dcrat | 8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

General

Target

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Size

2.1MB
MD5

f26bb4f3cc67c00580554bea3dac5e4a
SHA1

14c7857a8edc29dce1a27379f60f0d9443303627
SHA256

8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19
SHA512

32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010
SSDEEP

49152:tmyDQOI0/F/LopeanZ6QNo1y80nfLSx9ZEQCUn/ty374FM5YLCbtYY2Zy:kyDRZFTopJhTfe3ZtVy3x1btJv

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1736	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2036-54-0x00000000001B0000-0x00000000003DA000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe	dcrat
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe	dcrat
behavioral1/memory/1216-65-0x0000000000200000-0x000000000042A000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

1216 explorer.exe

pid	process
1216	explorer.exe

Drops file in Program Files directory 14 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
File created	C:\Program Files\Windows Journal\de-DE\taskhost.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Uninstall Information\WmiPrvSE.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sppsvc.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\0a1fd5f707cd16	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\0a1fd5f707cd16	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Uninstall Information\24dbde2999530e	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Java\jre7\lib\24dbde2999530e	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\0a1fd5f707cd16	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\sppsvc.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Windows Journal\de-DE\b75386f1303e64	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\sppsvc.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\sppsvc.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\0a1fd5f707cd16	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Java\jre7\lib\WmiPrvSE.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Drops file in Windows directory 12 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
File created	C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Microsoft.NET\7a0fd90576e088	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\24dbde2999530e	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\AppCompat\Programs\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\AppCompat\Programs\1eeb0f43201e0c	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\spoolsv.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Prefetch\ReadyBoot\dwm.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\f3b6ecef712a24	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Microsoft.NET\explorer.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WmiPrvSE.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\ehome\smss.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\ehome\69ddcba757bf72	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1840	schtasks.exe
2036	schtasks.exe
1888	schtasks.exe
588	schtasks.exe
1744	schtasks.exe
1720	schtasks.exe
2016	schtasks.exe
472	schtasks.exe
1668	schtasks.exe
1844	schtasks.exe
1472	schtasks.exe
736	schtasks.exe
1860	schtasks.exe
564	schtasks.exe
1860	schtasks.exe
2032	schtasks.exe
1780	schtasks.exe
1340	schtasks.exe
1928	schtasks.exe
1032	schtasks.exe
896	schtasks.exe
1812	schtasks.exe
1320	schtasks.exe
756	schtasks.exe
2036	schtasks.exe
388	schtasks.exe
984	schtasks.exe
576	schtasks.exe
1064	schtasks.exe
928	schtasks.exe
1760	schtasks.exe
1756	schtasks.exe
1628	schtasks.exe
1764	schtasks.exe
432	schtasks.exe
300	schtasks.exe
1732	schtasks.exe
1712	schtasks.exe
1320	schtasks.exe
916	schtasks.exe
1332	schtasks.exe
1492	schtasks.exe
1604	schtasks.exe
756	schtasks.exe
1488	schtasks.exe
432	schtasks.exe
1668	schtasks.exe
1772	schtasks.exe
1088	schtasks.exe
816	schtasks.exe
1800	schtasks.exe
1364	schtasks.exe
1704	schtasks.exe
944	schtasks.exe
776	schtasks.exe
1172	schtasks.exe
1380	schtasks.exe
1416	schtasks.exe
1504	schtasks.exe
588	schtasks.exe
1556	schtasks.exe
544	schtasks.exe
1800	schtasks.exe
472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

pid	process
2036	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
1768	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
1768	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
1768	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2036	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Token: SeDebugPrivilege	1768	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Token: SeDebugPrivilege	1216	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	pid	process	target process
PID 2036 wrote to memory of 1768	2036	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
PID 2036 wrote to memory of 1768	2036	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
PID 2036 wrote to memory of 1768	2036	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
PID 1768 wrote to memory of 1216	1768	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	explorer.exe
PID 1768 wrote to memory of 1216	1768	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	explorer.exe
PID 1768 wrote to memory of 1216	1768	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
"C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
"C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe"
2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E8" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E8" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\WwanSvc\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\WwanSvc\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\WwanSvc\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E8" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E8" /sc MINUTE /mo 11 /tr "'C:\Windows\AppCompat\Programs\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\WmiPrvSE.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\lib\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\sppsvc.exe'" /f
1⤵
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:472

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
Filesize
2.1MB

MD5
f26bb4f3cc67c00580554bea3dac5e4a

SHA1
14c7857a8edc29dce1a27379f60f0d9443303627

SHA256
8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

SHA512
32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
Filesize
2.1MB

MD5
f26bb4f3cc67c00580554bea3dac5e4a

SHA1
14c7857a8edc29dce1a27379f60f0d9443303627

SHA256
8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

SHA512
32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010

Download Submit
memory/1216-62-0x0000000000000000-mapping.dmp

Download
memory/1216-65-0x0000000000200000-0x000000000042A000-memory.dmp

Filesize
2.2MB

Download
memory/1768-59-0x0000000000000000-mapping.dmp

Download
memory/1768-60-0x00000000006C0000-0x0000000000716000-memory.dmp

Filesize
344KB

Download
memory/1768-61-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2036-54-0x00000000001B0000-0x00000000003DA000-memory.dmp

Filesize
2.2MB

Download
memory/2036-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2036-56-0x000000001AAC0000-0x000000001AB16000-memory.dmp

Filesize
344KB

Download
memory/2036-57-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/2036-58-0x0000000001F70000-0x0000000001F7E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads