

10

Static

static

10

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/10/2022, 23:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6da18a760686378730d42faa0095b4cc133d83c82560b461685aabb061151e0a.exe

  • Size

    1.3MB

  • MD5

    d3ffaa11ac289722de199f81e16753ed

  • SHA1

    eb471f003236e851fe1a944f581c04434af8d47f

  • SHA256

    6da18a760686378730d42faa0095b4cc133d83c82560b461685aabb061151e0a

  • SHA512

    b792927218c96b9c59c9af3bfb897e5e0236f5279f2ef152a89845878a857b373b99dd15c4ab0df80652d857a248fa763145c06d5b5d66ce598a89be4cdbcb8f

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6da18a760686378730d42faa0095b4cc133d83c82560b461685aabb061151e0a.exe
    "C:\Users\Admin\AppData\Local\Temp\6da18a760686378730d42faa0095b4cc133d83c82560b461685aabb061151e0a.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4100
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre1.8.0_66\lib\deploy\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4664
          • C:\Program Files\Uninstall Information\dllhost.exe
            "C:\Program Files\Uninstall Information\dllhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:4892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4404
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\OfficeClickToRun.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Offline\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre1.8.0_66\lib\deploy\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\lib\deploy\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre1.8.0_66\lib\deploy\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\odt\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\Offline\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Offline\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\Offline\SearchUI.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4592

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Uninstall Information\dllhost.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\Program Files\Uninstall Information\dllhost.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          ad5cd538ca58cb28ede39c108acb5785

          SHA1

          1ae910026f3dbe90ed025e9e96ead2b5399be877

          SHA256

          c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

          SHA512

          c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          671b2b813640dcb876cef09dadd69824

          SHA1

          3369ad339a8e2969763d785bfcde338ca45e4fb4

          SHA256

          6618c48554d2dfd2a9545d03217b249781861bd2aee992673b645540c9055423

          SHA512

          0773f66c4a27641c1830c2a2293da2c411565e6b39151a25945148088d2fd430b67e7c91a6ac30423e6bf7234ab69438755fdf891395a26240e61cf2efd54327

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          a9560d582a15ba8c5e7cfc73e45db558

          SHA1

          6647dec7f37b3f0f55030e8248d03691b2f9eacc

          SHA256

          3caa22543af9dc1f909e24610c0f78b525e2c845be697853d1d0498b31dfac0b

          SHA512

          e4fb1a6c1f73155b0f6937629f306f73d408fd4d0379ae89d8f0884d364c3452bf92d5f6432b044f36fb401f0b6de529a6138c5cf0567327d6032464708980b2

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          80b42b5cc092ac20f40058344903e052

          SHA1

          f10f916470c021253bab23bf9dcce591751f735b

          SHA256

          0b7c0537c11e48212ddc448b59cec100101fe8086fa6897b9e5b338016babb1c

          SHA512

          a2753005a69f7b0feb7c3ef6c5ba84657199f3b6c0f77cc53125d669740879aacc8c3d729e21c4849a1066676b9286b3a33c0bde16871de6b117a7b353cf3e88

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          80b42b5cc092ac20f40058344903e052

          SHA1

          f10f916470c021253bab23bf9dcce591751f735b

          SHA256

          0b7c0537c11e48212ddc448b59cec100101fe8086fa6897b9e5b338016babb1c

          SHA512

          a2753005a69f7b0feb7c3ef6c5ba84657199f3b6c0f77cc53125d669740879aacc8c3d729e21c4849a1066676b9286b3a33c0bde16871de6b117a7b353cf3e88

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          040c0566da83e3a112f6ac19e67dba93

          SHA1

          e21d0e5db7184f1cf367c6d95b487561dcb83520

          SHA256

          1d389bb9fcd33eb56a082b33979c00dcc218f99f7cd166f45f9a0c292b8c8f3d

          SHA512

          db91f66005a0c95c8ec67bc2af9fa590853ff7acdfc1123a6fa1ffe352efbd9bdc0acae6f32eb55c4040432b8595b625236f5969524c39438f16be39e5e59dda

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          5a8614400045cab6212c072b0fb3501c

          SHA1

          db31e412996f6f03b5366202e146d5fc877b31df

          SHA256

          0b778e9004a4c5d8968894161761e7e52e68ddc30b1d80a9dfe6ea7d5ec5e8b0

          SHA512

          6e6fe3159d20d053c1eebace68094a0b75018ba47778e0fe633b2bb683d4f9d5e5b6d7125f9221622e57b7587623a2d667aea3e343d8a88d2e00d694d364e6dd

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          f83d1c88f385ac958cfbcf5396ed129b

          SHA1

          8c1573bcadc2d7d14e8c95eace53506a886cfe6a

          SHA256

          ca5f384a07e037186c7f4bcc5a0d93e2d8b80afddf3391bbc1fe1b23c136dbe0

          SHA512

          f7af33c1a19833db9c1a376d1fa42b183a26df8729443acb4f6e3aa82c43b440bb2f7181e741665a1c9c74fc7ae90ef70a1924ac56b1834535afc7de5e1263fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          f83d1c88f385ac958cfbcf5396ed129b

          SHA1

          8c1573bcadc2d7d14e8c95eace53506a886cfe6a

          SHA256

          ca5f384a07e037186c7f4bcc5a0d93e2d8b80afddf3391bbc1fe1b23c136dbe0

          SHA512

          f7af33c1a19833db9c1a376d1fa42b183a26df8729443acb4f6e3aa82c43b440bb2f7181e741665a1c9c74fc7ae90ef70a1924ac56b1834535afc7de5e1263fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          5bf20d2f341000ae78704ba67b123983

          SHA1

          7c5c1dabdc089b86909db50601f42efdcb477fdb

          SHA256

          ebdcf51eeef8a51b1870b518b6a25f8a2c4d968f885320fa7e2c81241718055b

          SHA512

          c59b26e7f08491b5b8261677676a5dbe33311fca2b70e381ea81f8957dfcaf3e2fae82a6a68b0305bd279a7d641de455632b017fa41dc1672b72f0d6a65ad27f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          f83d1c88f385ac958cfbcf5396ed129b

          SHA1

          8c1573bcadc2d7d14e8c95eace53506a886cfe6a

          SHA256

          ca5f384a07e037186c7f4bcc5a0d93e2d8b80afddf3391bbc1fe1b23c136dbe0

          SHA512

          f7af33c1a19833db9c1a376d1fa42b183a26df8729443acb4f6e3aa82c43b440bb2f7181e741665a1c9c74fc7ae90ef70a1924ac56b1834535afc7de5e1263fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          38047f00f2ac312e4f0b390e80ac3dce

          SHA1

          f0ed989098f70263f1d734514c33e42fdafe8182

          SHA256

          221135e2d4123497c5f0d3a7a1f69e7482273c626261340b45e4514605a50681

          SHA512

          1eaffb94cf02b0d725c2a863d605ed3a87563744bb9670dbd107294451c8e19f8bcda07ac9e7f5cdacf3d8aabbb88fc2a643f6c371045cbb61f82dc32bbd9d92

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          66c08f1e61fc9f9f785d385ebdbd716e

          SHA1

          efb814023944b0a1c30334499c14f5164cfda79a

          SHA256

          6e6399e8eb39c4702c84870e6d595bd0f717e5eab39df41e26459ac99cfea44d

          SHA512

          151446f67c44a6dcdbeb32d2729935f952ae97be0066b588180c5ae265c8a50fe583cf1f9702b7298cacc2a68cdefe37e8cc463fd48a402dfb3157c526f7c4d6

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          66c08f1e61fc9f9f785d385ebdbd716e

          SHA1

          efb814023944b0a1c30334499c14f5164cfda79a

          SHA256

          6e6399e8eb39c4702c84870e6d595bd0f717e5eab39df41e26459ac99cfea44d

          SHA512

          151446f67c44a6dcdbeb32d2729935f952ae97be0066b588180c5ae265c8a50fe583cf1f9702b7298cacc2a68cdefe37e8cc463fd48a402dfb3157c526f7c4d6

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          e6294b0b3e2f660bc4b9f3c1cc48188d

          SHA1

          a0b58552362c01a95ede1b6e059c9e8b5832ac06

          SHA256

          a38a2f3ad23c22061cb6dcda7cf7c5916786792735ba6e9d4ba31a488225d499

          SHA512

          a0dd1c5c60784852baefdff0c113a0a773abbd875c77ceb3d9a44e0ff65a98b5993487eae52bae41eee4bbcff69f3f2ff0b3f92a07b2b747294e741508fedafa

          Download Submit

        • C:\providercommon\1zu9dW.bat
          Filesize

          36B

          MD5

          6783c3ee07c7d151ceac57f1f9c8bed7

          SHA1

          17468f98f95bf504cc1f83c49e49a78526b3ea03

          SHA256

          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

          SHA512

          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

          Download Submit

        • C:\providercommon\DllCommonsvc.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\DllCommonsvc.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
          Filesize

          197B

          MD5

          8088241160261560a02c84025d107592

          SHA1

          083121f7027557570994c9fc211df61730455bb5

          SHA256

          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

          SHA512

          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

          Download Submit

        • memory/2272-180-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2272-181-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-173-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-146-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-150-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-151-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-152-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-153-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-155-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-156-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-157-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-154-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-158-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-159-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-160-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-161-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-162-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-163-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-164-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-167-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-168-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-169-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-166-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-165-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-170-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-171-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-172-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-115-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-174-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-175-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-177-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-178-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-176-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-149-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-148-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-134-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-145-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-132-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-144-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-116-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-142-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-143-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-117-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-118-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-120-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-121-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-123-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-138-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-124-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-141-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-125-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-126-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-133-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-140-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-128-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-130-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-131-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-129-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-139-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-135-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-137-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-136-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-127-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2676-147-0x0000000076EA0000-0x000000007702E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3816-368-0x0000021B5D200000-0x0000021B5D222000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4100-380-0x000002A2799F0000-0x000002A279A66000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4208-284-0x00000000031C0000-0x00000000031CC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4208-281-0x0000000000F90000-0x00000000010A0000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4208-282-0x00000000031B0000-0x00000000031C2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4208-283-0x0000000003350000-0x000000000335C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4208-285-0x0000000003340000-0x000000000334C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4892-375-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

          Filesize

          72KB

          Download